
Deallocation of control->suffix corrupts Heap Memory #216

Status: Closed
Opened by @pietroborrello

Description

The suffix field in the static rzip_control structure is initialized to point to global memory in initialize_control

lrzip/lrzip.c

Line 1341 in 64eb4a8

control->suffix = ".lrz";

and in the lrzip main.

lrzip/main.c

Line 496 in 6a1600b

control->suffix = optarg;

However, the field is then treated as a heap-allocated variable when the rzip_control variable is freed, both in rzip_control_free

lrzip/rzip.c

Line 1269 in 465afe8

dealloc(control->suffix);

and when setting a new suffix

dealloc(lr->control->suffix);

Impact

Corrupting the heap state may result in an exploitable vulnerability, especially if it is initialized with optarg, which points to global RW memory.

Fix
It is sufficient to initialize control->suffix using the return value of a strdup of the strings.
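The ownership discipline the fix describes, shown as an added example rather than lrzip's own code: a stand-in `rzip_control` struct with only the `suffix` field, plus hypothetical `initialize_control`, `control_set_suffix`, `apply_suffix_option` and `rzip_control_free` helpers that mirror the call sites named in the report. The invariant is that `suffix` is always either `NULL` or a pointer obtained from `strdup`, so every `free` on it is valid and the copy taken from `optarg` no longer aliases argv storage.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for lrzip's rzip_control: only the field at issue. */
struct rzip_control {
    char *suffix;   /* invariant: NULL or a heap pointer owned by this struct */
};

/* Replace the suffix with a heap-owned copy of `s`. Returns 0 on success, -1 on
   allocation failure. Freeing the old value is only safe because every value
   ever stored here came from strdup(), never from a literal or from argv. */
int control_set_suffix(struct rzip_control *control, const char *s)
{
    char *copy = strdup(s);
    if (copy == NULL)
        return -1;
    free(control->suffix);   /* free(NULL) is a no-op, so the first call is fine */
    control->suffix = copy;
    return 0;
}

/* Counterpart of initialize_control: the default is copied, not aliased.
   The buggy form was `control->suffix = ".lrz";`, a pointer into read-only
   data that rzip_control_free later handed to free(). */
int initialize_control(struct rzip_control *control)
{
    memset(control, 0, sizeof *control);
    return control_set_suffix(control, ".lrz");
}

/* Counterpart of the main() option handler: copies optarg instead of storing
   the argv pointer itself. */
int apply_suffix_option(struct rzip_control *control, const char *optarg)
{
    return control_set_suffix(control, optarg);
}

/* Counterpart of rzip_control_free: the only free() of suffix, followed by
   clearing the pointer so a second call cannot double-free. */
void rzip_control_free(struct rzip_control *control)
{
    free(control->suffix);
    control->suffix = NULL;
}

/* Runs the whole life-cycle and checks each step. Returns 1 if all checks pass. */
int suffix_lifecycle_ok(void)
{
    struct rzip_control control;
    char argv_suffix[] = ".custom";   /* constructed stand-in for argv[] storage */

    if (initialize_control(&control) != 0)
        return 0;
    if (strcmp(control.suffix, ".lrz") != 0)
        return 0;

    if (apply_suffix_option(&control, argv_suffix) != 0)
        return 0;
    /* The struct must own a distinct heap copy, not a pointer into argv. */
    if (control.suffix == argv_suffix || strcmp(control.suffix, ".custom") != 0)
        return 0;
    argv_suffix[1] = 'X';   /* mutating the source must not change the copy */
    if (strcmp(control.suffix, ".custom") != 0)
        return 0;

    rzip_control_free(&control);
    rzip_control_free(&control);   /* second free is harmless once suffix is NULL */
    return control.suffix == NULL;
}

int main(void)
{
    printf("suffix life-cycle %s\n", suffix_lifecycle_ok() ? "ok" : "FAILED");
    return 0;
}
```

Running this under AddressSanitizer (`-fsanitize=address`) is the quickest regression check: with the original aliasing assignments in place, the free in `rzip_control_free` reports `attempting free on address which was not malloc()-ed`; with every store routed through `control_set_suffix`, it runs clean.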
