Closed ProbeFuzzer closed 6 years ago
The POC download link is not working.
@abergmann Thanks, the poc link should work now.
test_63119 does not reproduce the problem
after checking the download-sizes of the zip, it can still not be reproduced
make test_63114
just says "Zipfile corrupted"
checking back with v0.13.67 the testcase does actually show the problem.
As this testcase is fine on master now, it can be regarded as => fixed
On latest version (0.13.67) and master branch: there is an infinite loop in unzzip_cat_file function of src/bins/unzzipcat-zip.c, which could be triggered by the POC below.
The issue happens because, in the while loop (line 31), "len" can be manipulated by a crafted zip file so that it always equals -1.
Recommended fix: check whether "len > 0".
To reproduce the issue, run the command: ./unzzip -p $POC
POC: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzzip_infinite-loop_unzzip_cat_file.zip
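The loop shape behind the report, as an added example (not zziplib's own code and not part of the issue): a constructed in-memory reader stands in for zzip_file_read() with the same contract (bytes copied, 0 at end of file, -1 on error), and a "corrupt" entry keeps returning -1. A loop that only stops on 0 never terminates on that input; a loop that stops unless len > 0 does, and can report the error. The reader, the entry contents and the iteration cap that keeps the demo of the buggy loop finite are all assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a zip entry. mock_read() mirrors the contract of
 * zzip_file_read(): returns bytes copied, 0 at end of file, -1 on error.
 * corrupt_after >= 0 makes the reader return -1 forever once that many bytes
 * were served, which is the behaviour the crafted POC is reported to cause. */
typedef struct {
    const char *data;          /* entry contents (constructed sample) */
    size_t      size;
    size_t      pos;
    int         corrupt_after; /* -1: healthy entry */
} mock_file;

static int mock_read(mock_file *f, char *buf, size_t cap)
{
    if (f->corrupt_after >= 0 && f->pos >= (size_t) f->corrupt_after)
        return -1;                       /* persistent error, like a damaged stream */
    size_t left = f->size - f->pos;
    if (left == 0)
        return 0;                        /* clean EOF */
    size_t n = left < cap ? left : cap;
    if (f->corrupt_after >= 0 && f->pos + n > (size_t) f->corrupt_after)
        n = (size_t) f->corrupt_after - f->pos;
    memcpy(buf, f->data + f->pos, n);
    f->pos += n;
    return (int) n;
}

/* Buggy shape: the loop condition is just "len != 0", so a reader that keeps
 * returning -1 spins forever. max_iter is added only so this demo halts;
 * hitting it is reported as -1. The original passes len straight to fwrite();
 * here a negative len is skipped purely to keep the demo memory-safe. */
static int cat_file_vulnerable(mock_file *f, char *out, size_t outcap, int max_iter)
{
    char buffer[8];
    int len, iter = 0;
    size_t written = 0;
    while ((len = mock_read(f, buffer, sizeof buffer))) {
        if (++iter > max_iter)
            return -1;                   /* would have looped forever */
        if (len > 0 && written + (size_t) len <= outcap) {
            memcpy(out + written, buffer, (size_t) len);
            written += (size_t) len;
        }
    }
    return (int) written;
}

/* Hardened shape: continue only while len > 0, then distinguish EOF from
 * error after the loop. Returns bytes written, or -1 on read error. */
static int cat_file_fixed(mock_file *f, char *out, size_t outcap)
{
    char buffer[8];
    int len;
    size_t written = 0;
    while ((len = mock_read(f, buffer, sizeof buffer)) > 0) {
        if (written + (size_t) len > outcap)
            return -1;                   /* caller's buffer too small */
        memcpy(out + written, buffer, (size_t) len);
        written += (size_t) len;
    }
    return len < 0 ? -1 : (int) written;
}

int main(void)
{
    char out[64];
    mock_file good = { "hello, zip", 10, 0, -1 };
    printf("fixed/healthy:      %d\n", cat_file_fixed(&good, out, sizeof out));
    mock_file bad = { "hello, zip", 10, 0, 5 };
    printf("fixed/corrupt:      %d\n", cat_file_fixed(&bad, out, sizeof out));
    mock_file bad2 = { "hello, zip", 10, 0, 5 };
    printf("vulnerable/corrupt: %d (cap hit)\n",
           cat_file_vulnerable(&bad2, out, sizeof out, 100));
    return 0;
}
```

On the healthy entry both loops finish after two reads; on the corrupt entry the hardened loop returns -1 after the first chunk, while the buggy loop only stops because of the demo's iteration cap.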