Stack-buffer-overflow in unzzip_cat_file function in src/bins/unzzipcat-zip.c

[wcventure]

Hi, there.

Stack-buffer-overflow was discovered in unzzip_cat_file function in src/bins/unzzipcat-zip.c, as distributed in zziplib 0.13.69. A crafted Compressed file can cause segment faults and I have confirmed them with address sanitizer too.

Here are the POC files. Please use "./unzzip $POC" to reproduce the error.
POC.zip

git log
commit b7747bc40a66ccdfa4860957e989db6dd8f0eb92

The ASAN dumps the stack trace as follows:

=================================================================
==178388==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd79c36e40 at pc 0x00000049c69c bp 0x7ffd79c36a10 sp 0x7ffd79c361c0
READ of size 4096 at 0x7ffd79c36e40 thread T0
    #0 0x49c69b in __interceptor_fwrite.part.51 /llvm-6.0.1/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1092
    #1 0x514362 in unzzip_cat_file /zziplib/x86_64-pc-linux-gnu/bins/../../bins/unzzipcat-zip.c:39:6
    #2 0x514362 in unzzip_cat /zziplib/x86_64-pc-linux-gnu/bins/../../bins/unzzipcat-zip.c:78
    #3 0x7f3e9ab9282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #4 0x41a318 in _start (/zziplib/build/bin/unzzip+0x41a318)

Address 0x7ffd79c36e40 is located in stack of thread T0 at offset 1056 in frame
    #0 0x513ebf in unzzip_cat /zziplib/x86_64-pc-linux-gnu/bins/../../bins/unzzipcat-zip.c:47

  This frame has 4 object(s):
    [32, 1056) 'buffer.i' (line 36)
    [1184, 1188) 'error' (line 51) <== Memory access at offset 1056 partially underflows this variable
    [1200, 1224) 'entry10' (line 67) <== Memory access at offset 1056 partially underflows this variable
    [1264, 1288) 'entry29' (line 84) <== Memory access at offset 1056 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /llvm-6.0.1/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1092 in __interceptor_fwrite.part.51
Shadow bytes around the buggy address:
  0x10002f37ed70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002f37ed80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002f37ed90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002f37eda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002f37edb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10002f37edc0: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2
  0x10002f37edd0: f2 f2 f2 f2 f2 f2 f2 f2 04 f2 00 00 00 f2 f2 f2
  0x10002f37ede0: f2 f2 f8 f8 f8 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x10002f37edf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002f37ee00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002f37ee10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==178388==ABORTING