undefined behaviour / invalid shiftleft in compress_bidder_init #547

Closed
hannob opened this Issue May 20, 2015 · 2 comments

@hannob
Contributor

hannob commented May 20, 2015

This file will trigger a shiftleft of 31 bytes of a signed 32-bit integer:
https://crashes.fuzzing-project.org/libarchive-undefined-shiftleft
(just two bytes - 1f 9d)

A shiftleft of the full size of a variable type is undefined in C. This can be seen by compiling libarchive with -fsanitize=undefined and trying to unpack the file (bsdtar -xf).

Here's the error message / crash dump:
libarchive/archive_read_support_filter_compress.c:244:22: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
#0 0x6a96b6 in compress_bidder_init /f/libarchive/libarchive/libarchive/archive_read_support_filter_compress.c:244:20
#1 0x5fe76a in choose_filters /f/libarchive/libarchive/libarchive/archive_read.c:598:8
#2 0x5ec8c2 in archive_read_open1 /f/libarchive/libarchive/libarchive/archive_read.c:512:7
#3 0x691b9c in archive_read_open_filenames /f/libarchive/libarchive/libarchive/archive_read_open_filename.c:152:10
#4 0x690407 in archive_read_open_filename /f/libarchive/libarchive/libarchive/archive_read_open_filename.c:109:9
#5 0x513532 in read_archive /f/libarchive/libarchive/tar/read.c:225:6
#6 0x51835b in tar_mode_x /f/libarchive/libarchive/tar/read.c:114:2
#7 0x4fee52 in main /f/libarchive/libarchive/tar/bsdtar.c:805:3
#8 0x7f1be89a4f9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
#9 0x442206 in _start (/f/libarchive/libarchive/bsdtar+0x442206)

SUMMARY: AddressSanitizer: undefined-behavior libarchive/archive_read_support_filter_compress.c:244
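The sanitizer line above is about `1 << 31` on a signed `int`: in C that shift is undefined because the result does not fit in `int`, and a shift by the full width (32 or more) is undefined for any 32-bit type. The following is an added example, not libarchive's code and not the fix in f0b1dbb; it shows the defined way to build bit values and masks from a width that may come from untrusted input (the sample header bytes `1f 9d` are constructed here to mirror the report's file, and `example_bid` is a hypothetical bidder, not `compress_bidder_init`).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not libarchive's code): bit helpers that avoid the
 * undefined behaviour this issue reports. The arithmetic is done on
 * uint32_t, where shifts by 0..31 are well defined, and the count is
 * range-checked so a shift by >= 32 is never executed. */

/* Returns the single bit 2^count, or 0 when count is out of range. */
uint32_t safe_bit(unsigned count) {
    if (count >= 32)                 /* shift by the full width is UB */
        return 0;
    return (uint32_t)1 << count;     /* defined for 0..31 */
}

/* Mask of the low `bits` bits, e.g. low_mask(16) == 0xFFFF.
 * (1 << bits) - 1 on a signed int would be UB at bits == 31 and at
 * bits == 32 on any 32-bit type; this version is defined everywhere. */
uint32_t low_mask(unsigned bits) {
    if (bits >= 32)
        return UINT32_MAX;
    return ((uint32_t)1 << bits) - 1u;
}

/* Hypothetical bidder (not compress_bidder_init): it only checks the
 * two magic bytes of the attached file and returns the number of bits
 * it matched, 0 if the header is too short or does not match. */
int example_bid(const unsigned char *buf, size_t len) {
    if (len < 2)
        return 0;
    if (buf[0] != 0x1f || buf[1] != 0x9d)
        return 0;
    return 16;
}

/* Stand-alone demo over a constructed two-byte header. */
int main(void) {
    const unsigned char sample[] = { 0x1f, 0x9d };   /* constructed */
    printf("bid = %d bits\n", example_bid(sample, sizeof sample));
    printf("safe_bit(31) = 0x%08x\n", safe_bit(31));
    printf("low_mask(31) = 0x%08x\n", low_mask(31));
    printf("safe_bit(32) = 0x%08x (rejected)\n", safe_bit(32));
    return 0;
}
```

Compiled with `-fsanitize=undefined`, this example stays silent where the original `int` shift reports "left shift of 1 by 31 places cannot be represented in type 'int'", which is the quickest way to confirm a fix of this kind.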

@kientzle kientzle self-assigned this Jul 14, 2015

@kientzle kientzle modified the milestone: 3.2 Aug 1, 2015

@kientzle

Contributor

kientzle commented Aug 9, 2015

Fixed in f0b1dbb

@kientzle kientzle closed this Aug 9, 2015

@petterreinholdtsen

petterreinholdtsen commented Jun 29, 2016

According to https://security-tracker.debian.org/tracker/CVE-2015-8932 this is a security issue with ID CVE-2015-8932.
