Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Invalid memory read on zip file in function trad_enc_decrypt_update() after entering empty password #523

Closed
kwrobot opened this issue Apr 11, 2015 · 2 comments

Comments

Projects
None yet
2 participants
@kwrobot
Copy link

commented Apr 11, 2015

Original issue 415 created by Google Code user hanno@hboeck.de on 2015-03-06T11:03:58.000Z:

bsdtar will detect the attached zip file as password protected. When entering nothing (just press enter) it will cause an invalid memory read access.

Found with american fuzzy lop.

==27792==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010800 at pc 0x6169dd bp 0x7ffff41b2ef0 sp 0x7ffff41b2ee0
READ of size 1 at 0x631000010800 thread T0
    #0 0x6169dc in trad_enc_decrypt_update libarchive/archive_read_support_format_zip.c:251
    #1 0x6169dc in zip_read_data_none libarchive/archive_read_support_format_zip.c:1159
    #2 0x6169dc in archive_read_format_zip_read_data libarchive/archive_read_support_format_zip.c:1797
    #3 0x4a342d in copy_data libarchive/archive_read_extract2.c:139
    #4 0x4a342d in archive_read_extract2 libarchive/archive_read_extract2.c:101
    #5 0x41c088 in read_archive tar/read.c:361
    #6 0x41d3ab in tar_mode_x tar/read.c:104
    #7 0x40d4d9 in main tar/bsdtar.c:805
    #8 0x7f83a55e6f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #9 0x412d3c (/data/fuzzretest/bsdtar+0x412d3c)

0x631000010800 is located 0 bytes to the right of 65536-byte region [0x631000000800,0x631000010800)
allocated by thread T0 here:
    #0 0x7f83a70cf6f7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x4a648c in file_open libarchive/archive_read_open_filename.c:358

See attachment: pwcrash.zip
See attachment: pwcrash.zip.asan.txt

@kientzle

This comment has been minimized.

Copy link
Contributor

commented May 16, 2015

Good find!

I believe this is completely fixed in commit eff35d4. I want to also add a test around this to make sure it doesn't recur.

@kientzle kientzle added this to the 3.2 milestone Aug 9, 2015

@kientzle

This comment has been minimized.

Copy link
Contributor

commented Apr 3, 2016

Deferring further work on this to 3.2.1.

@kientzle kientzle modified the milestones: 3.2.1, 3.2 Apr 3, 2016

@kientzle kientzle closed this Jun 20, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.