Hi, there seems to be a bug in roaring64_bitmap_remove_many
where once the bitmap is empty, the next attempt to remove a value hits a segmentation fault.
This is reachable if vals covers more values than exist in the bitmap or if e.g. there are duplicate values in vals.
Tested on eecaabc1
(found via automated fuzzing)
The following testcase demonstrates the issue:
testcase.cpp
#include <cstdint>
#include "roaring/roaring64.h"
int main() {
  // Create a bitmap containing the two values 123 and 124
  roaring64_bitmap_t* r = roaring64_bitmap_from(123ULL, 124ULL);
  // Bulk-remove both present values, then one (125) that is not in the bitmap;
  // the bitmap is already empty when the third removal is attempted
  uint64_t vals[3] = {123ULL, 124ULL, 125ULL};
  roaring64_bitmap_remove_many(r, 3, vals);
  roaring64_bitmap_free(r);
  return 0;
}
crash report
==12==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x561239dc0f1d bp 0x7ffc82a8e410 sp 0x7ffc82a8e340 T0)
==12==The signal is caused by a READ memory access.
==12==Hint: address points to the zero page.
#0 0x561239dc0f1d in array_container_remove /fuzz/src/include/roaring/containers/array.h:322:43
#1 0x561239dc0f1d in container_remove /fuzz/src/include/roaring/containers/containers.h:536:13
#2 0x561239dc0699 in roaring64_bitmap_remove_bulk /fuzz/src/src/roaring64.c:748:13
#3 0x561239dc1a53 in roaring64_bitmap_remove_many /fuzz/src/src/roaring64.c:780:9
#4 0x561239db5526 in main /fuzz/workspace/test.cpp:8:3
#5 0x7fc21525ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7fc21525ae3f in __libc_start_main csu/../csu/libc-start.c:392:3
#7 0x561239cda2f4 in _start (/fuzz/workspace/test+0x2e2f4) (BuildId: a98820112c3aa7e4d14084711cde13b4f90d1a8b)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /fuzz/src/include/roaring/containers/array.h:322:43 in array_container_remove
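The failure mode described in the report, as an added illustration that is not part of the reporter's post and is not CRoaring's code: a toy C model of a bulk-remove API whose context caches the last container it touched. It assumes (the report only shows the crashing stack, so this is an assumption about the mechanism, not an established root cause) that the hazard is a cached container pointer outliving the container once its last value is removed. The model frees and unlinks an emptied container and clears the cache in the same step, so removing more values than exist, or duplicates, goes through the lookup again instead of dereferencing freed memory. All names (toy_bitmap_*, toy_bulk_context_t, remaining_after_remove) are made up for the example and the inputs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model, not CRoaring's code: a value is split into a 48-bit high key that
 * selects a container and a 16-bit low key kept sorted inside it. Containers
 * are separate heap objects, so a pointer cached across calls dangles once the
 * container is freed: that is the hazard a bulk-remove context must handle. */
typedef struct {
    uint64_t high;
    uint16_t *keys;         /* sorted, unique low 16-bit keys */
    int32_t cardinality;
} container_t;

typedef struct { container_t **containers; int32_t n; } toy_bitmap_t;

typedef struct {
    uint64_t high;
    container_t *container; /* NULL means "no valid cache, look up again" */
} toy_bulk_context_t;

static int32_t find_index(const toy_bitmap_t *b, uint64_t high) {
    for (int32_t i = 0; i < b->n; i++)
        if (b->containers[i]->high == high) return i;
    return -1;
}

static int32_t container_find(const container_t *c, uint16_t low) {
    for (int32_t i = 0; i < c->cardinality; i++)
        if (c->keys[i] == low) return i;
    return -1;
}

static void toy_bitmap_add(toy_bitmap_t *b, uint64_t val) {
    uint64_t high = val >> 16;
    uint16_t low = (uint16_t)val;
    int32_t idx = find_index(b, high);
    if (idx < 0) {
        container_t *nc = calloc(1, sizeof *nc);
        nc->high = high;
        nc->keys = calloc(65536, sizeof(uint16_t)); /* toy: full size up front */
        b->containers = realloc(b->containers, (size_t)(b->n + 1) * sizeof *b->containers);
        idx = b->n++;
        b->containers[idx] = nc;
    }
    container_t *c = b->containers[idx];
    if (container_find(c, low) >= 0) return;        /* already present */
    int32_t pos = c->cardinality;                   /* sorted insert */
    while (pos > 0 && c->keys[pos - 1] > low) { c->keys[pos] = c->keys[pos - 1]; pos--; }
    c->keys[pos] = low;
    c->cardinality++;
}

/* Returns true only if `low` was actually present and got removed. */
static bool container_remove(container_t *c, uint16_t low) {
    int32_t i = container_find(c, low);
    if (i < 0) return false;
    memmove(&c->keys[i], &c->keys[i + 1], (size_t)(c->cardinality - i - 1) * sizeof(uint16_t));
    c->cardinality--;
    return true;
}

/* Remove one value, reusing ctx->container when the high key repeats.
 * Invariant: an emptied container is freed and unlinked here, and the cache is
 * cleared in the same step, so the next value in the batch (a duplicate, or one
 * that was never present) re-runs the lookup instead of touching freed memory. */
static void toy_bitmap_remove_bulk(toy_bitmap_t *b, toy_bulk_context_t *ctx, uint64_t val) {
    uint64_t high = val >> 16;
    if (ctx->container == NULL || ctx->high != high) {
        int32_t idx = find_index(b, high);
        ctx->high = high;
        ctx->container = idx < 0 ? NULL : b->containers[idx];
    }
    if (ctx->container == NULL) return;             /* no container: never present */
    if (!container_remove(ctx->container, (uint16_t)val)) return;
    if (ctx->container->cardinality == 0) {
        int32_t idx = find_index(b, high);
        free(ctx->container->keys);
        free(ctx->container);
        b->containers[idx] = b->containers[--b->n]; /* unlink; order is irrelevant here */
        ctx->container = NULL;                      /* never keep the dangling pointer */
    }
}

static void toy_bitmap_remove_many(toy_bitmap_t *b, size_t n, const uint64_t *vals) {
    toy_bulk_context_t ctx = {0, NULL};
    for (size_t i = 0; i < n; i++) toy_bitmap_remove_bulk(b, &ctx, vals[i]);
}

static void toy_bitmap_free(toy_bitmap_t *b) {
    for (int32_t i = 0; i < b->n; i++) { free(b->containers[i]->keys); free(b->containers[i]); }
    free(b->containers);
}

/* Build a bitmap from `have`, bulk-remove `rm`, return how many values remain.
 * With have={123,124} and rm={123,124,125} (the reporter's input) this is 0. */
uint64_t remaining_after_remove(const uint64_t *have, size_t nh, const uint64_t *rm, size_t nr) {
    toy_bitmap_t b = {NULL, 0};
    uint64_t left = 0;
    for (size_t i = 0; i < nh; i++) toy_bitmap_add(&b, have[i]);
    toy_bitmap_remove_many(&b, nr, rm);
    for (int32_t i = 0; i < b.n; i++) left += (uint64_t)b.containers[i]->cardinality;
    toy_bitmap_free(&b);
    return left;
}
```

The point of the model is the last two lines of the empty-container branch: whatever else a bulk API caches, the cache has to be invalidated in the same operation that frees the object it points at, because the caller legitimately passes values that are absent, duplicated, or in excess of what the bitmap holds.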