Deallocation of control->suffix corrupts Heap Memory #216
Comments
Good grief! This has been around since v0.1 and rzip before, even before I became involved (v0.19). The initialise function should be used for setting constants or like-size variables, like compression level, etc. Setting control->suffix to equal
Great, thank you! Will checkout
Fixed in master.
Retrospective note: This seems to have been a CVE assigned, which is CVE-2022-28044.
Hello, is there a simple reproducer for this one?
The suffix field in the static rzip_control structure is initialized to point to global memory in initialize_control (lrzip/lrzip.c, line 1341 at 64eb4a8) and in the lrzip main (lrzip/main.c, line 496 at 6a1600b). However, the field is then treated as a heap-allocated variable while freeing the rzip_control variable, both in rzip_control_free (lrzip/rzip.c, line 1269 at 465afe8) and when setting a new suffix (lrzip/liblrzip.c, line 439 at 465afe8).

Impact
Corrupting the heap state may result in an exploitable vulnerability, especially if initialized with optarg that points to global RW memory.

Fix
It is sufficient to initialize control->suffix using the return value of a strdup of the strings.
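As an added example (not lrzip's own code), a reduced model of the ownership problem the issue describes: the buggy initialisation that stores a pointer to global memory beside the strdup-based fix, plus a setter that frees the old heap copy before installing a new one. The struct, the function names and the ".custom" argument are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for lrzip's rzip_control, reduced to the field this issue concerns. */
struct control { char *suffix; };

/* Buggy pattern from the issue: suffix points at a string literal in global memory,
 * so control_free() later hands a non-heap pointer to free(). Never pair these two. */
void init_control_buggy(struct control *c)
{
    c->suffix = ".lrz";
}

/* Fixed pattern: the control only ever holds heap copies, so free() is always valid. */
static int init_control_fixed(struct control *c)
{
    c->suffix = strdup(".lrz");
    return c->suffix != NULL;
}

/* Replacing the suffix frees the previous heap copy and installs a new heap copy;
 * the caller's buffer (optarg in lrzip's case) is never retained. */
static int set_suffix(struct control *c, const char *new_suffix)
{
    char *copy = strdup(new_suffix);
    if (copy == NULL)
        return 0;
    free(c->suffix);
    c->suffix = copy;
    return 1;
}

static void control_free(struct control *c)
{
    free(c->suffix);
    c->suffix = NULL;
}

/* Exercise the fixed lifecycle (init, override from a caller-owned buffer, free);
 * returns 1 when every step behaves as intended. */
static int suffix_lifecycle_ok(void)
{
    char user_arg[] = ".custom";   /* constructed stand-in for optarg */
    struct control c;
    if (!init_control_fixed(&c) || strcmp(c.suffix, ".lrz") != 0) return 0;
    if (!set_suffix(&c, user_arg) || strcmp(c.suffix, ".custom") != 0) return 0;
    user_arg[1] = 'X';             /* caller mutates its buffer; our copy is independent */
    if (strcmp(c.suffix, ".custom") != 0) return 0;
    control_free(&c);
    return c.suffix == NULL;
}
```

Running the fixed path under a heap checker (ASan or valgrind) stays clean, whereas calling control_free() on a control set up by init_control_buggy() is reported as freeing a non-heap pointer.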