gdraheim / zziplib

The ZZIPlib provides read access on ZIP-archives and unpacked data. It features an additional simplified API following the standard Posix API for file access

[Bug]: stack-buffer-overflow in unzzip(version 0.13.72, commit 6699e0fe) #144

Closed benehalo closed 5 months ago

benehalo commented 1 year ago

This bug may be caused by the same reason as this issue #143.

Crash Inputs

Here is the file that triggers the bug: zip.c_347_44-in-__zzip_fetch_disk_trailer.zip

Bug Description

I apply ASan (AddressSanitizer) to check for errors, and the detected errors are reported as follows.

AddressSanitizer: stack-buffer-overflow on address 0x7ffc2a71c471 at pc 0x0000004cad54 bp 0x7ffc2a71bff0 sp 0x7ffc2a71bfe8
READ of size 8 at 0x7ffc2a71c471 thread T0
    #0 0x4cad53 in __zzip_fetch_disk_trailer /data/code/zziplib/zzip/zip.c:347:44
    #1 0x4cad53 in __zzip_dir_parse /data/code/zziplib/zzip/zip.c:763:15
    #2 0x4cad53 in zzip_dir_fdopen_ext_io /data/code/zziplib/zzip/zip.c:731:15
    #3 0x4cb32b in zzip_dir_open_ext_io /data/code/zziplib/zzip/zip.c:847:16
    #4 0x4c4914 in unzzip_cat /data/code/zziplib/bins/unzzipcat-zip.c:59:12
    #5 0x7f599d95c082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41c39d in _start (/data/program/zziplib/orig-asan/bin/unzzip+0x41c39d)

Address 0x7ffc2a71c471 is located in stack of thread T0 at offset 1137 in frame
    #0 0x4c997f in zzip_dir_fdopen_ext_io /data/code/zziplib/zzip/zip.c:723

  This frame has 2 object(s):
    [32, 78) 'dirent.i.i' (line 413)
    [112, 1136) 'buffer.i.i' (line 189) <== Memory access at offset 1137 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /data/code/zziplib/zzip/zip.c:347:44 in __zzip_fetch_disk_trailer
Shadow bytes around the buggy address:
  0x1000054db830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000054db840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000054db850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000054db860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000054db870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000054db880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3
  0x1000054db890: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x1000054db8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000054db8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000054db8c0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x1000054db8d0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==264726==

How to Reproduce

The aforementioned bug can be stably reproduced in version 0.13.72 (commit id 6699e0fe).

  1. Download the zziplib source code with the official link.
  2. Using clang/clang++ (10.0.0-4ubuntu1), build zziplib with ASan.
    • -U_FORTIFY_SOURCE -fsanitize=address -g
  3. Execute unzzip with the provided input files.
    • eg: /data/program/zziplib/orig-asan/bin/unzzip -p <input-file-path>
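The ASan report above describes an 8-byte read at offset 1137 of a 1024-byte stack buffer (`buffer.i.i`, bytes 112 to 1136 of the frame) while `__zzip_fetch_disk_trailer` scans for the ZIP trailer, i.e. the comparison started one byte past the end of the buffer. The C code below is an added, self-contained example and is not zziplib's code or the fix that landed in the repository: it shows how a backward scan for the end-of-central-directory (EOCD) record can be bounded so that no comparison, including a multi-byte one, ever touches memory beyond the buffer, and how the decoded record is sanity-checked before its offsets are trusted. The functions `find_eocd` and `parse_eocd`, the `eocd_t` struct, the `rd16`/`rd32` helpers and the two sample buffers are assumptions constructed for this example.

```c
/* Added example, not zziplib's code: bounds-checked scan for the ZIP
 * end-of-central-directory (EOCD) record inside a fixed-size buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EOCD_FIXED_LEN 22u  /* fixed part of the EOCD record, per the ZIP appnote */

typedef struct {
    uint16_t entries;     /* total number of central directory entries */
    uint32_t cd_size;     /* size of the central directory in bytes */
    uint32_t cd_offset;   /* file offset of the central directory */
    uint16_t comment_len; /* length of the archive comment that follows */
} eocd_t;

/* Little-endian field readers; callers guarantee the bytes are in range. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Scan buf[0..len) backwards for "PK\5\6". The scan starts at the highest
 * offset where a complete 22-byte record still fits, so no comparison can
 * reach buf[len] or beyond. Returns the record offset, or -1 if none. */
long find_eocd(const uint8_t *buf, size_t len)
{
    if (len < EOCD_FIXED_LEN)
        return -1;
    size_t off = len - EOCD_FIXED_LEN;
    for (;;) {
        if (buf[off] == 'P' && buf[off + 1] == 'K' &&
            buf[off + 2] == 0x05 && buf[off + 3] == 0x06) {
            uint16_t comment_len = rd16(buf + off + 20);
            /* The trailing comment must fit too; otherwise it is a false hit. */
            if (off + EOCD_FIXED_LEN + comment_len <= len)
                return (long)off;
        }
        if (off == 0)
            return -1;
        off--;
    }
}

/* Decode the record at an offset returned by find_eocd and check that the
 * central directory it points to lies entirely before the record itself.
 * eocd_file_pos is the record's position in the whole file (needed when buf
 * holds only the tail of the file). Returns 0 on success, -1 on a bad record. */
int parse_eocd(const uint8_t *buf, size_t len, size_t off,
               uint64_t eocd_file_pos, eocd_t *out)
{
    if (off > len || len - off < EOCD_FIXED_LEN)
        return -1;
    const uint8_t *p = buf + off;
    out->entries     = rd16(p + 10);
    out->cd_size     = rd32(p + 12);
    out->cd_offset   = rd32(p + 16);
    out->comment_len = rd16(p + 20);
    if ((uint64_t)out->cd_offset + out->cd_size > eocd_file_pos)
        return -1;  /* central directory would overlap or pass the EOCD */
    return 0;
}

/* Constructed sample: 10 filler bytes, then an EOCD claiming 1 entry,
 * a 46-byte central directory at file offset 0, and no comment. */
const uint8_t SAMPLE_OK[32] = {
    0,0,0,0,0,0,0,0,0,0,
    'P','K',0x05,0x06,  0,0,  0,0,  1,0,  1,0,
    46,0,0,0,  0,0,0,0,  0,0 };

/* Constructed sample: the signature sits 8 bytes before the end, so no full
 * record can fit; a scan that compared 8 bytes here would read past len. */
const uint8_t SAMPLE_TRUNCATED[32] = {
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    'P','K',0x05,0x06, 0,0,0,0 };

int main(void)
{
    eocd_t e;
    long off = find_eocd(SAMPLE_OK, sizeof SAMPLE_OK);
    printf("SAMPLE_OK: eocd at %ld\n", off);
    /* Pretend the 32-byte buffer is the tail of a 1022-byte file (buffer starts at 990). */
    if (off >= 0 && parse_eocd(SAMPLE_OK, sizeof SAMPLE_OK, (size_t)off,
                               990 + (uint64_t)off, &e) == 0)
        printf("  entries=%u cd_size=%u cd_offset=%u\n",
               e.entries, e.cd_size, e.cd_offset);
    printf("SAMPLE_TRUNCATED: eocd at %ld\n",
           find_eocd(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

When the buffer holds the last few kilobytes of an archive, `eocd_file_pos` is simply `file_size - len + off`; the check in `parse_eocd` then rejects records whose central-directory offset and size point past the trailer, which is the other class of malformed input a fuzzer tends to find once the scan itself is bounded.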

gdraheim commented 5 months ago

It seems to be fixed; test added.