CVE-2021-28027

Name of the Vulnerable Software and Affected Versions: bam versions prior to 0.1.3

Description: An issue was discovered in the bam crate, where there is an integer underflow and out-of-bounds write during the loading of a bgzip block. This occurs when the length of an internal buffer is set using self.compressed.set len(block size - HEADER SIZE - MIN EXTRA SIZE), and then written into it. If the block size is too small, the subtraction can overflow negatively to a large number past the capacity of self.compressed, resulting in memory corruption in the form of writing out of bounds when loading a bgzip file with a small block size.

Recommendations: For versions prior to 0.1.3, update to version 0.1.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of small block size values when loading bgzip files to minimize the risk of exploitation.