Closed ProbeFuzzer closed 6 years ago
This issue was assigned CVE-2018-6381
The POC download link is not working.
@abergmann Thanks, the poc link should work now.
@gdraheim Thanks for fixing this issue.
test_63817 works OK
a check for the size was added, and the testcase is fixed now
On the latest version (0.13.67) and the master branch of zziplib, there is a segmentation fault caused by invalid memory access in the zzip_disk_fread function (src/zzip/mmapped.c), which could be triggered by a POC of only 152 bytes.
The issue happens because, with the crafted zip file, at line 685 of the zzip_disk_fread function the "size" variable can be much larger than the capacity of "file->stored". Note that this function is in library code, which means programs based on libzzip could be affected.
```c
683 if (file->stored)
684 {
685     memcpy(ptr, file->stored, size);
686     file->stored += size;
687     file->avail -= size;
688     return size;
689 }
```
To reproduce the issue, run:
```
./unzip-mem $POC
```
The POC could be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzip-mem_buffer-access-with-incorrect-length-value_zzip_disk_fread.zip
The backtrace is:
```
(gdb) bt
#0  0x00007ffff7740427 in __memcpy_ssse3 () from /lib64/libc.so.6
#1  0x00007ffff7bd7cd3 in zzip_disk_fread (ptr=0x7fffffffd7b0, sized=1024, nmemb=1, file=0x604280) at ../../src/zzip/mmapped.c:685
#2  0x00007ffff7bd8a86 in zzip_mem_disk_fread (ptr=0x7fffffffd7b0, size=1024, nmemb=1, file=0x604280) at ../../src/zzip/memdisk.c:495
#3  0x0000000000400c8c in zzip_mem_entry_pipe (disk=0x604060, entry=0x604080, out=0x6047e0) at ../../src/bins/unzip-mem.c:89
#4  0x0000000000400cfe in zzip_mem_entry_make (disk=0x604060, entry=0x604080) at ../../src/bins/unzip-mem.c:100
#5  0x00000000004017b5 in zzip_mem_entry_makeall (disk=0x604060) at ../../src/bins/unzip-mem.c:310
#6  0x0000000000401c7f in main (argc=2, argv=0x7fffffffdd48) at ../../src/bins/unzip-mem.c:399
```
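As an added illustration of the missing check (this is not zziplib's code and not the maintainer's actual patch; the struct fields are assumed stand-ins for the real file handle), a stored-data read that caps the copy at the bytes the entry actually holds instead of trusting the requested size:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the two fields the stored path of zzip_disk_fread() touches.
 * Assumption: not the real ZZIP_DISK_FILE layout, only what the check needs. */
typedef struct {
    const uint8_t *stored;  /* cursor into the stored (uncompressed) entry data */
    size_t avail;           /* bytes of entry data still readable from stored */
} stored_file_t;

/* Hardened stored-data read. The reported code copies sized*nmemb bytes
 * unconditionally; here the copy is capped at file->avail, so a crafted
 * header can only shorten the read, never push memcpy past the entry. */
size_t stored_fread_checked(void *ptr, size_t sized, size_t nmemb,
                            stored_file_t *file)
{
    size_t size;
    if (!ptr || !file || !file->stored)
        return 0;
    if (sized != 0 && nmemb > SIZE_MAX / sized)
        return 0;                 /* sized*nmemb would wrap around */
    size = sized * nmemb;
    if (size > file->avail)
        size = file->avail;       /* short read instead of an overrun */
    memcpy(ptr, file->stored, size);
    file->stored += size;
    file->avail -= size;
    return size;
}

/* Constructed case modelled on the backtrace: the caller asks for sized=1024,
 * nmemb=1 while the entry holds only 16 bytes. Returns the bytes copied by the
 * first read, or (size_t)-1 if the entry was not reported as drained after it. */
size_t demo_short_entry(void)
{
    static const uint8_t entry[] = "0123456789abcdef";   /* constructed data */
    uint8_t out[1024];
    stored_file_t file = { entry, sizeof entry - 1 };    /* 16 payload bytes */
    size_t n = stored_fread_checked(out, 1024, 1, &file);
    if (file.avail != 0 || stored_fread_checked(out, 1024, 1, &file) != 0)
        return (size_t) -1;
    return n;                                            /* 16 */
}
```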