Bug 197017

Summary: segfault in unzip (libarchive) with malformed zip
Product: Base System
Reporter: Jeff <freebsd>
Component: bin
Assignee: Martin Matuska <mm>
Status: Closed FIXED
Severity: Affects Some People
CC: des, emaste, junovitch
Priority: ---
Keywords: patch
Version: 10.1-RELEASE
Hardware: Any
OS: Any
Attachments:
  zip that causes unzip to segfault (flags: none)

Description Jeff 2015-01-23 04:07:21 UTC
Created attachment 152045 [details]
zip that causes unzip to segfault

Running afl-fuzz on unzip I've run into the following -

0x00000008008877e8 in process_extra (p=0x802041022 "UT\t", extra_length=28, zip_entry=0x802055020) at /usr/src/lib/libarchive/../../contrib/libarchive/libarchive/archive_read_support_format_zip.c:1716
1716                                            gidsize = p[offset+2+uidsize];
Current language:  auto; currently minimal
(gdb) p offset
$1 = 17
(gdb) p uidsize
$2 = -124


% zipdetails out/crashes/id:000000,sig:11,src:000000,op:flip1,pos:52 

0000 LOCAL HEADER #1       04034B50
0004 Extract Zip Spec      0A '1.0'
0005 Extract OS            00 'MS-DOS'
0006 General Purpose Flag  0000
0008 Compression Method    0000 'Stored'
000A Last Mod Time         463718E0 'Fri Jan 23 03:07:00 2015'
000E CRC                   72051312
0012 Compressed Length     0000000F
0016 Uncompressed Length   0000000F
001A Filename Length       0004
001C Extra Length          001C
001E Filename              'test'
0022 Extra ID #0001        5455 'UT: Extended Timestamp'
0024   Length              0009
0026   Flags               '03 mod access'
0027   Mod Time            54C1BAD4 'Fri Jan 23 03:07:00 2015'
002B   Access Time         54C1BAD4 'Fri Jan 23 03:07:00 2015'
002F Extra ID #0002        7875 'ux: Unix Extra Type 3'
0031   Length              000B
0033   Version             01
0034   UID Size            84
Truncated file (got 120, wanted 132):
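The backtrace above shows the hazard in one line: the UID size byte of the ux field is 0x84, but read through a signed `char` it becomes -124, so `p[offset+2+uidsize]` indexes 105 bytes before the extra area. The following is an added example, not code from this report, the attachment, or libarchive: it computes the index the crashing expression produces, and beside that shows a parser for the ux (0x7875, Unix Extra Type 3) field that reads sizes as unsigned bytes and checks every index against the declared field length. The field layout (Version, UIDSize, UID, GIDSize, GID) is assumed from the Info-ZIP extra-field description; the sample byte arrays are constructed to mirror the zipdetails listing above and are not the attached file's contents.

```c
/* Added example, not code from the report or from libarchive.
 * Bounds-checked parsing of the "ux" (0x7875) ZIP extra field. Assumed layout
 * (Info-ZIP extra-field spec): Version(1) UIDSize(1) UID(n) GIDSize(1) GID(m).
 * All bytes are read as unsigned; every index is checked before it is used. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { UX_OK = 0, UX_NOT_PRESENT = 1, UX_TRUNCATED = -1,
       UX_BAD_VERSION = -2, UX_TOO_LARGE = -3 };

/* Index the crashing expression  p[offset + 2 + uidsize]  computes when the
 * size byte is loaded through a signed char (plain char is signed on FreeBSD
 * amd64, which is why gdb shows uidsize = -124 for the byte 0x84). */
long signed_char_index(long offset, unsigned char uidsize_byte)
{
    signed char uidsize = (signed char)uidsize_byte;   /* 0x84 -> -124 */
    return offset + 2 + uidsize;                        /* 17 + 2 - 124 = -105 */
}

/* Little-endian integer of n (<= 4) bytes; the caller has range-checked n. */
static uint32_t le_uint(const unsigned char *b, size_t n)
{
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint32_t)b[i] << (8 * i);
    return v;
}

/* Parse one ux field body of datasize bytes at d. */
int parse_ux_body(const unsigned char *d, size_t datasize,
                  uint32_t *uid, uint32_t *gid)
{
    size_t off = 0;
    if (datasize < 2) return UX_TRUNCATED;
    if (d[off++] != 1) return UX_BAD_VERSION;
    size_t uidsize = d[off++];                    /* unsigned: 0x84 is 132 */
    if (uidsize > datasize - off) return UX_TRUNCATED;  /* rejects the 0x84 case */
    if (uidsize > 4) return UX_TOO_LARGE;         /* wider than a 32-bit uid_t */
    *uid = le_uint(d + off, uidsize);
    off += uidsize;
    if (datasize - off < 1) return UX_TRUNCATED;
    size_t gidsize = d[off++];
    if (gidsize > datasize - off) return UX_TRUNCATED;
    if (gidsize > 4) return UX_TOO_LARGE;
    *gid = le_uint(d + off, gidsize);
    return UX_OK;
}

/* Walk the extra area (ID(2) Size(2) Data(Size) ...) and parse the first ux
 * field; each field's declared size is checked against the bytes remaining. */
int parse_extra_ux(const unsigned char *p, size_t extra_length,
                   uint32_t *uid, uint32_t *gid)
{
    size_t offset = 0;
    while (extra_length - offset >= 4) {
        unsigned id = p[offset] | (p[offset + 1] << 8);
        size_t datasize = p[offset + 2] | (p[offset + 3] << 8);
        offset += 4;
        if (datasize > extra_length - offset) return UX_TRUNCATED;
        if (id == 0x7875) return parse_ux_body(p + offset, datasize, uid, gid);
        offset += datasize;
    }
    return UX_NOT_PRESENT;
}

/* Constructed 28-byte extra area mirroring the zipdetails listing: a UT field,
 * then a ux field whose UID size byte is 0x84 (trailing bytes are filler; this
 * is not the attachment's content). */
static const unsigned char malformed_extra[28] = {
    0x55, 0x54, 0x09, 0x00, 0x03, 0xd4, 0xba, 0xc1, 0x54, 0xd4, 0xba, 0xc1, 0x54,
    0x75, 0x78, 0x0b, 0x00, 0x01, 0x84, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Constructed well-formed ux field: version 1, 4-byte uid 1000, 4-byte gid 1000. */
static const unsigned char wellformed_extra[15] = {
    0x75, 0x78, 0x0b, 0x00, 0x01, 0x04, 0xe8, 0x03, 0x00, 0x00,
    0x04, 0xe8, 0x03, 0x00, 0x00
};

int demo_malformed(void)
{
    uint32_t uid = 0, gid = 0;
    return parse_extra_ux(malformed_extra, sizeof malformed_extra, &uid, &gid);
}

/* uid / gid of the well-formed sample, or 0 if parsing fails. */
uint32_t demo_wellformed_uid(void)
{
    uint32_t uid = 0, gid = 0;
    return parse_extra_ux(wellformed_extra, sizeof wellformed_extra, &uid, &gid) == UX_OK ? uid : 0;
}

uint32_t demo_wellformed_gid(void)
{
    uint32_t uid = 0, gid = 0;
    return parse_extra_ux(wellformed_extra, sizeof wellformed_extra, &uid, &gid) == UX_OK ? gid : 0;
}

int main(void)
{
    printf("index a signed-char read would use: %ld\n", signed_char_index(17, 0x84));
    printf("malformed sample: rc=%d (UX_TRUNCATED is %d)\n", demo_malformed(), UX_TRUNCATED);
    printf("well-formed sample: uid=%u gid=%u\n", demo_wellformed_uid(), demo_wellformed_gid());
    return 0;
}
```

The two checks that matter are reading the size byte into an unsigned type and comparing it against `datasize - off` before using it as an index; with those in place the 0x84 byte is reported as a truncated field rather than turned into a negative offset.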
Comment 1 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2015-10-09 13:07:35 UTC
This is an issue in libarchive, see https://github.com/libarchive/libarchive
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2016-02-28 20:56:58 UTC
Jeff,
Has this been reported upstream yet?  It looks like libarchive 3.2 with the fixes is due out in mid-March and getting this reported to them so it's in the release would be great for all downstream libarchive users.  Thanks!
https://github.com/libarchive/libarchive/issues/610
Comment 4 Jason Unovitch freebsd_committer freebsd_triage 2016-07-03 22:23:21 UTC
(In reply to Jeff from comment #3)
That upstream commit would have been fixed as of https://svnweb.FreeBSD.org/changeset/base/299529.  Assign to committer that resolved for review and closure.