Description
On the latest release (0.13.67) and the master branch of zziplib:
there is a bus error caused by a load from a misaligned address when handling disk64_trailer local entries in the __zzip_fetch_disk_trailer function of src/zzip/zip.c, which can be triggered by the POC below.
The issue arises because the struct zzip_disk_trailer "orig" (line 336) can be manipulated by a crafted zip file, resulting in a misaligned memory access and a bus error. Note that the issue is in the zziplib library itself and may affect downstream programs. This issue is different from CVE-2018-6484 and arises when invoking a different function.
336 zzip_disk64_trailer_localentries(orig);
337 trailer->zz_finalentries =
338 zzip_disk64_trailer_finalentries(orig);
To reproduce the issue, run: ./unzzip -p $POC
https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzzip_memory-aligment-errors___zzip_fetch_disk_trailer.zip
master/src/zzip/zip.c:336:25: runtime error: load of misaligned address 0x7f1d4f853036 for type 'uint64_t', which requires 8 byte alignment
0x7f1d4f853036: note: pointer points here
03 dd e5 69 50 5a 50 4b 03 dd e5 69 50 5a 50 4b 06 14 00 0b 00 06 14 00 00 00 00 00 00 00 61 55
^
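As an added example (not zziplib's code), this is the alignment-safe way to read the 8-byte fields of a zip64 end-of-central-directory record at an arbitrary buffer offset: fields are assembled byte by byte instead of dereferencing a uint64_t pointer into the mapped file, and bounds are checked before any field is read. The field layout follows the ZIP APPNOTE; zip64_eocd_parse, read_le64 and the sample bytes are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Zip64 end-of-central-directory record layout (ZIP APPNOTE 4.3.14):
 * fixed field offsets, 56 bytes long. */
#define ZIP64_EOCD_SIG 0x06064b50u
#define ZIP64_EOCD_LEN 56

struct zip64_eocd {
    uint64_t entries_this_disk, entries_total, cd_size, cd_offset;
};

/* Assemble little-endian values byte by byte: legal at any address, unlike
 * *(const uint64_t *)p, which is undefined on a misaligned p and faults
 * (SIGBUS) on strict-alignment targets. */
static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t read_le64(const unsigned char *p) {
    return (uint64_t)read_le32(p) | (uint64_t)read_le32(p + 4) << 32;
}

/* Parse the record at buf+off. Returns 0 on success, -1 if the record does
 * not fit in the buffer (file-controlled offset checked first) or the signature is wrong. */
int zip64_eocd_parse(const unsigned char *buf, size_t len, size_t off,
                     struct zip64_eocd *out) {
    if (off > len || len - off < ZIP64_EOCD_LEN) return -1;
    const unsigned char *p = buf + off;
    if (read_le32(p) != ZIP64_EOCD_SIG) return -1;
    out->entries_this_disk = read_le64(p + 24);
    out->entries_total     = read_le64(p + 32);
    out->cd_size           = read_le64(p + 40);
    out->cd_offset         = read_le64(p + 48);
    return 0;
}

/* Constructed sample: a pad byte misaligns the record relative to the buffer start. */
static const unsigned char sample[1 + ZIP64_EOCD_LEN] = {
    0xAA,
    0x50,0x4b,0x06,0x06,  44,0,0,0,0,0,0,0,    /* signature, size of rest */
    45,0, 45,0,  0,0,0,0, 0,0,0,0,             /* versions, disk numbers */
    2,0,0,0,0,0,0,0,  2,0,0,0,0,0,0,0,         /* entries: this disk, total */
    0x64,0,0,0,0,0,0,0,  0x34,0x12,0,0,0,0,0,0 /* cd size 100, offset 0x1234 */
};

/* 1 when the sample parses to the expected values, else 0. */
int sample_check(void) {
    struct zip64_eocd e;
    return zip64_eocd_parse(sample, sizeof sample, 1, &e) == 0 &&
           e.entries_total == 2 && e.cd_size == 100 && e.cd_offset == 0x1234;
}
```

Building with -fsanitize=alignment (as in the report above) stays silent for this reader, because no load wider than one byte is ever issued against the file buffer.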