Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-based buffer overflow WRITE in bz3_decode_block() #94

Closed
asarubbo opened this issue Mar 22, 2023 · 2 comments
Closed

heap-based buffer overflow WRITE in bz3_decode_block() #94

asarubbo opened this issue Mar 22, 2023 · 2 comments

Comments

@asarubbo
Copy link

By using the code from decompress-file

With:

./decompress_file $FILE

I get:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f6d6ec6c800 at pc 0x0000004a23aa bp 0x7ffe6a63f330 sp 0x7ffe6a63eb00
WRITE of size 3275521 at 0x7f6d6ec6c800 thread T0
    #0 0x4a23a9 in __asan_memcpy /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.7/work/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x7f6d72c49f9d in bz3_decode_block /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/libbz3.c:709:23
    #2 0x7f6d72c4e7a6 in bz3_decompress /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/libbz3.c:883:9
    #3 0x4dd3ac in main /root/bzip3/fuzz.c:43:17
    #4 0x7f6d7297e1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7f6d7297e2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #6 0x41d5c0 in _start (/usr/bin/bzip3_fuzz+0x41d5c0)

Full log and testcase:
bzip3.zip

@kspalaiologos
Copy link
Owner

Fixed in 33b1951.

@stevebeattie
Copy link

FYI, this issue was assigned CVE-2023-29421.

(I didn't assign the issue, I just noticed it while triaging new CVEs.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants