ckolivas / lrzip

Long Range Zip
http://lrzip.kolivas.org
GNU General Public License v2.0

A use-after-free in the concurrent environment on ucthread[i] #166

Closed ycaibb closed 3 years ago

ycaibb commented 4 years ago

Dear Developers:

Our static analysis tool reports a concurrency use-after-free due to race conditions in stream.c#L1865 and stream.c#L1515.

The code snippets are as follows.

```c
static void *ucompthread(void *data)
{
    ...;
    dealloc(data);
    uci = &ucthread[i];   // ucthread may already have been freed by close_stream_in()
    ...;
    if (uci->c_type != CTYPE_NONE) {
        switch (uci->c_type) {
            case CTYPE_LZMA:
                ret = lzma_decompress_buf(control, uci);     // use site
                break;
            case CTYPE_LZO:
                ret = lzo_decompress_buf(control, uci);      // use site
                break;
            case CTYPE_BZIP2:
                ret = bzip2_decompress_buf(control, uci);    // use site
                break;
            case CTYPE_GZIP:
                ret = gzip_decompress_buf(control, uci);     // use site
                break;
            case CTYPE_ZPAQ:
                ret = zpaq_decompress_buf(control, uci, i);  // use site
                break;
            default:
                failure_return(("Dunno wtf decompression type to use!\n"), NULL);
                break;
        }
    }
}

int close_stream_in(rzip_control *control, void *ss)
{
    ...;
    output_thread = 0;
    dealloc(ucthread);   // line 1865: frees the array a running ucompthread may still dereference
    dealloc(threads);
    dealloc(sinfo->s);
    dealloc(sinfo);

    return 0;
}
```

Thank you.
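As an added illustration, not lrzip's code and not the fix committed to git master, here is a constructed model of the ordering the report describes: a worker that frees its argument and then dereferences ucthread[i], and a close routine that joins every worker before the shared array is freed, which is what removes the race. The struct layouts, open_stream_in() and the doubled-value stand-in for decompression are assumptions made for the example.

```c
#include <pthread.h>
#include <stdlib.h>

/* Constructed model of lrzip's per-thread state: the names follow the issue,
 * the struct layouts are assumptions, not lrzip's own definitions. */
typedef struct { long in; long out; } uthread_t;
typedef struct { uthread_t *ucthread; pthread_t *threads; int nthreads; } stream_in;
typedef struct { stream_in *s; long i; } worker_arg;
/* Like ucompthread(): free the argument, then dereference ucthread[i]. That
 * access is only safe while close_stream_in() has not yet freed the array. */
static void *ucompthread(void *data)
{
    worker_arg *a = data;
    stream_in *s = a->s;
    long i = a->i;
    free(data);
    uthread_t *uci = &s->ucthread[i];
    uci->out = uci->in * 2;   /* stand-in for the *_decompress_buf() call */
    return NULL;
}

/* Start one worker per slot; returns 0 on success, -1 on failure. */
int open_stream_in(stream_in *s, int nthreads)
{
    s->nthreads = nthreads;
    s->ucthread = calloc(nthreads, sizeof *s->ucthread);
    s->threads = calloc(nthreads, sizeof *s->threads);
    if (!s->ucthread || !s->threads) return -1;
    for (long i = 0; i < nthreads; i++) {
        worker_arg *a = malloc(sizeof *a);
        if (!a) return -1;
        a->s = s; a->i = i;
        s->ucthread[i].in = i + 1;
        if (pthread_create(&s->threads[i], NULL, ucompthread, a) != 0) return -1;
    }
    return 0;
}
/* The reported bug: dealloc(ucthread) runs while a worker may still be using
 * &ucthread[i]. The fix is to wait for every worker before freeing. Returns
 * the sum of all outputs so the caller can confirm each worker completed. */
long close_stream_in(stream_in *s)
{
    long total = 0;
    for (int i = 0; i < s->nthreads; i++)
        pthread_join(s->threads[i], NULL);   /* join BEFORE freeing */
    for (int i = 0; i < s->nthreads; i++)
        total += s->ucthread[i].out;
    free(s->ucthread); free(s->threads);
    return total;
}
```

Running the close routine with the two free() calls moved above the join loop reproduces the reported ordering, and a build with -fsanitize=thread or -fsanitize=address will flag it.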

ckolivas commented 3 years ago

Fixed in git master.