Closed kky0h closed 5 years ago
This was assigned CVE-2018-16548
I seem to be unable to reproduce the issue with the latest sources. Maybe the bug is already fixed? There IS a free(dir->hdr0) in zzip_dir_free()! I tried with valgrind and it says All heap blocks were freed -- no leaks are possible
I tried with valgrind and it says(latest sources and old version)
~/testapp/zziplib-0.13.69/test$ valgrind --leak-check=full ./fuzz_zzip zzip-memory-leak
==186527== Memcheck, a memory error detector
==186527== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==186527== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==186527== Command: ./fuzz_zzip zzip-memory-leak
==186527==
==186527==
==186527== HEAP SUMMARY:
==186527== in use at exit: 76 bytes in 1 blocks
==186527== total heap usage: 2 allocs, 1 frees, 196 bytes allocated
==186527==
==186527== 76 bytes in 1 blocks are definitely lost in loss record 1 of 1
==186527== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==186527== by 0x4012B1: __zzip_parse_root_directory (zip.c:427)
==186527== by 0x4019D5: __zzip_dir_parse (zip.c:757)
==186527== by 0x4018BE: zzip_dir_fdopen_ext_io (zip.c:715)
==186527== by 0x401BBA: zzip_dir_open_ext_io (zip.c:831)
==186527== by 0x401B3D: zzip_dir_open (zip.c:808)
==186527== by 0x400B4D: main (fuzz_zzip.c:21)
==186527==
==186527== LEAK SUMMARY:
==186527== definitely lost: 76 bytes in 1 blocks
==186527== indirectly lost: 0 bytes in 0 blocks
==186527== possibly lost: 0 bytes in 0 blocks
==186527== still reachable: 0 bytes in 0 blocks
==186527== suppressed: 0 bytes in 0 blocks
==186527==
==186527== For counts of detected and suppressed errors, rerun with: -v
==186527== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 1)
You can try again with the code I post above,and input file https://github.com/Kingkingyoung/fuzz_test/blob/poc/zzip-memory-leak After debugging with gdb, it seems in this case ,the p_reclen=0(zip.c:576), so the dir->hdr0 =0, zzip_dir_free() don't free hdr0, I 'm not sure whether it is correct,you can try again.
Valgrind said 'a memory error detector' as you post. My sources are also git clone from the master tree.And I also test released version 0.13.68 and 0.13.69. All of them have this problem. I just use '-g' and '-static' when I compile the test code.
Yes, it was early morning ;-) I did test with ZIP files downloaded from the 'net, yours is a misformed one, __zzip_parse_root_directory() then takes an error return and the hdr0 is not free()'d.
@jmoellers are those the complete commits, to fix the reported issue? https://github.com/gdraheim/zziplib/commit/0e1dadb05c1473b9df2d7b8f298dab801778ef99, https://github.com/gdraheim/zziplib/commit/d2e5d5c53212e54a97ad64b793a4389193fec687 and https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb
On 04.10.2018 23:14, carnil wrote:
@jmoellers https://github.com/jmoellers are those the complete commits, to fix the reported issue? 0e1dadb https://github.com/gdraheim/zziplib/commit/0e1dadb05c1473b9df2d7b8f298dab801778ef99, d2e5d5c https://github.com/gdraheim/zziplib/commit/d2e5d5c53212e54a97ad64b793a4389193fec687 and 9411bde https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb
Yes.
Josef
There are memory leaks in zziplib <=v0.13.69 which is trigged in __zzip_parse_root_directory(in zzip/zip.c:427) I wrote a demo based on the documentation.
when i use https://github.com/Kingkingyoung/fuzz_test/blob/poc/zzip-memory-leak memory leak happened
It seems hdr0(zzip/zip.c:427) doesn't free correctly in some cases.