oss-sec mailing list archives
Re: unzip -t crasher
From: Murray McAllister <mmcallis () redhat com>
Date: Mon, 03 Nov 2014 14:37:04 +1100
On 11/03/2014 05:06 AM, Jakub Wilk wrote:
Latest American fuzzy lop[0] tarball[1] contains a zip file that crashes unzip -t: $ unzip -qt afl-0.43b/docs/samples/unzip_t_malloc.zip foo/: mismatching "local" filename (™/UT), continuing with "central" filename version *** Error in `unzip': free(): corrupted unsorted chunks: 0x00000000015d0170 *** I'm not sure if inclusion of said zip file was intentional, but since the cat is already out of the bag, I thought I'll let you know. [0] https://code.google.com/p/american-fuzzy-lop/ [1] http://lcamtuf.coredump.cx/afl.tgz
Hi,I had a quick look at unzip-6.0-12.fc20. It did not crash there for me but there are invalid reads and an invalid write.
For the invalid write, the problem may manifest here in memextract(): 2282 memcpy((char *)tgt, (char *)G.inptr, (extent)G.incnt); On my system, G.incnt was 52729. Cheers, -- Murray McAllister / Red Hat Product Security
Current thread:
- unzip -t crasher Jakub Wilk (Nov 02)
- Re: unzip -t crasher Dave Horsfall (Nov 02)
- Re: unzip -t crasher Murray McAllister (Nov 02)
- Re: unzip -t crasher mancha (Nov 02)
- Re: unzip -t crasher mancha (Nov 03)
- Re: unzip -t crasher mancha (Nov 03)
- Re: unzip -t crasher mancha (Nov 03)