Closed glen-mac closed 5 years ago
Thanks for reporting. It is fixed with https://github.com/inikep/lizard/commit/02491c71c2e6fd5c10997404df2f18d0fc7afadb
@inikep, if this is indeed fixed and @glen-mac has no other concerns, perhaps you can close this issue now?
Just trying to help keep your repo tidy. 😆
Thanks, Doug®
Hey there,
I have come across a vulnerability in the lizard decompressor, whereby a negative size integer is passed to
memcpy()
. This occurs in lib/lizard_decompress_liz.h:207.Since
memcpy()
takes thelength
and treats it as asize_t
, this results in an excessive copy fromctx->literalsPtr
intoop
.This was found while fuzzing commit 6a1ed71450148c8aed57de3179b1bdd81800bada (current latest as of this date).
By controlling the number of bytes passed as
length
, this results in memory corruption which can lead to execution control.Find the POC file here: poc.zip.
As follows is the ASAN output:
In the example above, with a memcpy size of -8, this value is interpreted as an unsigned integer and the memcpy continues until there is a page fault due to unmapped memory and the process terminates:
To demonstrate that the memcpy size value can be controlled by an attacker, I have attached a series of crashes that result from a differing memcpy size value. lizard_crashes.zip