Bus error when handling (root seek of disk64_trailer) in zzip_disk_findfirst (src/zzip/mmapped.c) [CVE-2018-6542]

[ProbeFuzzer]

On latest version (0.13.67) and master branch of zziplib: there is a bus error (when handling seek of disk64_trailer) caused by loading of misaligned address in zzip_disk_findfirst function of src/zzip/mmapped.c, which could be triggered by the POC below. Note that this issue is different from https://github.com/gdraheim/zziplib/issues/15.

The issue happens since the pointer "trailer" (line 444) could be manipulated by a crafted zip file, resulting in a misaligned memory access and bus error. Note that the issue is in libzip and may affect downstream programs. The POC is as small as 100 bytes.

444             zzip_size_t rootseek = zzip_disk64_trailer_get_rootseek(trailer);

To reproduce the issue, run: ./unzip-mem -p $POC The POC could be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzip-mem_memory-alignment-errors_zzip_disk_findfirst_64.zip

master/src/zzip/mmapped.c:444:25: runtime error: load of misaligned address 0x7f798f31e163 for type 'uint64_t', which requires 8 byte alignment 0x7f798f31e163: note: pointer points here 71 00 00 00 3d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^

[abergmann]

CVE-2018-6542 was assigned to this issue. https://nvd.nist.gov/vuln/detail/CVE-2018-6542

[gdraheim]

can not reproduce in test_65427 on master

[gdraheim]

after double-checking the download-size of the zip, the error is now reproduced in

make test_65422

[gdraheim]

turns out that the fopen may have failed, after which the testcase is OK

[gdraheim]

checking back with v0.13.67 where the testcase had shown the problem => fixed