Infinite Loop Vulnerability in unzip_match function (src/runzip.c) #88

Closed
ProbeFuzzer opened this issue Jan 12, 2018 · 2 comments

ProbeFuzzer commented Jan 12, 2018

on 0.6.31 (the latest version):
there is an infinite loop and application hang in the unzip_match function (src/runzip.c), which can be triggered by the POC with the command lrzip -t $POC

Looking into the unzip_match function (src/runzip.c), we found that in the while loop (line 220), the "offset" could be manipulated by a crafted lrz file (line 208). When offset is set to zero, n will always be zero (line 221), which in turn causes len to always be non-zero, and the infinite loop occurs.

The code segment is:
182 static i64 read_fdhist(rzip_control *control, void *buf, i64 len)
...
208 offset = read_vchars(control, ss, 0, chunk_bytes);
....
220 while (len) {
221 n = MIN(len, offset);
...
237 len -= n;
238 off_buf += n;
239 total += n;
240 }

POC:
https://github.com/ProbeFuzzer/poc/blob/master/lrzip/lrzip_0-631_lrzip_infinite-loop_unzip_match.lrz

The gdb backtrace is as follows:
(gdb) bt
#0 0x0000000000455782 in md5_process_bytes ()
#1 0x0000000000434e76 in unzip_match ()
#2 0x0000000000435ae4 in runzip_chunk ()
#3 0x00000000004364a3 in runzip_fd ()
#4 0x0000000000418704 in decompress_file ()
#5 0x000000000040d0f4 in main ()
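
To make the loop behaviour described in the report concrete, here is an added example (not lrzip's code and not part of the issue): a constructed byte reader standing in for read_vchars, a history buffer, and a match-copy loop of the same shape as the quoted one (n = MIN(len, offset) per pass), run once without and once with a pre-loop check on the attacker-controlled offset. The record layout (offset then len, each chunk_bytes wide, little-endian), the seed history "abcd", and the iteration guard that turns the hang into a return code are all assumptions made for the demonstration; how the upstream commit actually fixed the issue is not shown here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int64_t i64;
#define MIN(a, b) ((a) < (b) ? (a) : (b))

enum { ST_OK = 0, ST_BAD_INPUT = -1, ST_WOULD_HANG = -2 };

/* Constructed stand-in for lrzip's stream state: a byte buffer plus a cursor. */
typedef struct { const unsigned char *buf; size_t len; size_t pos; } stream_t;

/* Stand-in for read_vchars(): read chunk_bytes bytes, little-endian, into an i64.
 * Assumption: only "field width comes from the header" is mirrored, not lrzip's encoding. */
static int read_vchars(stream_t *ss, int chunk_bytes, i64 *out)
{
    if (chunk_bytes < 1 || chunk_bytes > 8 || ss->pos + (size_t)chunk_bytes > ss->len)
        return ST_BAD_INPUT;
    i64 v = 0;
    for (int i = 0; i < chunk_bytes; i++)
        v |= (i64)ss->buf[ss->pos + (size_t)i] << (8 * i);
    ss->pos += (size_t)chunk_bytes;
    *out = v;
    return ST_OK;
}

/* Output/history buffer: data[0..total) is what has been decompressed so far. */
typedef struct { unsigned char *data; i64 total; i64 cap; } hist_t;

/* Match copy shaped like the loop quoted in the report: every pass copies
 * n = MIN(len, offset) bytes from `offset` bytes back in the history.
 * With offset == 0, n is 0 on every pass and len never decreases.
 * max_iters is an added guard so the demonstration returns instead of hanging;
 * offset > total is not validated here either (the demo never passes one). */
static int match_copy_unchecked(hist_t *h, i64 len, i64 offset, long max_iters)
{
    long iters = 0;
    i64 off_buf = h->total - offset;          /* start of the match in history */
    while (len) {
        if (iters++ >= max_iters)
            return ST_WOULD_HANG;             /* the report's infinite loop, caught */
        i64 n = MIN(len, offset);
        if (h->total + n > h->cap)
            return ST_BAD_INPUT;              /* keeps the demo memory-safe */
        memcpy(h->data + h->total, h->data + off_buf, (size_t)n);
        len -= n;
        off_buf += n;
        h->total += n;
    }
    return ST_OK;
}

/* Hardened form: reject the attacker-controlled offset before entering the loop.
 * A usable offset lies in 1..total and the match must fit the buffer; with
 * offset >= 1 each pass copies at least one byte, so at most len passes run. */
static int match_copy_checked(hist_t *h, i64 len, i64 offset)
{
    if (offset <= 0 || offset > h->total || len < 0 || h->total + len > h->cap)
        return ST_BAD_INPUT;
    return match_copy_unchecked(h, len, offset, len + 1);
}

/* Decode one constructed match record (offset, then len, each chunk_bytes wide;
 * the field order is an assumption, not lrzip's real record layout) and apply it. */
static int decode_match_record(const unsigned char *rec, size_t rec_len, int chunk_bytes,
                               hist_t *h, int hardened)
{
    stream_t ss = { rec, rec_len, 0 };
    i64 offset, len;
    if (read_vchars(&ss, chunk_bytes, &offset) != ST_OK ||
        read_vchars(&ss, chunk_bytes, &len) != ST_OK)
        return ST_BAD_INPUT;
    return hardened ? match_copy_checked(h, len, offset)
                    : match_copy_unchecked(h, len, offset, 1000);
}

/* Run one record against a fresh history "abcd"; copies the resulting history into out. */
static int run_demo(const unsigned char *rec, size_t rec_len, int hardened, char *out, size_t out_sz)
{
    unsigned char buf[64] = "abcd";
    hist_t h = { buf, 4, (i64)sizeof buf };
    int rc = decode_match_record(rec, rec_len, 1, &h, hardened);
    size_t n = (size_t)h.total < out_sz - 1 ? (size_t)h.total : out_sz - 1;
    memcpy(out, buf, n);
    out[n] = '\0';
    return rc;
}

int main(void)
{
    static const unsigned char good[] = { 2, 6 };   /* offset 2, len 6 */
    static const unsigned char bad[]  = { 0, 6 };   /* offset 0: n == 0 on every pass */
    char out[64];
    printf("valid record, unchecked: rc=%d history=%s\n", run_demo(good, 2, 0, out, sizeof out), out);
    printf("offset 0, unchecked:     rc=%d (ST_WOULD_HANG is %d)\n", run_demo(bad, 2, 0, out, sizeof out), ST_WOULD_HANG);
    printf("offset 0, hardened:      rc=%d (ST_BAD_INPUT is %d)\n", run_demo(bad, 2, 1, out, sizeof out), ST_BAD_INPUT);
    return 0;
}
```

The point of the checked variant is that progress of the loop depends on offset being at least 1, so that is the invariant to establish once, before the loop, from a value that came out of the file; the per-pass MIN(len, offset) only bounds each copy, it never guarantees termination on its own.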

carnil commented Jan 13, 2018

This issue is CVE-2018-5650

ckolivas (Owner) commented

Fixed in 50cfb3b
