on 0.6.31 (the latest version):
there is an infinite loop and application hang in the unzip_match function (src/runzip.c), which can be triggered by the POC with command lrzip -t $POC
Looking into the unzip_match function (src/runzip.c), we found that in the while loop (line 220), the "offset" could be manipulated by a crafted lrz file (line 208). When offset is set to zero, n will always be zero (line 221), which in turn causes len to always be non-zero, so the infinite loop occurs.
The code segment is:
182 static i64 read_fdhist(rzip_control *control, void *buf, i64 len)
...
208 offset = read_vchars(control, ss, 0, chunk_bytes);
...
220 while (len) {
221 n = MIN(len, offset);
...
237 len -= n;
238 off_buf += n;
239 total += n;
240 }
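The loop above, as an added example that is not lrzip's own code: a simplified model of the match-copy loop (hypothetical `copy_match`, with `MIN` assumed to be the usual minimum macro) with the input check that the reported loop lacks, so a zero or out-of-range offset read from the file is rejected as a corrupt stream instead of spinning forever.

```c
#include <stdint.h>
#include <string.h>

typedef int64_t i64;
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Model of the unzip_match copy loop from src/runzip.c (hypothetical
 * simplification for illustration). Appends `len` bytes to `out`, copying
 * from `offset` bytes back in the already-produced history (`out_len`
 * bytes), in chunks of at most `offset` bytes so an overlapping
 * back-reference repeats the pattern correctly. Returns bytes copied
 * or -1 on a corrupt/unsafe request. */
static i64 copy_match(unsigned char *out, i64 out_len, i64 out_cap,
                      i64 offset, i64 len)
{
    /* The check missing in the reported loop: an offset of 0 makes
     * n = MIN(len, 0) == 0 on every iteration, so len never shrinks.
     * An offset larger than the history would read before the buffer. */
    if (offset <= 0 || offset > out_len || len < 0 || out_len + len > out_cap)
        return -1;

    i64 total = 0;
    while (len) {
        i64 n = MIN(len, offset);
        /* Because n <= offset, source and destination never overlap. */
        memcpy(out + out_len + total, out + out_len + total - offset, (size_t)n);
        len -= n;
        total += n;
    }
    return total;
}

/* Constructed demo: history "abc", then a 7-byte match 3 bytes back
 * yields "abcabcabca"; a zero offset is rejected rather than hanging. */
static int demo(void)
{
    unsigned char buf[32] = "abc";
    if (copy_match(buf, 3, sizeof buf, 3, 7) != 7)
        return 0;
    if (memcmp(buf, "abcabcabca", 10) != 0)
        return 0;
    if (copy_match(buf, 10, sizeof buf, 0, 5) != -1)
        return 0;
    return 1;
}
```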
POC:
https://github.com/ProbeFuzzer/poc/blob/master/lrzip/lrzip_0-631_lrzip_infinite-loop_unzip_match.lrz
The gdb backtrack is as follows:
(gdb) bt
#0 0x0000000000455782 in md5_process_bytes ()
#1 0x0000000000434e76 in unzip_match ()
#2 0x0000000000435ae4 in runzip_chunk ()
#3 0x00000000004364a3 in runzip_fd ()
#4 0x0000000000418704 in decompress_file ()
#5 0x000000000040d0f4 in main ()