Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Invalid read in function copy_from_lzss_window() when unpacking malformed rar #521

Closed
kwrobot opened this issue Apr 11, 2015 · 1 comment

Comments

@kwrobot
Copy link

kwrobot commented Apr 11, 2015

Original issue 413 created by Google Code user hanno@hboeck.de on 2015-03-05T09:37:02.000Z:

Attached file will cause an invalid read access in the function copy_from_lzss_window(). This can be seen with address sanitizer or valgrind.

Found with american fuzzy lop.

Address Sanitizer crash dump:
==30812==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ed74 at pc 0x00000048f530 bp 0x7fffaf958c70 sp 0x7fffaf958430
READ of size 48 at 0x60200000ed74 thread T0
    #0 0x48f52f in __asan_memcpy (/mnt/ram/libarchive-master/bsdtar+0x48f52f)
    #1 0x624619 in copy_from_lzss_window /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:2888:7
    #2 0x61ddfd in read_data_compressed /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:2029:11
    #3 0x61ddfd in archive_read_format_rar_read_data /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:1025
    #4 0x5223cd in _archive_read_data_block /mnt/ram/libarchive-master/libarchive/archive_read.c:969:9
    #5 0x6c7d03 in archive_read_data_block /mnt/ram/libarchive-master/libarchive/archive_virtual.c:161:10
    #6 0x54a542 in copy_data /mnt/ram/libarchive-master/libarchive/archive_read_extract2.c:139:7
    #7 0x54a542 in archive_read_extract2 /mnt/ram/libarchive-master/libarchive/archive_read_extract2.c:101
    #8 0x4d2931 in read_archive /mnt/ram/libarchive-master/tar/read.c:361:9
    #9 0x4d3a83 in tar_mode_x /mnt/ram/libarchive-master/tar/read.c:104:2
    #10 0x4c8d94 in main /mnt/ram/libarchive-master/tar/bsdtar.c:805:3
    #11 0x7fd53b4abf9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #12 0x4c412c in _start (/mnt/ram/libarchive-master/bsdtar+0x4c412c)

0x60200000ed74 is located 0 bytes to the right of 4-byte region [0x60200000ed70,0x60200000ed74)
allocated by thread T0 here:
    #0 0x4a6d8e in realloc (/mnt/ram/libarchive-master/bsdtar+0x4a6d8e)
    #1 0x62726f in parse_codes /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:2295:18
    #2 0x617ea1 in read_data_compressed /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:1921:41
    #3 0x617ea1 in archive_read_format_rar_read_data /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:1025
    #4 0x5223cd in _archive_read_data_block /mnt/ram/libarchive-master/libarchive/archive_read.c:969:9
    #5 0x4d2931 in read_archive /mnt/ram/libarchive-master/tar/read.c:361:9
    #6 0x4d3a83 in tar_mode_x /mnt/ram/libarchive-master/tar/read.c:104:2
    #7 0x4c8d94 in main /mnt/ram/libarchive-master/tar/bsdtar.c:805:3
    #8 0x7fd53b4abf9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289

See attachment: bsdtar-invalid-read.rar
See attachment: bsdtar-invalid-read.rar.asan.txt

@kientzle
Copy link
Contributor

Commit 603454e adds checks here to reject requests to copy more data than is available in the decompression buffer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants