Description
On latest version (0.13.67) and master branch of zziplib:
there is a bus error caused by loading of misaligned address in __zzip_fetch_disk_trailer function of src/zzip/zip.c, which could be triggered by the POC below.
The issue happens since the struct zzip_disk_trailer "orig" (line 318) could be manipulated by a crafted zip file, resulting in a misaligned memory access and bus error. Note that the issue is in libzip and may affect downstream programs. The POC is as small as 100 bytes.
312 struct zzip_disk_trailer *orig =
313 (struct zzip_disk_trailer *) tail;
...
318 trailer->zz_rootseek = zzip_disk_trailer_rootseek(orig);
To reproduce the issue, run: ./zzdir $POC
The POC could be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_zzdir_memory-alignment-errors___zzip_fetch_disk_trailer.zip
master/src/zzip/zip.c:315:43: runtime error: load of misaligned address 0x7f079d64a027 for type 'uint16_t', which requires 2 byte alignment
0x7f079d64a027: note: pointer points here
00 00 00 20 01 40 00 70 47 50 50 50 51 55 50 50 50 50 50 50 00 00 00 00 00 00 00 00 00 00 00 00
^