ckolivas / lrzip

Long Range Zip
http://lrzip.kolivas.org
GNU General Public License v2.0

Divide By Zero in bufRead::get (src/libzpaq/libzpaq.h) #89

Closed ProbeFuzzer closed 6 years ago

ProbeFuzzer commented 6 years ago

On 0.631 (the latest version) and the latest master branch, there is a divide-by-zero problem in the bufRead::get function (src/libzpaq/libzpaq.h) that causes the program to crash. It can be triggered by the POC with the command `lrzip -t $POC`.

POC: https://github.com/ProbeFuzzer/poc/blob/master/lrzip/lrzip_0-631_lrzip_divide-by-zero_bufRead-get.lrz

This problem happens because in line 468 of src/libzpaq/libzpaq.h, the denominator ("total_len") could be manipulated by a crafted lrz file (line numbers kept because the text refers to them; `s_len` is a pointer, as the gdb output below shows):

```cpp
466	int get() {
467		if (progress && !(*s_len % 128)) {
468			int pct = (total_len - *s_len) * 100 / total_len;
...
```

The error message is provided below:

```
Decompressing...
Failed to decompress buffer - lzmaerr=1
Failed to decompress buffer - lzmaerr=1
Failed to decompress buffer - lzmaerr=1
Failed to decompress buffer - lzmaerr=1
Failed to decompress buffer - lzmaerr=1
Floating point exception
```

The back trace is as follows:

```
[Switching to Thread 0x7ffff611f700 (LWP 12257)]
0x000000000042a998 in bufRead::get (this=0x7ffff611ee50) at ../src/libzpaq/libzpaq.h:468
468			int pct = (total_len - *s_len) * 100 / total_len;
(gdb) bt
#0  0x000000000042a998 in bufRead::get (this=0x7ffff611ee50) at ../src/libzpaq/libzpaq.h:468
#1  0x000000000042423c in libzpaq::Decompresser::findBlock (this=0x7ffff6103c00, memptr=0x0) at ../src/libzpaq/libzpaq.cpp:1236
#2  0x0000000000429f2a in libzpaq::decompress (in=in@entry=0x7ffff611ee50, out=out@entry=0x7ffff611ee30)
    at ../src/libzpaq/libzpaq.cpp:1363
#3  0x000000000042a0e5 in zpaq_decompress (s_buf=, d_len=d_len@entry=0x7ffff611eed8,
    c_buf=c_buf@entry=0x65c030 '\316' <repeats 199 times>, <incomplete sequence \316>..., c_len=0, msgout=<optimized out>,
    progress=<optimized out>, thread=2) at ../src/libzpaq/libzpaq.h:538
#4  0x0000000000411337 in zpaq_decompress_buf (thread=2, ucthread=0x65aec0, control=0x6439a0 ) at ../src/stream.c:453
#5  ucompthread (data=0x0) at ../src/stream.c:1534
#6  0x00007ffff7204e25 in start_thread () from /lib64/libpthread.so.0
#7  0x00007ffff6a1934d in clone () from /lib64/libc.so.6
(gdb) p total_len
$4 = 0
(gdb) p *s_len
$5 = 0
```
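An added example, not lrzip's own code: a stand-alone model of the progress computation at line 468, kept faithful in `pct_unchecked` and guarded in `pct_checked` so that a zero `total_len` from a crafted file yields "no percentage" instead of SIGFPE. The function names and the `-1` sentinel are assumptions made for this illustration.

```cpp
#include <cstdint>
#include <cstdio>

typedef int64_t i64;

// Faithful to the reported line 468: divides by total_len unconditionally.
// With total_len == 0 (as gdb showed) this is integer division by zero.
// s_len is a pointer to the remaining byte count, as in bufRead.
static int pct_unchecked(i64 total_len, const i64 *s_len) {
    return (int)((total_len - *s_len) * 100 / total_len);
}

// Hardened form (assumed design): a non-positive total or a remaining count
// outside [0, total_len] means the header cannot be trusted; report -1
// ("undefined") instead of dividing.
static int pct_checked(i64 total_len, const i64 *s_len) {
    if (total_len <= 0 || *s_len < 0 || *s_len > total_len)
        return -1;
    return (int)((total_len - *s_len) * 100 / total_len);
}

// Mirror of the guarded branch in get(): only evaluate progress every
// 128th byte, and only print when a percentage is defined and has changed.
// Returns the last percentage reported (hypothetical helper).
static int report_progress(bool progress, i64 total_len, const i64 *s_len,
                           int *last_pct) {
    if (!progress || (*s_len % 128) != 0)
        return *last_pct;
    int pct = pct_checked(total_len, s_len);
    if (pct >= 0 && pct != *last_pct) {
        std::fprintf(stderr, "\r%d%%", pct);
        *last_pct = pct;
    }
    return *last_pct;
}
```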

ProbeFuzzer commented 6 years ago

Duplicate of https://github.com/ckolivas/lrzip/issues/66. But the problem is still present in the latest commit.

ckolivas commented 6 years ago

Fixed