Description
On the latest version (0.13.67) and the master branch of zziplib:
there is a segmentation fault caused by an invalid memory access in the zzip_disk_fread function (src/zzip/mmapped.c), which can be triggered by a POC of only 152 bytes.
The issue occurs because, with the crafted zip file, the "size" variable at line 685 of the zzip_disk_fread function can be much larger than the capacity of the buffer behind "file->stored". Note that this function is in library code, which means programs built on libzzip could be affected.
683 if (file->stored)
684 {
685 memcpy(ptr, file->stored, size);
686 file->stored += size;
687 file->avail -= size;
688 return size;
689 }
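To illustrate the mitigation, here is an added example (not zziplib's code) of a bounded read over a stand-in for the handle fields named above, assuming the declared remainder ("avail") comes from the untrusted archive header and so must itself be checked against the bytes actually mapped; the struct, field "limit", and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the handle fields the report names; not zziplib's real type. */
struct mem_file {
    const char *stored; /* next unread byte of a stored (uncompressed) entry */
    size_t avail;       /* bytes the archive header claims remain in the entry */
    size_t limit;       /* bytes actually mapped after 'stored' (assumed trusted) */
};

/* Hardened read: copy at most what is both declared (avail) and mapped (limit). */
static size_t safe_fread(void *ptr, size_t sized, size_t nmemb, struct mem_file *file)
{
    if (!ptr || !file || !file->stored || sized == 0 || nmemb == 0)
        return 0;
    if (nmemb > SIZE_MAX / sized)   /* sized * nmemb would overflow */
        return 0;
    size_t size = sized * nmemb;
    if (size > file->avail) size = file->avail;   /* header-declared remainder */
    if (size > file->limit) size = file->limit;   /* mapped bytes: the bound the crash lacks */
    memcpy(ptr, file->stored, size);
    file->stored += size;
    file->avail  -= size;
    file->limit  -= size;
    return size;   /* bytes copied, mirroring the 'return size' in the snippet above */
}

/* Constructed scenario mirroring the report: the header claims 1024 bytes but only
 * 8 bytes of entry data are actually mapped behind 'stored'. */
static size_t demo_truncated_entry(void)
{
    static const char mapped[] = "ABCDEFGH";
    char out[1024] = {0};
    struct mem_file f = { mapped, 1024, sizeof mapped - 1 };
    return safe_fread(out, 1024, 1, &f);   /* returns 8, not 1024 */
}

/* Normal case: a consistent 8-byte entry read in 4-byte chunks until exhausted. */
static size_t demo_consume(void)
{
    static const char mapped[] = "ABCDEFGH";
    char out[4];
    struct mem_file f = { mapped, 8, 8 };
    size_t total = 0;
    total += safe_fread(out, 4, 1, &f);   /* 4 */
    total += safe_fread(out, 4, 1, &f);   /* 4 */
    total += safe_fread(out, 4, 1, &f);   /* 0: entry exhausted */
    return total;                         /* 8 */
}
```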
To reproduce the issue, run: ./unzip-mem $POC
The POC could be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzip-mem_buffer-access-with-incorrect-length-value_zzip_disk_fread.zip
The backtrace is:
(gdb) bt
#0 0x00007ffff7740427 in __memcpy_ssse3 () from /lib64/libc.so.6
#1 0x00007ffff7bd7cd3 in zzip_disk_fread (ptr=0x7fffffffd7b0, sized=1024, nmemb=1, file=0x604280) at ../../src/zzip/mmapped.c:685
#2 0x00007ffff7bd8a86 in zzip_mem_disk_fread (ptr=0x7fffffffd7b0, size=1024, nmemb=1, file=0x604280) at ../../src/zzip/memdisk.c:495
#3 0x0000000000400c8c in zzip_mem_entry_pipe (disk=0x604060, entry=0x604080, out=0x6047e0) at ../../src/bins/unzip-mem.c:89
#4 0x0000000000400cfe in zzip_mem_entry_make (disk=0x604060, entry=0x604080) at ../../src/bins/unzip-mem.c:100
#5 0x00000000004017b5 in zzip_mem_entry_makeall (disk=0x604060) at ../../src/bins/unzip-mem.c:310
#6 0x0000000000401c7f in main (argc=2, argv=0x7fffffffdd48) at ../../src/bins/unzip-mem.c:399