Buffer overrun when deleting file from archive #106

abbeycode · 2021-03-14T03:28:33Z

The overrun occurs on line 1100 of zip.c when running -[UZKArchive deleteFile:error:]:

size_comment = (uInt)strlen(comment);

You can get the exact stack trace by running the DeleteFileTests unit tests with the Address Sanitizer turned on. It looks like this happens for any file in an archive with no comment, because on line 1464 of UZKArchive it's allocating a zero-length buffer when there's no comment:

char *commentBuffer = (char*)malloc(unzipInfo.size_file_comment);

It should instead make the buffer NULL in that case.

Consider, in order to avoid any future errors like this that Xcode's capable of detecting, making a test plan that runs tests with each of the sanitizers turned on.

The text was updated successfully, but these errors were encountered:

…ility (Issue #106)

Fix #106

abbeycode added the bug label Mar 14, 2021

abbeycode added this to the v2.0 milestone Mar 14, 2021

abbeycode self-assigned this Mar 14, 2021

abbeycode added a commit that referenced this issue Mar 14, 2021

Fixed bug in -deleteFile:error: that causes a buffer overrun vulnerab…

86dd120

…ility (Issue #106)

abbeycode mentioned this issue Mar 14, 2021

Fix #106 #108

Merged

abbeycode added a commit that referenced this issue Mar 14, 2021

Merge pull request #108 from abbeycode/issue-106-buffer-overrun

22ffe84

Fix #106

abbeycode linked a pull request Mar 14, 2021 that will close this issue

Fix #106 #108

Merged

abbeycode closed this as completed Mar 14, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Buffer overrun when deleting file from archive #106

Buffer overrun when deleting file from archive #106

abbeycode commented Mar 14, 2021

Buffer overrun when deleting file from archive #106

Buffer overrun when deleting file from archive #106

Comments

abbeycode commented Mar 14, 2021