gdraheim / zziplib

The ZZIPlib provides read access on ZIP-archives and unpacked data. It features an additional simplified API following the standard Posix API for file access

Out-of-bounds read in main function (src/bins/zzdir.c) #10

Closed ProbeFuzzer closed 6 years ago

ProbeFuzzer commented 6 years ago

On the latest version (0.13.67) and the master branch of zziplib there is an out-of-bounds read (resulting in a segmentation fault and program crash) in the main function of zzdir.c, which can be triggered by the following POC file.

The issue happens because the zzip_compr_str function can be manipulated by a crafted zip file into returning an invalid address. Once the address is passed to the main function of zzdir.c, it causes a segmentation fault.

To reproduce, run the command: `./zzdir $POC`

POC: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_zzdir_invalid-memory-access_main.zip

```
(gdb) l
69      zzip_char_t *
70      zzip_compr_str(int compr)
71      {
72          if (0 <= compr && compr < sizeof(comprlevel))
73          {
74              return comprlevel[compr];
75          } else if (0 < compr && compr < 256)
76          {
77              return "zipped";
78          } else
(gdb) p comprlevel[compr]
$8 = 0x4728203a43434700 <Address 0x4728203a43434700 out of bounds>
(gdb) bt
#0  zzip_compr_str (compr=64) at ../../src/zzip/info.c:74
#1  0x0000000000400bd9 in main (argc=2, argv=0x7fffffffdd88) at ../../src/bins/zzdir.c:64
```
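The listing above checks `compr < sizeof(comprlevel)`, and `sizeof` on an array of pointers yields its size in bytes, not its element count, so a field value such as the reported `compr=64` passes the guard while indexing well past the table. The following is an added example (not zziplib's own code) with a constructed `comprlevel` table of the same shape, contrasting that byte-size bound with an element-count bound and showing a lookup that never dereferences outside the table:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed table in the spirit of comprlevel[] in zziplib's info.c
   (assumed shape: an array of string pointers; the real contents are
   not reproduced here). */
static const char *const comprlevel[] = {
    "stored", "shrunk", "reduce1", "reduce2", "reduce3",
    "reduce4", "implode", "tokenize", "deflate", "deflate64",
};

#define COMPRLEVEL_COUNT (sizeof(comprlevel) / sizeof(comprlevel[0]))

/* Mirrors the guard from the listing: sizeof(comprlevel) is the array's
   byte size (80 on an LP64 build, 40 on a 32-bit one), not its element
   count (10), so indices from 10 up to that byte size are let through. */
int accepted_by_byte_size_bound(int compr)
{
    return 0 <= compr && (size_t) compr < sizeof(comprlevel);
}

/* Hardened guard: compare the index against the element count. */
int accepted_by_element_count_bound(int compr)
{
    return 0 <= compr && (size_t) compr < COMPRLEVEL_COUNT;
}

/* Safe lookup: only index the table inside its bounds; a method value
   outside the table but below 256 still gets the generic label. */
const char *compr_str_safe(int compr)
{
    if (accepted_by_element_count_bound(compr))
        return comprlevel[compr];
    else if (0 < compr && compr < 256)
        return "zipped";
    else
        return "unknown";
}

int main(void)
{
    int compr = 64; /* the value from the reported backtrace */
    printf("compr=%d: byte-size bound accepts=%d, element-count bound accepts=%d\n",
           compr, accepted_by_byte_size_bound(compr),
           accepted_by_element_count_bound(compr));
    printf("safe label: %s\n", compr_str_safe(compr));
    return 0;
}
```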

gdraheim commented 6 years ago

Some `unzzip -l` should be comparable, but test_63014 does not reproduce the problem.

gdraheim commented 6 years ago

After checking the download size, and adding an explicit testcase with zzdir, the problem is not shown in

`make test_63018`

It just has a problem printing with "Invalid or incomplete multibyte or wide character".

gdraheim commented 6 years ago

Checking back with v0.13.67, the testcase does actually show a bus error.

As the testcase is fine on master, one may consider this problem to be => fixed.