heap-buffer-overflow in bz3_decompress() #97
Comments
That input file is malformed:
The malformation is properly caught by bzip3 tool:
src/main.c of the bzip3 tool first expects the "BZ3v1" magic string and then 4 bytes of a little-endian unsigned integer. By contrast, examples/decompress-file.c has a very naive parser which blindly interprets the first sizeof(size_t) bytes as a size_t value. It does not consider that the size and endianness of size_t differ among platforms.
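The header layout described in the comment above (5-byte "BZ3v1" magic, then a 4-byte little-endian block size), parsed portably and with the bounds checks a caller would want, as an added example. This is not code from bzip3 or from examples/decompress-file.c; the `parse_bz3_header`, `read_le32` and `naive_size` names are mine, the sample headers are constructed, and the 65 KiB to 511 MiB block-size range is assumed from `bz3_new`'s documented limits (check it against the library version you ship).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout as described in the thread: "BZ3v1" then a 4-byte little-endian
 * unsigned block size. Added example, not the project's own code. */
#define BZ3_MAGIC     "BZ3v1"
#define BZ3_MAGIC_LEN 5
#define BZ3_HDR_LEN   (BZ3_MAGIC_LEN + 4)

/* Assumed bounds, taken from bz3_new's documented range (65 KiB .. 511 MiB). */
#define BZ3_MIN_BLOCK (65u * 1024u)
#define BZ3_MAX_BLOCK (511u * 1024u * 1024u)

enum hdr_status {
    HDR_OK = 0,
    HDR_ENULL = -1,   /* NULL buffer or output pointer */
    HDR_ESHORT = -2,  /* input shorter than the fixed header */
    HDR_EMAGIC = -3,  /* magic string mismatch */
    HDR_ERANGE = -4   /* block size outside the library's accepted range */
};

/* Assemble the integer byte by byte: independent of host endianness and of sizeof(size_t). */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the header; on success store the block size and return HDR_OK. */
int parse_bz3_header(const uint8_t *buf, size_t len, uint32_t *block_size) {
    if (buf == NULL || block_size == NULL) return HDR_ENULL;
    if (len < BZ3_HDR_LEN) return HDR_ESHORT;
    if (memcmp(buf, BZ3_MAGIC, BZ3_MAGIC_LEN) != 0) return HDR_EMAGIC;
    uint32_t bs = read_le32(buf + BZ3_MAGIC_LEN);
    if (bs < BZ3_MIN_BLOCK || bs > BZ3_MAX_BLOCK) return HDR_ERANGE;
    *block_size = bs;
    return HDR_OK;
}

/* The pattern the comment criticises: copy the first sizeof(size_t) bytes of the
 * file straight into a size_t. The result depends on the host's word size and
 * endianness and, on a real archive, is the magic string itself. For contrast only. */
size_t naive_size(const uint8_t *buf, size_t len) {
    size_t s = 0;
    if (buf != NULL && len >= sizeof s) memcpy(&s, buf, sizeof s);
    return s;
}

/* Constructed sample headers (not real archives). */
static const uint8_t sample_good[]     = { 'B','Z','3','v','1', 0x00, 0x00, 0x00, 0x01 }; /* 16 MiB */
static const uint8_t sample_badmagic[] = { 'B','Z','3','v','9', 0x00, 0x00, 0x00, 0x01 };
static const uint8_t sample_huge[]     = { 'B','Z','3','v','1', 0xFF, 0xFF, 0xFF, 0xFF }; /* 4 GiB - 1 */

int main(void) {
    uint32_t bs = 0;
    int rc = parse_bz3_header(sample_good, sizeof sample_good, &bs);
    printf("good header: status %d, block size %u\n", rc, (unsigned)bs);
    printf("bad magic:   status %d\n", parse_bz3_header(sample_badmagic, sizeof sample_badmagic, &bs));
    printf("oversized:   status %d\n", parse_bz3_header(sample_huge, sizeof sample_huge, &bs));
    printf("naive read of the same bytes: %zu\n", naive_size(sample_good, sizeof sample_good));
    return 0;
}
```

The naive read returns a value built from the ASCII bytes of "BZ3v1", not the encoded size, on every platform; whatever it returns then sizes the output allocation, which is how a malformed or merely mis-parsed header turns into an out-of-bounds write downstream.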
@ppisar your analysis is perfect and in other words that means that the library is not strong enough to survive malformed inputs
examples/decompress-file.c is not the library. I cannot comment on the library because I did not study it.
Because the example code does not check for memory allocation failures, for reasons mentioned before, I am marking this issue as invalid. Please consider further testing your findings to make sure that they are an actual issue in the library, not a problem caused by contract violations - ideally problems that can be reproduced with regular
Further SAIS-related fuzzing and issues are welcome.
I respect your opinion but let me say that I have seen a lot of CVEs assigned for similar cases. When you can crash a library in this way by using its API, usually it is a library fault.
Contract violations are not bugs in the library. By this logic, the C standard library crashing when you try to seek on a The example code is not a part of the library. It is not distributed in the release tarballs (see https://github.com/kspalaiologos/bzip3/blob/master/Makefile.am#L1). You have not found an issue in bzip3 v1.2.3 because the file
I'm pretty sure we are talking about different things. The full reproduction command is:
I don't understand why you are talking about a missing file. I see that the issue happens on
notice: it is impossible to determine whether the buffer passed to
notice:
I think bz3_decompress() and other high-level functions could check all the passed pointers for NULL and return BZ3_ERR_INIT if there is any. Not superproof, but helps to discover programming mistakes early.
On v1.2.3, reproducible via
examples/decompress-file.c
Testcase:
6.crashes.bz3.zip
If you want to make a new tag, I will test if the bfa5bf8 works as expected