Closed
Description
The suffix field in the static rzip_control structure is initialized to point to global memory in initialize_control (Line 1341 in 64eb4a8) and in the lrzip main (Line 496 in 6a1600b).
However, the field is then treated as a heap-allocated variable while freeing the rzip_control variable, both in rzip_control_free (Line 1269 in 465afe8) and when setting a new suffix (Line 439 in 465afe8).
Impact
Corrupting the heap state may result in an exploitable vulnerability, especially if initialized with optarg that points to global RW memory.
Fix
It is sufficient to initialize control->suffix using the return value of a strdup of the strings.
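The ownership rule behind this fix, as an added example that is not lrzip's code: `struct demo_control` and every function name below are hypothetical stand-ins, and `fake_optarg` is a constructed substitute for `optarg`. `init_unsafe` reproduces the reported initialization and is never passed to `free()`; the remaining functions keep `suffix` heap-owned from initialization to teardown.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for rzip_control: only the field from the report. */
struct demo_control { char *suffix; };

/* Reported pattern: suffix aliases a string literal, memory malloc() never
 * returned. Any later free(c->suffix) is undefined behaviour. */
void init_unsafe(struct demo_control *c) {
    c->suffix = ".lrz";
}

/* Fix described in the report: suffix always holds a strdup() result. */
int init_safe(struct demo_control *c) {
    c->suffix = strdup(".lrz");
    return c->suffix ? 0 : -1;
}

/* Setter: copy first, so a failed allocation leaves the old value intact and
 * a caller-owned buffer (optarg in the report) is never stored directly. */
int set_suffix(struct demo_control *c, const char *value) {
    char *copy = strdup(value);
    if (copy == NULL)
        return -1;
    free(c->suffix);          /* valid: the old value came from strdup() */
    c->suffix = copy;
    return 0;
}

void control_free(struct demo_control *c) {
    free(c->suffix);
    c->suffix = NULL;         /* a repeated call becomes free(NULL), a no-op */
}

/* Runs init -> set -> free; returns 1 if suffix stayed an independent copy. */
int demo_lifecycle(void) {
    char fake_optarg[] = ".custom";   /* constructed stand-in for optarg */
    struct demo_control c;
    if (init_safe(&c) != 0)
        return 0;
    if (set_suffix(&c, fake_optarg) != 0) {
        control_free(&c);
        return 0;
    }
    fake_optarg[0] = 'X';             /* caller reuses its own buffer */
    int ok = strcmp(c.suffix, ".custom") == 0 && c.suffix != fake_optarg;
    control_free(&c);
    control_free(&c);                 /* safe because suffix was set to NULL */
    return ok && c.suffix == NULL;
}

int main(void) { return demo_lifecycle() ? 0 : 1; }
```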