Date:      Fri, 23 Jan 2015 04:07:21 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 197017] segfault in unzip (libarchive) with malformed zip
Message-ID:  <bug-197017-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197017

            Bug ID: 197017
           Summary: segfault in unzip (libarchive) with malformed zip
           Product: Base System
           Version: 10.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: freebsd@delnoch.net

Created attachment 152045
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=152045&action=edit
zip that causes unzip to segfault

Running afl-fuzz on unzip, I've run into the following:

0x00000008008877e8 in process_extra (p=0x802041022 "UT\t", extra_length=28,
zip_entry=0x802055020) at
/usr/src/lib/libarchive/../../contrib/libarchive/libarchive/archive_read_support_format_zip.c:1716
1716                                            gidsize = p[offset+2+uidsize];
Current language:  auto; currently minimal
(gdb) p offset
$1 = 17
(gdb) p uidsize
$2 = -124


% zipdetails out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:52 

0000 LOCAL HEADER #1       04034B50
0004 Extract Zip Spec      0A '1.0'
0005 Extract OS            00 'MS-DOS'
0006 General Purpose Flag  0000
0008 Compression Method    0000 'Stored'
000A Last Mod Time         463718E0 'Fri Jan 23 03:07:00 2015'
000E CRC                   72051312
0012 Compressed Length     0000000F
0016 Uncompressed Length   0000000F
001A Filename Length       0004
001C Extra Length          001C
001E Filename              'test'
0022 Extra ID #0001        5455 'UT: Extended Timestamp'
0024   Length              0009
0026   Flags               '03 mod access'
0027   Mod Time            54C1BAD4 'Fri Jan 23 03:07:00 2015'
002B   Access Time         54C1BAD4 'Fri Jan 23 03:07:00 2015'
002F Extra ID #0002        7875 'ux: Unix Extra Type 3'
0031   Length              000B
0033   Version             01
0034   UID Size            84
Truncated file (got 120, wanted 132):

-- 
You are receiving this mail because:
You are the assignee for the bug.
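The gdb output above shows the "UID Size" byte 0x84 arriving in process_extra as uidsize = -124 (0x84 read through a signed char), after which p[offset+2+uidsize] indexes backwards out of the extra area. As an added illustration of how a parser for the two extra fields in the zipdetails dump (0x5455 "UT" and 0x7875 "ux") can avoid that class of fault, here is a bounds-checked reader written for this page; it is not libarchive's code and not the reporter's. It treats every size byte as unsigned and checks each read against the enclosing field length. The 28 extra bytes are reconstructed from the dump; the uid/gid values after "UID Size" are not visible in the report and are constructed here (uid = gid = 1000), and the 8-byte cap on uid/gid width is this example's own choice, not a ZIP rule.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parsed results for the two extra fields present in the reported entry. */
struct zip_extra_info {
    int have_ut;        /* 0x5455 "UT" Extended Timestamp parsed */
    uint32_t mtime;
    int have_ux;        /* 0x7875 "ux" Unix Extra Type 3 parsed */
    uint64_t uid, gid;
    int ux_rejected;    /* ux field declared sizes that do not fit its length */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* n-byte little-endian integer, n <= 8; the caller has already bounds-checked p. */
static uint64_t le_n(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/*
 * Walk the extra area of a local file header. Returns 0 when every field
 * header and body fits inside extra_length, -1 otherwise. Size bytes are
 * read through uint8_t so 0x84 is 132, never -124, and each read is
 * checked against the field's declared length before it happens.
 */
int parse_zip_extra(const uint8_t *extra, size_t extra_length, struct zip_extra_info *out)
{
    size_t offset = 0;
    memset(out, 0, sizeof *out);

    while (offset + 4 <= extra_length) {
        uint16_t id  = le16(extra + offset);
        uint16_t len = le16(extra + offset + 2);
        const uint8_t *f = extra + offset + 4;
        offset += 4;
        if (len > extra_length - offset)      /* field body overruns the extra area */
            return -1;

        switch (id) {
        case 0x5455:  /* UT: flags byte, then 32-bit times for each flag bit set */
            if (len >= 5 && (f[0] & 1)) {     /* bit 0 = modification time present */
                out->have_ut = 1;
                out->mtime = le32(f + 1);
            }
            break;
        case 0x7875: {  /* ux: version, uidsize, uid, gidsize, gid */
            if (len < 2) break;
            uint8_t uidsize = f[1];
            if (uidsize > 8 || (size_t)2 + uidsize + 1 > len) { out->ux_rejected = 1; break; }
            uint8_t gidsize = f[2 + uidsize];  /* safe: index 2+uidsize < len */
            if (gidsize > 8 || (size_t)3 + uidsize + gidsize > len) { out->ux_rejected = 1; break; }
            out->have_ux = 1;
            out->uid = le_n(f + 2, uidsize);
            out->gid = le_n(f + 3 + uidsize, gidsize);
            break;
        }
        default:
            break;  /* unknown field: skipped by its declared length */
        }
        offset += len;
    }
    return offset == extra_length ? 0 : -1;
}

/* Extra area of the reported entry (28 bytes) as laid out in the zipdetails
   dump. Bytes after "UID Size" are constructed (uid = gid = 1000). */
static const uint8_t extra_benign[28] = {
    0x55, 0x54, 0x09, 0x00, 0x03, 0xD4, 0xBA, 0xC1, 0x54, 0xD4, 0xBA, 0xC1, 0x54,
    0x75, 0x78, 0x0B, 0x00, 0x01, 0x04, 0xE8, 0x03, 0x00, 0x00, 0x04, 0xE8, 0x03, 0x00, 0x00
};

/* 1 when the unmodified extra area parses fully with the expected values. */
int demo_benign(void) {
    struct zip_extra_info i;
    if (parse_zip_extra(extra_benign, sizeof extra_benign, &i) != 0) return 0;
    return i.have_ut && i.mtime == 0x54C1BAD4u && i.have_ux && !i.ux_rejected &&
           i.uid == 1000 && i.gid == 1000;
}

/* 1 when the fuzzed variant (UID Size 0x04 -> 0x84, file offset 52 as in the
   afl-fuzz "flip1,pos:52" name) is rejected at the ux field instead of being
   read past its end; the UT field before it is still parsed. */
int demo_fuzzed(void) {
    uint8_t fuzzed[sizeof extra_benign];
    struct zip_extra_info i;
    memcpy(fuzzed, extra_benign, sizeof fuzzed);
    fuzzed[18] = 0x84;   /* extra-area index 18 == file offset 0x34 */
    if (parse_zip_extra(fuzzed, sizeof fuzzed, &i) != 0) return 0;
    return i.have_ut && !i.have_ux && i.ux_rejected;
}

int main(void) {
    printf("benign parses: %d, fuzzed rejected safely: %d\n", demo_benign(), demo_fuzzed());
    return 0;
}
```

The point of the rejection path is that a declared size is validated against the field's own length before it is used as an index; the parser still consumes the field by its declared length, so one malformed field does not desynchronise the rest of the extra area.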
