Invalid memory read on zip file in function trad_enc_decrypt_update() after entering empty password #523

Closed
kwrobot opened this Issue Apr 11, 2015 · 2 comments


kwrobot commented Apr 11, 2015

Original issue 415 created by Google Code user hanno@hboeck.de on 2015-03-06T11:03:58.000Z:

bsdtar will detect the attached zip file as password protected. When nothing is entered (just press enter), it will cause an invalid memory read access.

Found with american fuzzy lop.

==27792==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010800 at pc 0x6169dd bp 0x7ffff41b2ef0 sp 0x7ffff41b2ee0
READ of size 1 at 0x631000010800 thread T0
    #0 0x6169dc in trad_enc_decrypt_update libarchive/archive_read_support_format_zip.c:251
    #1 0x6169dc in zip_read_data_none libarchive/archive_read_support_format_zip.c:1159
    #2 0x6169dc in archive_read_format_zip_read_data libarchive/archive_read_support_format_zip.c:1797
    #3 0x4a342d in copy_data libarchive/archive_read_extract2.c:139
    #4 0x4a342d in archive_read_extract2 libarchive/archive_read_extract2.c:101
    #5 0x41c088 in read_archive tar/read.c:361
    #6 0x41d3ab in tar_mode_x tar/read.c:104
    #7 0x40d4d9 in main tar/bsdtar.c:805
    #8 0x7f83a55e6f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #9 0x412d3c (/data/fuzzretest/bsdtar+0x412d3c)

0x631000010800 is located 0 bytes to the right of 65536-byte region [0x631000000800,0x631000010800)
allocated by thread T0 here:
    #0 0x7f83a70cf6f7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x4a648c in file_open libarchive/archive_read_open_filename.c:358

See attachment: pwcrash.zip
See attachment: pwcrash.zip.asan.txt
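The trace above shows a one-byte read exactly at the end of a 65536-byte read buffer inside the traditional-encryption decrypt routine. As an added illustration (not libarchive's code and not the fix in commit eff35d4), the following implements the PKWARE "traditional" ZIP stream cipher that the function name suggests, with hypothetical names and both buffer lengths passed explicitly: the update routine processes at most min(in_len, out_len) bytes and reports the count, so an empty password or a short input buffer can never turn into a read past the end of the region.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Key state for PKWARE "traditional" ZIP encryption (ZipCrypto). */
struct trad_enc_ctx { uint32_t keys[3]; };

static uint32_t crc32_byte(uint32_t crc, uint8_t b) {
    crc ^= b;
    for (int i = 0; i < 8; i++)
        crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    return crc;
}

static void trad_enc_update_keys(struct trad_enc_ctx *c, uint8_t b) {
    c->keys[0] = crc32_byte(c->keys[0], b);
    c->keys[1] = (c->keys[1] + (c->keys[0] & 0xffu)) * 134775813u + 1u;
    c->keys[2] = crc32_byte(c->keys[2], (uint8_t)(c->keys[1] >> 24));
}

static uint8_t trad_enc_keystream_byte(const struct trad_enc_ctx *c) {
    uint32_t t = c->keys[2] | 2u;
    return (uint8_t)((t * (t ^ 1u)) >> 8);
}

/* An empty password is valid input: it simply leaves the fixed initial keys. */
void trad_enc_init(struct trad_enc_ctx *c, const char *pw, size_t pw_len) {
    c->keys[0] = 0x12345678u; c->keys[1] = 0x23456789u; c->keys[2] = 0x34567890u;
    for (size_t i = 0; i < pw_len; i++)
        trad_enc_update_keys(c, (uint8_t)pw[i]);
}

/* Process at most min(in_len, out_len) bytes and return that count, so
 * neither a short read buffer nor a short output buffer can be overrun.
 * decrypt != 0 decrypts, otherwise encrypts; the keys always advance on
 * plaintext, which is the only difference between the two directions. */
size_t trad_enc_update(struct trad_enc_ctx *c, const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_len, int decrypt) {
    size_t n = in_len < out_len ? in_len : out_len;
    for (size_t i = 0; i < n; i++) {
        uint8_t k = trad_enc_keystream_byte(c);
        uint8_t p = decrypt ? (uint8_t)(in[i] ^ k) : in[i];
        trad_enc_update_keys(c, p);
        out[i] = decrypt ? p : (uint8_t)(p ^ k);
    }
    return n;
}
```

A caller that compares the returned count against what it asked for can tell that the buffer, not the archive, limited the work, which is the condition a fuzzed input like pwcrash.zip exercises.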

kientzle commented May 16, 2015

Good find!

I believe this is completely fixed in commit eff35d4. I want to also add a test around this to make sure it doesn't recur.

@kientzle kientzle added this to the 3.2 milestone Aug 9, 2015

kientzle commented Apr 3, 2016

Deferring further work on this to 3.2.1.

@kientzle kientzle modified the milestones: 3.2.1, 3.2 Apr 3, 2016

@kientzle kientzle closed this Jun 20, 2016
