Read zero page memory

[huanglei3]

lrzip-next Version

lzma 23.01(default)

lrzip-next command line

./lrzip-next -vvt file

What happened?

./lrzip-next -vvt poc
The following options are in effect for this INTEGRITY TEST.
Threading is ENABLED. Number of CPUs detected: 4
Detected 8,287,764,480 bytes ram
Nice Value: 19
Show Progress
Max Verbose
Test file integrity
Temporary Directory set as: /tmp/
Malloced 2,762,588,160 for tmp_outbuf
Detected lrzip version 0.6 file.
MD5 being used for integrity testing.
Validating file for consistency...[OK]
Detected lrzip version 0.6 file.
Decompressing...

Reading chunk_bytes at 24
Expected size: 8,324,128
Chunk byte width: 2
Reading eof flag at 25
EOF: 1
Reading expected chunksize at 26
Chunk size: 4,096
Reading stream 0 header at 29
Reading stream 1 header at 36
Reading ucomp header at 43
Fill_buffer stream 0 c_len 2 u_len 10 last_head 0
Starting thread 0 to decompress 2 bytes from stream 0
AddressSanitizer:DEADLYSIGNAL

==3820161==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f367294d769 bp 0x000000000002 sp 0x7f35c9cee600 T1)
==3820161==The signal is caused by a READ memory access.
==3820161==Hint: address points to the zero page.
#0 0x7f367294d768 in bz3_decode_block src/libbz3.c:619
#1 0x5647df109fe8 in bzip3_decompress_buf /home/tanzheng/fuzz_zip_next/lrzip-next/src/stream.c:632
#2 0x5647df109fe8 in ucompthread /home/tanzheng/fuzz_zip_next/lrzip-next/src/stream.c:1918
#3 0x7f367280e608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#4 0x7f36723e5132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/libbz3.c:619 in bz3_decode_block
Thread T1 created by T0 here:
#0 0x7f3672ad7815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
#1 0x5647df10edb9 in create_pthread /home/tanzheng/fuzz_zip_next/lrzip-next/src/stream.c:145

==3820161==ABORTING

What was expected behavior?

work well

Steps to reproduce

1.install bzip3
2.install lrzip-next
3.exec:./lrzip-next -vvt poc

Relevant log output

No response

Please provide system details

OS Distro:
Kernel Version (uname -a): Linux ubuntu 5.15.0-78-generic #85~20.04.1-Ubuntu SMP Mon Jul 17 09:42:39 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
System ram (free -h):
total used free shared buff/cache available
Mem: 7.7Gi 4.8Gi 546Mi 4.0Mi 2.4Gi 2.6Gi
Swap: 2.0Gi 1.0Mi 2.0Gi

Additional Context

you can download poc file from this link : https://github.com/huanglei3/lrzip-next-poc/tree/main

[pete4abw]

While I normally do not like to deal with files that lrzip-next did not create, this bug was interesting. The macro unlikely(v1) and unlikely(v2) macros did not function as predicted. This fix deals with your issue. We struggled over the years with protecting against bad data and this is one more fix...

diff --git a/src/stream.c b/src/stream.c
index 9d74383..00dd660 100644
--- a/src/stream.c
+++ b/src/stream.c
@@ -1491,11 +1491,12 @@ again:
                                print_err("Wrong password?\n");
                        goto failed;
                }
-               if (unlikely(v1)) {
+               /* protect again 0 length c_ and u_ len */
+               if (v1 < 1) {
                        print_err("Unexpected initial c_len %'"PRId64" in streams %'"PRId64"\n", v1, v2);
                        goto failed;
                }
-               if (unlikely(v2)) {
+               if (v2 < 1) {
                        print_err("Unexpected initial u_len %'"PRId64" in streams\n", v2);
                        goto failed;
                }