Closed huanglei3 closed 1 year ago
While I normally do not like to deal with files that lrzip-next
did not create, this bug was interesting. The macro unlikely(v1)
and unlikely(v2)
macros did not function as predicted. This fix deals with your issue. We struggled over the years with protecting against bad data and this is one more fix...
diff --git a/src/stream.c b/src/stream.c
index 9d74383..00dd660 100644
--- a/src/stream.c
+++ b/src/stream.c
@@ -1491,11 +1491,12 @@ again:
print_err("Wrong password?\n");
goto failed;
}
- if (unlikely(v1)) {
+ /* protect again 0 length c_ and u_ len */
+ if (v1 < 1) {
print_err("Unexpected initial c_len %'"PRId64" in streams %'"PRId64"\n", v1, v2);
goto failed;
}
- if (unlikely(v2)) {
+ if (v2 < 1) {
print_err("Unexpected initial u_len %'"PRId64" in streams\n", v2);
goto failed;
}
lrzip-next Version
lzma 23.01(default)
lrzip-next command line
./lrzip-next -vvt file
What happened?
./lrzip-next -vvt poc The following options are in effect for this INTEGRITY TEST. Threading is ENABLED. Number of CPUs detected: 4 Detected 8,287,764,480 bytes ram Nice Value: 19 Show Progress Max Verbose Test file integrity Temporary Directory set as: /tmp/ Malloced 2,762,588,160 for tmp_outbuf Detected lrzip version 0.6 file. MD5 being used for integrity testing. Validating file for consistency...[OK] Detected lrzip version 0.6 file. Decompressing...
Reading chunk_bytes at 24 Expected size: 8,324,128 Chunk byte width: 2 Reading eof flag at 25 EOF: 1 Reading expected chunksize at 26 Chunk size: 4,096 Reading stream 0 header at 29 Reading stream 1 header at 36 Reading ucomp header at 43 Fill_buffer stream 0 c_len 2 u_len 10 last_head 0 Starting thread 0 to decompress 2 bytes from stream 0 AddressSanitizer:DEADLYSIGNAL
==3820161==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f367294d769 bp 0x000000000002 sp 0x7f35c9cee600 T1) ==3820161==The signal is caused by a READ memory access. ==3820161==Hint: address points to the zero page.
0 0x7f367294d768 in bz3_decode_block src/libbz3.c:619
AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV src/libbz3.c:619 in bz3_decode_block Thread T1 created by T0 here:
0 0x7f3672ad7815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
==3820161==ABORTING
What was expected behavior?
work well
Steps to reproduce
1.install bzip3 2.install lrzip-next 3.exec:./lrzip-next -vvt poc
Relevant log output
No response
Please provide system details
OS Distro: Kernel Version (uname -a): Linux ubuntu 5.15.0-78-generic #85~20.04.1-Ubuntu SMP Mon Jul 17 09:42:39 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux System ram (free -h): total used free shared buff/cache available Mem: 7.7Gi 4.8Gi 546Mi 4.0Mi 2.4Gi 2.6Gi Swap: 2.0Gi 1.0Mi 2.0Gi
Additional Context
you can download poc file from this link : https://github.com/huanglei3/lrzip-next-poc/tree/main