Date: Fri, 08 Oct 2021 19:52:36 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 259011] unzip omits a check for NULL and can seg-fault
Message-ID: <bug-259011-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259011

Bug ID: 259011
Summary: unzip omits a check for NULL and can seg-fault
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu

Created attachment 228524
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228524&action=edit
A zip file that causes unzip to seg-fault.

extract() in /usr/src/usr.bin/unzip/unzip.c says

    pathname = pathdup(archive_entry_pathname(e));

but archive_entry_pathname(e) can return NULL for some names, causing
pathdup() to seg-fault.

I've attached a demo zip file.

% unzip -n - < unzip1.zip
Archive: (null)
Segmentation fault (core dumped)

The backtrace:

#0 0x00000008004ec25f in strlen () from /lib/libc.so.7
#1 0x0000000000205175 in pathdup (path=0x0) at /usr/src/usr.bin/unzip/unzip.c:209
#2 0x0000000000204c0c in extract (a=0x801018000, e=0x801012500) at /usr/src/usr.bin/unzip/unzip.c:695
#3 0x0000000000204314 in unzip (fn=0x0) at /usr/src/usr.bin/unzip/unzip.c:903
#4 0x000000000020395a in main (argc=3, argv=0x7fffffffe868) at /usr/src/usr.bin/unzip/unzip.c:1069

-- 
You are receiving this mail because:
You are the assignee for the bug.
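The missing check described in the report, as an added example that is not part of the original message and is not the FreeBSD unzip source or its fix. `struct entry`, `entry_pathname()`, `pathdup_checked()` and `extract_all()` are hypothetical stand-ins for the libarchive entry, `archive_entry_pathname()`, `pathdup()` and `extract()`; the sample entries are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a libarchive entry (hypothetical type, not libarchive's). */
struct entry { const char *name; };

/* Stand-in accessor: like the call in the report, it may return NULL. */
static const char *entry_pathname(const struct entry *e) { return e->name; }

/* Duplicate a path. Returns NULL for NULL input or allocation failure
 * instead of handing a NULL pointer to strlen(). */
static char *pathdup_checked(const char *path)
{
    if (path == NULL)
        return NULL;
    size_t len = strlen(path);
    char *copy = malloc(len + 1);
    if (copy != NULL)
        memcpy(copy, path, len + 1);   /* includes the terminating NUL */
    return copy;
}

/* Walk the entries, skipping any for which no pathname copy is available.
 * Returns the number processed; *skipped receives the number skipped. */
static int extract_all(const struct entry *v, size_t n, int *skipped)
{
    int done = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        char *pathname = pathdup_checked(entry_pathname(&v[i]));
        if (pathname == NULL) {
            fprintf(stderr, "entry %zu: no pathname, skipping\n", i);
            (*skipped)++;
            continue;
        }
        printf("would extract: %s\n", pathname);
        free(pathname);
        done++;
    }
    return done;
}

int main(void)
{
    /* Constructed sample: the middle entry has no pathname. */
    const struct entry sample[] = { {"a.txt"}, {NULL}, {"dir/b.txt"} };
    int skipped;
    int done = extract_all(sample, 3, &skipped);
    return (done == 2 && skipped == 1) ? 0 : 1;
}
```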