Invalid read in function copy_from_lzss_window() when unpacking malformed rar #521

Closed
kwrobot opened this Issue Apr 11, 2015 · 1 comment

kwrobot commented Apr 11, 2015

Original issue 413 created by Google Code user hanno@hboeck.de on 2015-03-05T09:37:02.000Z:

The attached file will cause an invalid read access in the function copy_from_lzss_window(). This can be seen with AddressSanitizer or valgrind.

Found with american fuzzy lop.

Address Sanitizer crash dump:
==30812==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ed74 at pc 0x00000048f530 bp 0x7fffaf958c70 sp 0x7fffaf958430
READ of size 48 at 0x60200000ed74 thread T0
    #0 0x48f52f in __asan_memcpy (/mnt/ram/libarchive-master/bsdtar+0x48f52f)
    #1 0x624619 in copy_from_lzss_window /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:2888:7
    #2 0x61ddfd in read_data_compressed /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:2029:11
    #3 0x61ddfd in archive_read_format_rar_read_data /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:1025
    #4 0x5223cd in _archive_read_data_block /mnt/ram/libarchive-master/libarchive/archive_read.c:969:9
    #5 0x6c7d03 in archive_read_data_block /mnt/ram/libarchive-master/libarchive/archive_virtual.c:161:10
    #6 0x54a542 in copy_data /mnt/ram/libarchive-master/libarchive/archive_read_extract2.c:139:7
    #7 0x54a542 in archive_read_extract2 /mnt/ram/libarchive-master/libarchive/archive_read_extract2.c:101
    #8 0x4d2931 in read_archive /mnt/ram/libarchive-master/tar/read.c:361:9
    #9 0x4d3a83 in tar_mode_x /mnt/ram/libarchive-master/tar/read.c:104:2
    #10 0x4c8d94 in main /mnt/ram/libarchive-master/tar/bsdtar.c:805:3
    #11 0x7fd53b4abf9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #12 0x4c412c in _start (/mnt/ram/libarchive-master/bsdtar+0x4c412c)

0x60200000ed74 is located 0 bytes to the right of 4-byte region [0x60200000ed70,0x60200000ed74)
allocated by thread T0 here:
    #0 0x4a6d8e in realloc (/mnt/ram/libarchive-master/bsdtar+0x4a6d8e)
    #1 0x62726f in parse_codes /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:2295:18
    #2 0x617ea1 in read_data_compressed /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:1921:41
    #3 0x617ea1 in archive_read_format_rar_read_data /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:1025
    #4 0x5223cd in _archive_read_data_block /mnt/ram/libarchive-master/libarchive/archive_read.c:969:9
    #5 0x4d2931 in read_archive /mnt/ram/libarchive-master/tar/read.c:361:9
    #6 0x4d3a83 in tar_mode_x /mnt/ram/libarchive-master/tar/read.c:104:2
    #7 0x4c8d94 in main /mnt/ram/libarchive-master/tar/bsdtar.c:805:3
    #8 0x7fd53b4abf9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289

See attachment: bsdtar-invalid-read.rar
See attachment: bsdtar-invalid-read.rar.asan.txt

@kientzle kientzle self-assigned this May 10, 2015

@kientzle kientzle added this to the 3.2.1 milestone Jun 17, 2016

Commit 603454e adds checks here to reject requests to copy more data than is available in the decompression buffer.

Contributor

kientzle commented Jun 19, 2016

Commit 603454e adds checks here to reject requests to copy more data than is available in the decompression buffer.

@kientzle kientzle closed this Jun 20, 2016
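As an added example that is not libarchive's code, this C routine shows the shape of the check kientzle describes: a copy out of a circular LZSS window that refuses any request longer than the window or the destination, so a malformed length (48 bytes against a 4-byte region, as in the ASan dump above) is rejected instead of read. The names lzss_win and copy_from_window and the 8-byte window contents are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libarchive's code: a bounds-checked copy out of a
 * circular LZSS window. lzss_win and copy_from_window are hypothetical
 * names chosen for this illustration. */
typedef struct {
    const uint8_t *buf;   /* circular window storage */
    size_t mask;          /* window size - 1; the size is a power of two */
} lzss_win;

/* Copy `len` bytes starting at window offset `start` into `dst`, which has
 * room for `dst_avail` bytes.  Returns bytes copied, or -1 when the request
 * is larger than the window or the destination.  Without this check a
 * malformed length goes straight to memcpy, which is how the report above
 * gets a 48-byte read out of a 4-byte region. */
long copy_from_window(const lzss_win *w, size_t start, size_t len,
                      uint8_t *dst, size_t dst_avail)
{
    size_t winsize = w->mask + 1;
    if (len > winsize || len > dst_avail)
        return -1;                             /* reject, do not over-read */
    start &= w->mask;
    size_t before_wrap = winsize - start;      /* bytes up to the window end */
    if (len <= before_wrap) {
        memcpy(dst, w->buf + start, len);
    } else {                                   /* the run wraps around */
        memcpy(dst, w->buf + start, before_wrap);
        memcpy(dst + before_wrap, w->buf, len - before_wrap);
    }
    return (long)len;
}

/* Exercise the checked copy on a constructed 8-byte window.  Returns 0 when
 * a wrapping copy yields the right bytes and oversized requests (48 bytes,
 * as in the report; or more than the destination holds) are refused. */
int checked_copy_selftest(void)
{
    static const uint8_t win[8] = {'a','b','c','d','e','f','g','h'};
    lzss_win w = { win, sizeof(win) - 1 };
    uint8_t out[8] = {0};
    if (copy_from_window(&w, 6, 4, out, sizeof out) != 4) return 1;
    if (memcmp(out, "ghab", 4) != 0) return 2;              /* wrapped copy */
    if (copy_from_window(&w, 0, 48, out, sizeof out) != -1) return 3;
    if (copy_from_window(&w, 0, 8, out, 4) != -1) return 4; /* dst too small */
    return 0;
}

int main(void)
{
    printf("selftest: %d\n", checked_copy_selftest());   /* prints 0 */
    return 0;
}
```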
