Infinite Loop Vulnerability in get_fileinfo (src/lrzip.c) #91

Closed
@ProbeFuzzer

Description

On the latest version (0.631) and the master branch, there is an infinite loop and application hang in the get_fileinfo function (src/lrzip.c), which can be triggered by the POC with the command: lrzip -i $POC

Looking into the get_fileinfo function (src/lrzip.c), we found that in the "do {} while (last_head)" loop, the "last_head" variable is controlled by the POC file and is always non-zero, and the "lseek" in line 1041 continuously moves the file cursor to the same position. That means "last_head" is always assigned the value from the same file position, resulting in an infinite loop.

 934 bool get_fileinfo(rzip_control *control)
 ...
1036                 do {
 ...
1041                         if (unlikely(head_off = lseek(fd_in, last_head + ofs, SEEK_SET) == -1))
1042                                 fatal_goto(("Failed to seek to header data in get_fileinfo\n"), error);
1043                         if (unlikely(!get_header_info(control, fd_in, &ctype, &c_len, &u_len,
1044                                         &last_head, chunk_byte)))
1045                                 return false;
 ...
1069                 } while (last_head);

POC: https://github.com/ProbeFuzzer/poc/blob/master/lrzip/lrzip_0-631_lrzip_infinite-loop_get_fileinfo.lrz
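The defensive pattern that turns this hang into an error is to remember every header offset already visited while following the chain and stop as soon as one repeats. The following is an added example, not lrzip's code: it uses a constructed, simplified record layout (not the real lrzip on-disk format) and a hypothetical walk_headers function that plays the role of the do {} while (last_head) loop in get_fileinfo.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed record layout (a simplification for illustration, not lrzip's real
 * on-disk format): ctype(1) | c_len(4 LE) | u_len(4 LE) | last_head(4 LE).
 * last_head is the offset of the next record; 0 ends the chain, like get_fileinfo's loop. */
#define REC_SIZE 13u

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

static void put_rec(uint8_t *d, uint8_t ctype, uint32_t c_len, uint32_t u_len, uint32_t last_head)
{
    uint32_t f[3] = { c_len, u_len, last_head };
    d[0] = ctype;
    for (int i = 0; i < 12; i++)
        d[1 + i] = (uint8_t)(f[i / 4] >> (8 * (i % 4)));   /* little-endian fields */
}

/* Walks the chain from offset `first`. Returns the number of records visited,
 * or -1 if the chain is malformed: a record falls outside the buffer, or an
 * offset repeats. A repeated offset is exactly the cycle a self-referencing
 * last_head creates, so the caller gets an error instead of a hang. */
int walk_headers(const uint8_t *buf, size_t len, uint32_t first)
{
    uint32_t *seen = calloc(len ? len : 1, sizeof *seen); /* distinct valid offsets < len */
    if (!seen) return -1;
    int count = 0;
    uint32_t off = first;
    do {
        if (off >= len || len - off < REC_SIZE) { count = -1; break; } /* truncated record */
        for (int i = 0; i < count; i++)
            if (seen[i] == off) { count = -1; break; }             /* already visited: cycle */
        if (count < 0) break;
        seen[count++] = off;
        off = rd32(buf + off + 9);   /* next offset, the value get_header_info stores in last_head */
    } while (off);
    free(seen);
    return count;
}

/* Two constructed records at offsets 0 and 13; the first chains to the second, whose
 * last_head is `second_next`: 0 ends cleanly (2), 13 points at itself like the POC (-1), 99 is out of bounds (-1). */
int demo_chain(uint32_t second_next)
{
    uint8_t buf[2 * REC_SIZE];
    put_rec(buf, 1, 100, 200, 13);
    put_rec(buf + 13, 1, 100, 200, second_next);
    return walk_headers(buf, sizeof buf, 0);
}
```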
