On the latest version (v0.631) and commit (38386bd) of lrzip, there is an infinite loop in the runzip_fd function of src/runzip.c, which can be triggered by the POC below.
The issue occurs because the return value of the runzip_chunk call (line 382) can be manipulated to be 0. In that case total never grows, so it always stays smaller than expected_size and the loop never terminates.
```c
370 i64 runzip_fd(rzip_control *control, int fd_in, int fd_out, int fd_hist, i64 expected_size)
371 {
...
381 	do {
382 		u = runzip_chunk(control, fd_in, expected_size, total);
...
387 		total += u;
...
407 	} while (total < expected_size || (!expected_size && !control->eof));
...
486 	return total;
487 }
```
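The loop above only terminates when the accumulated total reaches expected_size, so a chunk decoder that keeps returning 0 makes no forward progress and spins forever. The following is an added example (not lrzip code) that models that failure mode with a constructed chunk stream: `drain_chunks_naive` mirrors the shape of the original loop (bounded here by an iteration budget purely so it can be run), and `drain_chunks` is the hardened form that treats a zero-length chunk, a decoder error, or a chunk that overshoots the declared size as a malformed stream. The `fake_stream` type and `fake_chunk` decoder are stand-ins defined here, not lrzip's API.

```c
#include <stdint.h>
#include <stdio.h>

typedef int64_t i64;

/* Constructed stand-in for an input stream: a list of declared chunk sizes.
 * A zero-sized chunk does not advance the read position, modelling a decoder
 * that is re-invoked with an unchanged tally and re-reads the same header. */
typedef struct {
    const i64 *chunk_sizes;
    int nchunks;
    int pos;
} fake_stream;

/* Stand-in for runzip_chunk(): returns bytes produced, or -1 on read error. */
static i64 fake_chunk(fake_stream *s)
{
    if (s->pos >= s->nchunks)
        return -1;                      /* truncated stream */
    i64 u = s->chunk_sizes[s->pos];
    if (u > 0)
        s->pos++;                       /* only consume input when progress was made */
    return u;
}

/* Loop with the same termination condition as the original: total < expected_size.
 * 'budget' caps the iterations so the hang is observable as a -2 return instead of
 * an actual infinite loop; the real code has no such cap. */
i64 drain_chunks_naive(fake_stream *s, i64 expected_size, int budget)
{
    i64 total = 0;
    int iters = 0;
    do {
        i64 u = fake_chunk(s);
        if (u < 0)
            return -1;                  /* decoder error */
        total += u;                     /* u == 0 leaves total unchanged */
        if (++iters > budget)
            return -2;                  /* would spin forever without the cap */
    } while (total < expected_size);
    return total;
}

/* Hardened loop: every iteration must make progress and stay within the
 * declared size, otherwise the stream is rejected as malformed (-1). */
i64 drain_chunks(fake_stream *s, i64 expected_size)
{
    i64 total = 0;
    while (total < expected_size) {
        i64 u = fake_chunk(s);
        if (u <= 0)
            return -1;                  /* error, or zero-length chunk: no progress */
        if (u > expected_size - total)
            return -1;                  /* chunk overshoots the declared total */
        total += u;
    }
    return total;
}

/* Constructed sample streams: one well-formed, one with a zero-sized chunk. */
static const i64 good_chunks[] = {4, 4, 2};
static const i64 bad_chunks[]  = {4, 0, 6};

i64 demo_good_hardened(void)
{
    fake_stream s = {good_chunks, 3, 0};
    return drain_chunks(&s, 10);        /* 10 */
}

i64 demo_bad_naive(void)
{
    fake_stream s = {bad_chunks, 3, 0};
    return drain_chunks_naive(&s, 10, 1000);   /* -2: budget exhausted, i.e. hang */
}

i64 demo_bad_hardened(void)
{
    fake_stream s = {bad_chunks, 3, 0};
    return drain_chunks(&s, 10);        /* -1: rejected on the zero-length chunk */
}

int main(void)
{
    printf("good/hardened: %lld\n", (long long)demo_good_hardened());
    printf("bad/naive:     %lld\n", (long long)demo_bad_naive());
    printf("bad/hardened:  %lld\n", (long long)demo_bad_hardened());
    return 0;
}
```

The hardened loop rejects the stream at the first zero-length chunk rather than relying on the caller to time out; the same zero-progress check applied to runzip_chunk's return value in runzip_fd would turn the hang into a decompression error.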
The full stack trace is:
```
#0  0x00007fe8261fb154 in _fxstat () from /lib64/libc.so.6
#1  0x000000000043ae89 in fstat (__statbuf=0x7fffffffd2a0, __fd=7) at /usr/include/sys/stat.h:470
#2  runzip_chunk (tally=0, expected_size=, fd_in=, control=) at /u/test/test/product/lrzip/master/src/runzip.c:301
#3  runzip_fd (control=control@entry=0x7b4cc0 <local_control>, fd_in=fd_in@entry=7, fd_out=fd_out@entry=8, fd_hist=fd_hist@entry=9, expected_size=) at /u/test/test/product/lrzip/master/src/runzip.c:382
#4  0x0000000000419554 in decompress_file (control=0x7b4cc0 <local_control>) at /u/test/test/product/lrzip/master/src/lrzip.c:838
#5  0x0000000000409185 in main (argc=, argv=) at /u/test/test/product/lrzip/master/src/main.c:675
```
To reproduce the issue, run: ./lrzip -t $POC
lrzip_0-631_lrzip_infinite-loop_runzip_fd.lrz.zip