
Bus error in __zzip_parse_root_directory (in zzip/zip.c:482) [CVE-2018-7726] #41

Closed
fantasy7082 opened this issue Mar 6, 2018 · 3 comments

Comments

@fantasy7082

In ZZIPlib v0.13.68, there is a bus error caused by the __zzip_parse_root_directory function of zzip/zip.c. Attackers could leverage this vulnerability to cause a denial of service via a crafted zip file.
To reproduce the issue, run: ./zzdir $POC

gdb ../../zzip-fuzz/bin/zzdir
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ../../zzip-fuzz/bin/zzdir...done.
(gdb) r c005-bus-zzip_parse_root_directory
Starting program: /usr/local/zzip-fuzz/bin/zzdir c005-bus-zzip_parse_root_directory

Program received signal SIGBUS, Bus error.
__zzip_parse_root_directory (fd=3, trailer=trailer@entry=0x7fffffffe1f0, hdr_return=hdr_return@entry=0x603038, io=0x7ffff7dd5da0 <default_io>) at ../../zzip/zip.c:482
482	        if (! zzip_disk_entry_check_magic(d)) {
(gdb) bt
#0  __zzip_parse_root_directory (fd=3, trailer=trailer@entry=0x7fffffffe1f0, hdr_return=hdr_return@entry=0x603038, io=0x7ffff7dd5da0 <default_io>) at ../../zzip/zip.c:482
#1  0x00007ffff7bc6a72 in __zzip_dir_parse (dir=0x603010) at ../../zzip/zip.c:750
#2  zzip_dir_fdopen_ext_io (fd=<optimized out>, errcode_p=errcode_p@entry=0x7fffffffe26c, ext=<optimized out>, io=<optimized out>) at ../../zzip/zip.c:708
#3  0x00007ffff7bc72ee in zzip_dir_open_ext_io (filename=filename@entry=0x7fffffffe71c "c005-bus-zzip_parse_root_directory", e=e@entry=0x7fffffffe26c, ext=ext@entry=0x0, io=<optimized out>, io@entry=0x0) at ../../zzip/zip.c:830
#4  0x00007ffff7bce53b in zzip_opendir_ext_io (filename=0x7fffffffe71c "c005-bus-zzip_parse_root_directory", o_modes=0, ext=0x0, io=0x0) at ../../zzip/dir.c:292
#5  0x0000000000400d11 in main (argc=2, argv=<optimized out>) at ../../bins/zzdir.c:41
(gdb)

POC FILE: https://github.com/fantasy7082/image_test/blob/master/c005-bus-zzip_parse_root_directory

@stevebeattie

This was assigned CVE-2018-7726.

gdraheim added a commit that referenced this issue Mar 13, 2018
gdraheim added a commit that referenced this issue Mar 13, 2018
@gdraheim
Owner

fixed - checking rootseek to be positive

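The comment above describes the fix as a check that rootseek (the central directory offset taken from the end-of-central-directory record) is positive. On Linux, touching a memory-mapped file beyond the end of its backing file raises SIGBUS rather than SIGSEGV, which is consistent with an unchecked offset being used to address the directory. The following C program is an added example, not zziplib's code and not part of this issue: it locates the EOCD record of an in-memory archive, reads the central directory offset and size, and rejects an offset that is negative when widened to a signed file offset, or that lies at or past the EOCD, before any entry is read. The helper names, the status codes and the constructed one-entry archives are assumptions made for the example; the ZIP field layout is the standard one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-alone check modelled on the fix description
 * ("checking rootseek to be positive"); not zziplib's own code. */

#define EOCD_MAGIC      0x06054b50u   /* end-of-central-directory signature "PK\5\6" */
#define CDIR_MAGIC      0x02014b50u   /* central directory entry signature "PK\1\2" */
#define EOCD_LEN        22            /* fixed part of the EOCD record */
#define CDIR_ENTRY_LEN  46            /* fixed part of a central directory entry */

enum zip_status {
    ZIP_OK = 0,
    ZIP_NO_EOCD = -1,
    ZIP_BAD_ROOTSEEK = -2,   /* directory offset negative or at/past the EOCD */
    ZIP_BAD_ROOTSIZE = -3,   /* offset + size runs past the EOCD */
    ZIP_BAD_ENTRY = -4       /* entry magic, length or count does not fit */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Locate the EOCD record by scanning backwards (an archive comment may follow it). */
static long find_eocd(const uint8_t *buf, size_t len)
{
    if (len < EOCD_LEN) return -1;
    size_t i = len - EOCD_LEN + 1;
    while (i-- > 0)
        if (rd32(buf + i) == EOCD_MAGIC) return (long)i;
    return -1;
}

/* Validate the central ("root") directory fields of the EOCD record before any
 * entry is read, so a crafted offset is never dereferenced. buf/len is the whole
 * archive in memory (the equivalent of an mmap'd file). On success *entries
 * receives the number of directory entries walked. */
int check_root_directory(const uint8_t *buf, size_t len, unsigned *entries)
{
    long eocd = find_eocd(buf, len);
    if (eocd < 0) return ZIP_NO_EOCD;

    uint32_t rootsize = rd32(buf + eocd + 12);
    uint32_t rootseek = rd32(buf + eocd + 16);

    /* A 32-bit offset such as 0xFFFFFFF0 turns negative when widened into a signed
     * file offset, and anything at or beyond the EOCD points outside the file.
     * Both cases are rejected here instead of being seeked to or mapped. */
    if (rootseek > (uint32_t)INT32_MAX || (uint64_t)rootseek >= (uint64_t)eocd)
        return ZIP_BAD_ROOTSEEK;
    if ((uint64_t)rootseek + rootsize > (uint64_t)eocd)
        return ZIP_BAD_ROOTSIZE;

    /* Walk the directory strictly inside the validated window. */
    const uint8_t *d = buf + rootseek;
    const uint8_t *end = d + rootsize;
    unsigned n = 0;
    while (d < end) {
        if ((size_t)(end - d) < CDIR_ENTRY_LEN || rd32(d) != CDIR_MAGIC)
            return ZIP_BAD_ENTRY;
        size_t entry_len = CDIR_ENTRY_LEN + rd16(d + 28) + rd16(d + 30) + rd16(d + 32);
        if (entry_len > (size_t)(end - d))
            return ZIP_BAD_ENTRY;
        d += entry_len;
        n++;
    }
    if (n != rd16(buf + eocd + 10)) return ZIP_BAD_ENTRY;  /* total entries field */
    *entries = n;
    return ZIP_OK;
}

/* Constructed minimal archive: one central directory entry for a file named "a"
 * (no local header or data) followed by an EOCD carrying the given offset and
 * size. A well-formed instance uses rootseek = 0 and rootsize = 47. */
size_t build_archive(uint8_t *out, size_t cap, uint32_t rootseek, uint32_t rootsize)
{
    const size_t cdir_len = CDIR_ENTRY_LEN + 1;
    if (cap < cdir_len + EOCD_LEN) return 0;
    memset(out, 0, cdir_len + EOCD_LEN);
    wr32(out, CDIR_MAGIC);
    wr16(out + 28, 1);                  /* file name length */
    out[CDIR_ENTRY_LEN] = 'a';
    uint8_t *e = out + cdir_len;
    wr32(e, EOCD_MAGIC);
    wr16(e + 8, 1);                     /* entries on this disk */
    wr16(e + 10, 1);                    /* total entries */
    wr32(e + 12, rootsize);
    wr32(e + 16, rootseek);
    return cdir_len + EOCD_LEN;
}

/* Build the constructed archive with the given EOCD fields and check it. */
int check_constructed(uint32_t rootseek, uint32_t rootsize, unsigned *entries)
{
    uint8_t z[128];
    unsigned n = 0;
    size_t len = build_archive(z, sizeof z, rootseek, rootsize);
    int rc = check_root_directory(z, len, &n);
    if (entries) *entries = n;
    return rc;
}

int main(void)
{
    printf("well-formed:        %d\n", check_constructed(0, 47, NULL));
    printf("negative rootseek:  %d\n", check_constructed(0xFFFFFFF0u, 47, NULL));
    printf("rootseek past EOCD: %d\n", check_constructed(1000, 47, NULL));
    printf("rootsize too large: %d\n", check_constructed(0, 4096, NULL));
    return 0;
}
```

The offset check runs against the position of the EOCD record rather than the raw file length, because the central directory must precede its trailer; a value that merely fits inside the file but sits after the EOCD is just as invalid. The size check uses 64-bit arithmetic so that a large rootsize cannot wrap the sum back into range.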
@gdraheim gdraheim added this to the v0.13.69 release milestone Mar 13, 2018
gdraheim added a commit that referenced this issue Mar 15, 2018
@gdraheim
Owner

done.

@gdraheim gdraheim changed the title Bus error in __zzip_parse_root_directory (in zzip/zip.c:482) Bus error in __zzip_parse_root_directory (in zzip/zip.c:482) [CVE-2018-7726] Mar 28, 2018