undefined behaviour / invalid shiftleft in compress_bidder_init #547

Closed
hannob opened this issue May 20, 2015 · 2 comments

@hannob
Contributor

commented May 20, 2015

This file will trigger a shift-left of 31 bytes of a signed 32-bit integer:
https://crashes.fuzzing-project.org/libarchive-undefined-shiftleft
(just two bytes - 1f 9d)

A shift-left of the full size of a variable type is undefined in C. This can be seen by compiling libarchive with -fsanitize=undefined and trying to unpack the file (bsdtar -xf).

Here's the error message / crash dump:
libarchive/archive_read_support_filter_compress.c:244:22: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
#0 0x6a96b6 in compress_bidder_init /f/libarchive/libarchive/libarchive/archive_read_support_filter_compress.c:244:20
#1 0x5fe76a in choose_filters /f/libarchive/libarchive/libarchive/archive_read.c:598:8
#2 0x5ec8c2 in archive_read_open1 /f/libarchive/libarchive/libarchive/archive_read.c:512:7
#3 0x691b9c in archive_read_open_filenames /f/libarchive/libarchive/libarchive/archive_read_open_filename.c:152:10
#4 0x690407 in archive_read_open_filename /f/libarchive/libarchive/libarchive/archive_read_open_filename.c:109:9
#5 0x513532 in read_archive /f/libarchive/libarchive/tar/read.c:225:6
#6 0x51835b in tar_mode_x /f/libarchive/libarchive/tar/read.c:114:2
#7 0x4fee52 in main /f/libarchive/libarchive/tar/bsdtar.c:805:3
#8 0x7f1be89a4f9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
#9 0x442206 in _start (/f/libarchive/libarchive/bsdtar+0x442206)

SUMMARY: AddressSanitizer: undefined-behavior libarchive/archive_read_support_filter_compress.c:244
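The pattern behind the sanitizer report, as an added example that is not part of the issue and is not libarchive's compress_bidder_init (it does not reproduce the code at line 244 or the fix in f0b1dbb). It models a .Z header check whose byte reader signals end of input with -1, which is an assumption about how a shift count of 31 can arise from a two-byte "1f 9d" file: masking -1 with 0x1f gives 31, and 1 << 31 overflows a 32-bit int. The names zhdr, read_byte, parse_compress_header and the wrappers are hypothetical, and the sample inputs are constructed. The hardened parser rejects truncation before masking, range-checks the bit count against the 9..16 range compress(1) uses, and shifts in unsigned arithmetic.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a compress(1) ".Z" header check, written for this
 * page. NOT libarchive's code; names are hypothetical, inputs constructed. */

#define COMPRESS_MAGIC0 0x1f
#define COMPRESS_MAGIC1 0x9d
#define COMPRESS_MIN_BITS 9    /* compress(1) -b range is 9..16 */
#define COMPRESS_MAX_BITS 16

struct zhdr {
    unsigned max_bits;   /* low 5 bits of the third header byte */
    int block_mode;      /* bit 7 of the third header byte */
    uint32_t maxcode;    /* 1 << max_bits, computed in unsigned arithmetic */
};

/* Byte reader that signals end of input with -1 (assumption: this is how
 * an EOF sentinel can reach the shift in a getbits()-style helper). */
static int read_byte(const uint8_t *buf, size_t len, size_t *pos)
{
    if (*pos >= len)
        return -1;
    return buf[(*pos)++];
}

/* Does (1 << shift) overflow a signed int? It does as soon as the 1 lands
 * on the sign bit, i.e. shift >= 31 on a 32-bit int. */
int int_shift_is_ub(unsigned shift)
{
    return shift >= (unsigned)(sizeof(int) * CHAR_BIT - 1);
}

/* The unsafe pattern, isolated so it can be inspected without executing the
 * undefined shift: masking an EOF sentinel of -1 with 0x1f yields 31. */
unsigned unchecked_bit_count(int code)
{
    return (unsigned)(code & 0x1f);
}

/* Hardened parse. Returns 0 on success, -1 bad magic, -2 truncated,
 * -3 bit count out of range. */
int parse_compress_header(const uint8_t *buf, size_t len, struct zhdr *out)
{
    size_t pos = 0;
    int c;

    if (read_byte(buf, len, &pos) != COMPRESS_MAGIC0)
        return -1;
    if (read_byte(buf, len, &pos) != COMPRESS_MAGIC1)
        return -1;

    c = read_byte(buf, len, &pos);
    if (c < 0)                    /* the two-byte "1f 9d" file stops here */
        return -2;

    out->max_bits = (unsigned)c & 0x1f;
    out->block_mode = (c & 0x80) != 0;
    if (out->max_bits < COMPRESS_MIN_BITS || out->max_bits > COMPRESS_MAX_BITS)
        return -3;

    out->maxcode = (uint32_t)1 << out->max_bits;   /* defined for any shift < 32 */
    return 0;
}

/* Wrappers returning one result each. */
int parse_rc(const uint8_t *buf, size_t len)
{
    struct zhdr h;
    return parse_compress_header(buf, len, &h);
}

uint32_t parse_maxcode(const uint8_t *buf, size_t len)
{
    struct zhdr h;
    return parse_compress_header(buf, len, &h) == 0 ? h.maxcode : 0;
}

/* Constructed inputs. */
const uint8_t SAMPLE_TRUNCATED[2] = { 0x1f, 0x9d };        /* the issue's two bytes */
const uint8_t SAMPLE_GOOD[3]      = { 0x1f, 0x9d, 0x90 };  /* block mode, 16 bits */
const uint8_t SAMPLE_BAD_BITS[3]  = { 0x1f, 0x9d, 0x9f };  /* 31 bits: out of range */

int main(void)
{
    printf("EOF sentinel -1 masked with 0x1f -> %u; UB as int shift: %d\n",
           unchecked_bit_count(-1), int_shift_is_ub(unchecked_bit_count(-1)));
    printf("truncated rc=%d, good rc=%d maxcode=%u, bad bits rc=%d\n",
           parse_rc(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED),
           parse_rc(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           parse_maxcode(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           parse_rc(SAMPLE_BAD_BITS, sizeof SAMPLE_BAD_BITS));
    return 0;
}
```

Building this with -fsanitize=undefined stays silent because the 1 << 31 path is never executed; the check that matters is the early return on a negative read, before the value is masked into a shift count.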

@kientzle kientzle self-assigned this Jul 14, 2015

@kientzle kientzle modified the milestone: 3.2 Aug 1, 2015

@kientzle

Contributor

commented Aug 9, 2015

Fixed in f0b1dbb

@kientzle kientzle closed this Aug 9, 2015

@petterreinholdtsen


commented Jun 29, 2016

According to https://security-tracker.debian.org/tracker/CVE-2015-8932 this is a security issue with ID CVE-2015-8932.
