heap-buffer-overflow bug in buffer_new #17

Closed
gy741 opened this issue Dec 15, 2017 · 1 comment
gy741 commented Dec 15, 2017

Hello.

I found a heap-buffer-overflow bug in libzip.

Please confirm.

Thanks.

Summary: heap-buffer-overflow
OS: CentOS 7 64bit
Version: commit 17485a2
PoC Download: Ov_buffer_new.zip
Steps to reproduce:
1. Download the PoC files.
2. Compile the source code with ASan.
3. Execute the following command: ./ziptool $PoC cat index

=================================================================
==31998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000138 at pc 0x7f43e49cb855 bp 0x7ffc49d62410 sp 0x7ffc49d62408
WRITE of size 8 at 0x602000000138 thread T0
    #0 0x7f43e49cb854 in buffer_new /home/karas/libzip/lib/zip_source_buffer.c:465:46
    #1 0x7f43e49ca2d6 in zip_source_buffer_fragment_create /home/karas/libzip/lib/zip_source_buffer.c:133:19
    #2 0x7f43e49c9f35 in zip_source_buffer_create /home/karas/libzip/lib/zip_source_buffer.c:106:12
    #3 0x7f43e49c9f35 in zip_source_buffer /home/karas/libzip/lib/zip_source_buffer.c:89
    #4 0x7f43e49deddf in _zip_source_zip_new /home/karas/libzip/lib/zip_source_zip_new.c:101:9
    #5 0x7f43e49ba7a2 in zip_fopen_index_encrypted /home/karas/libzip/lib/zip_fopen_index_encrypted.c:50:14
    #6 0x515f3d in cat /home/karas/libzip/src/ziptool.c:181:13
    #7 0x51a5bf in dispatch /home/karas/libzip/src/ziptool.c:728:10
    #8 0x51a5bf in main /home/karas/libzip/src/ziptool.c:889
    #9 0x7f43e3679c04 in __libc_start_main (/lib64/libc.so.6+0x21c04)
    #10 0x41c10b in _start (/home/karas/libzip/build/src/ziptool+0x41c10b)

0x602000000139 is located 0 bytes to the right of 9-byte region [0x602000000130,0x602000000139)
allocated by thread T0 here:
    #0 0x4dfe6d in realloc /home/karas/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79
    #1 0x7f43e49cad94 in buffer_grow_fragments /home/karas/libzip/lib/zip_source_buffer.c:397:23
    #2 0x7f43e49cad94 in buffer_new /home/karas/libzip/lib/zip_source_buffer.c:441

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/karas/libzip/lib/zip_source_buffer.c:465:46 in buffer_new
==31998==ABORTING

[Acknowledgement]
This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]
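The trace above shows an 8-byte store in buffer_new landing just past the end of a region that buffer_grow_fragments had only just realloc'd. As an added illustration of the defensive pattern for that grow-then-store sequence (hypothetical code, not libzip's zip_source_buffer.c; the fragment_t, buffer_t and function names are assumptions), the capacity is sized in whole elements with overflow rejected up front, and the store is guarded by an explicit index-below-capacity invariant:

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical (data, length) fragment and its container. Illustrative only;
 * this is not libzip's zip_source_buffer.c. */
typedef struct { const uint8_t *data; uint64_t length; } fragment_t;
typedef struct { fragment_t *fragments; uint64_t nfragments, fragments_capacity; } buffer_t;

/* Grow the fragment array to hold at least `needed` elements.
 * Returns 0 on success, -1 on allocation failure or size overflow. */
static int grow_fragments_checked(buffer_t *b, uint64_t needed) {
    if (needed <= b->fragments_capacity) return 0;
    uint64_t cap = b->fragments_capacity ? b->fragments_capacity : 4;
    while (cap < needed) {
        if (cap > UINT64_MAX / 2) return -1;
        cap *= 2;
    }
    /* Size the block as elements * sizeof and reject overflow first: a realloc
       sized in the wrong unit means a later fragments[i] store lands outside
       the region, which is exactly what ASan flags as heap-buffer-overflow. */
    if (cap > SIZE_MAX / sizeof(fragment_t)) return -1;
    fragment_t *f = realloc(b->fragments, (size_t)cap * sizeof(fragment_t));
    if (f == NULL) return -1;
    b->fragments = f;
    b->fragments_capacity = cap;
    return 0;
}

/* Append a fragment; the store happens only after the index is proven to lie
   inside the allocated capacity. */
int buffer_append_fragment(buffer_t *b, const uint8_t *data, uint64_t length) {
    if (grow_fragments_checked(b, b->nfragments + 1) != 0) return -1;
    assert(b->nfragments < b->fragments_capacity);   /* invariant */
    b->fragments[b->nfragments].data = data;
    b->fragments[b->nfragments].length = length;
    b->nfragments++;
    return 0;
}

/* Self-check: append n fragments, then verify count, capacity and contents.
   Returns 1 on success, 0 on any failure. */
int buffer_selfcheck(uint64_t n) {
    static const uint8_t sample[1] = {0x50};   /* constructed input byte */
    buffer_t b = {0};
    int ok = 1;
    for (uint64_t i = 0; ok && i < n; i++) ok = buffer_append_fragment(&b, sample, i) == 0;
    ok = ok && b.nfragments == n && b.fragments_capacity >= n;
    for (uint64_t i = 0; ok && i < n; i++) ok = b.fragments[i].length == i;
    free(b.fragments);
    return ok;
}
```

Building this with -fsanitize=address and running buffer_selfcheck with a large n exercises several realloc growth steps without any ASan report, which is the behaviour the guarded store is meant to guarantee.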

dillof (Member) commented Dec 15, 2017

Thanks for the report, it should be fixed in commit e3e5573.

@0-wiz-0 0-wiz-0 closed this as completed Dec 18, 2017