gdraheim / zziplib

The ZZIPlib provides read access on ZIP-archives and unpacked data. It features an additional simplified API following the standard Posix API for file access

Infinite Loop in unzzip_cat_file function (src/bins/unzzipcat-zip.c) #11

Closed ProbeFuzzer closed 6 years ago

ProbeFuzzer commented 6 years ago

On the latest version (0.13.67) and the master branch, there is an infinite loop in the unzzip_cat_file function of src/bins/unzzipcat-zip.c, which can be triggered by the POC below.

The issue happens because in the while loop (line 31), the "len" can be manipulated by a crafted zip file so that it always equals -1.
Recommended fix: check whether "len > 0".

 25 static void unzzip_cat_file(ZZIP_DIR* disk, char* name, FILE* out)
 26 {
 27     ZZIP_FILE* file = zzip_file_open (disk, name, 0);
 28     if (file)
 29     {
 30         char buffer[1024]; int len;
 31         while ((len = zzip_file_read (file, buffer, 1024)))
 32         {
 33             fwrite (buffer, 1, len, out);
 34         }
 35
 36         zzip_file_close (file);
 37     }
 38 }

To reproduce the issue, run the command: ./unzzip -p $POC

POC: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzzip_infinite-loop_unzzip_cat_file.zip
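The following is an added example, not code from this issue or from zziplib itself. It models the loop shape quoted above against a constructed stand-in for a zziplib handle (fake_zzip_file / fake_zzip_read, both hypothetical, following the documented contract of zzip_file_read: bytes read, 0 at EOF, negative on error). Once the stand-in has served its data it returns -1 on every call, which is the behaviour the report attributes to a crafted archive. cat_file_original_shape keeps the report's condition and is capped so it can show that it would never reach EOF; cat_file_safe applies the recommended "len > 0" check and returns -1 so the caller can report the read failure.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a zziplib file handle (not a zziplib type). It
 * serves `len` bytes of `data`; afterwards it returns 0 (clean EOF) or, if
 * fail_after_data is set, -1 on every call, like the reported crafted zip. */
typedef struct {
    const char *data;
    size_t len;
    size_t pos;
    int fail_after_data;
} fake_zzip_file;

/* Hypothetical reader with zzip_file_read's contract:
 * bytes read (> 0), 0 at EOF, -1 on error. */
static int fake_zzip_read(fake_zzip_file *f, char *buf, size_t n) {
    if (f->pos >= f->len)
        return f->fail_after_data ? -1 : 0;
    size_t avail = f->len - f->pos;
    size_t take = avail < n ? avail : n;
    memcpy(buf, f->data + f->pos, take);
    f->pos += take;
    return (int) take;
}

/* The loop shape from the report, instrumented: it runs while the return
 * value is non-zero, so a persistent -1 never ends it. Iterations are capped
 * and the count returned; hitting the cap means the loop would not have
 * terminated. fwrite is deliberately omitted here, since passing -1 as a
 * size_t would also read far past the 1024-byte buffer. */
static unsigned cat_file_original_shape(fake_zzip_file *f, unsigned cap) {
    char buffer[1024];
    int len;
    unsigned iterations = 0;
    while ((len = fake_zzip_read(f, buffer, sizeof buffer))) {
        if (++iterations >= cap)
            break;
    }
    return iterations;
}

/* Hardened loop: continue only while data was actually returned. Stops on
 * EOF (0) and on error (negative). Returns the byte count copied, or -1 if
 * the read failed so the caller can report a corrupt archive. `out` may be
 * NULL to discard the data. */
static long cat_file_safe(fake_zzip_file *f, FILE *out) {
    char buffer[1024];
    int len;
    long total = 0;
    while ((len = fake_zzip_read(f, buffer, sizeof buffer)) > 0) {
        if (out)
            fwrite(buffer, 1, (size_t) len, out);
        total += len;
    }
    return len < 0 ? -1 : total;
}

int main(void) {
    /* Constructed inputs: a 5-byte entry, once with a clean EOF and once
     * with the read failing forever after the data. */
    fake_zzip_file good = { "hello", 5, 0, 0 };
    fake_zzip_file bad  = { "hello", 5, 0, 1 };
    fake_zzip_file bad2 = { "hello", 5, 0, 1 };

    printf("safe loop, clean EOF: %ld bytes\n", cat_file_safe(&good, stdout));
    printf("\nsafe loop, read error: %ld\n", cat_file_safe(&bad, NULL));
    printf("original shape, read error: stopped by cap after %u iterations\n",
           cat_file_original_shape(&bad2, 1000));
    return 0;
}
```

The hardened loop does not reach fwrite with a negative length either, so the same one-character change closes both the spin and the oversized write that the original condition allows.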

abergmann commented 6 years ago

The POC download link is not working.

ProbeFuzzer commented 6 years ago

@abergmann Thanks, the poc link should work now.

gdraheim commented 6 years ago

test_63119 does not reproduce the problem

gdraheim commented 6 years ago

After checking the download sizes of the zip, it still cannot be reproduced:

make test_63114

just says "Zipfile corrupted"

gdraheim commented 6 years ago

Checking back with v0.13.67, the testcase does actually show the problem.

As this testcase is fine on master now, it can be regarded as => fixed