-
Notifications
You must be signed in to change notification settings - Fork 204
Integer overflow with header_start += archive_offset when reading file with malformed header #234
Comments
The good news is that this issue could never affect any real archive 😄 The fuzzer's done a good job working through the library here. (It's also highlighted a few other minor bugs that I should fix, thankyou!) This specific crash occurs when a central directory record contains an (implausibly) large zip64 local header offset. The fix is simply adding https://github.com/zip-rs/zip/blob/3fd44ffd5da55c8d4c60b3a27a3156ce872a3caf/src/read.rs#L610 I'll minimize the test and add the fix for this soon |
I'll open a PR to add the fuzzer to the repo when I get off work, it does come in handy for finding issues. It can't affect any legitimate archives, but it can cause panics in services that receive untrusted archives and then tries to extract them (which probably isn't all that uncommon), which would be a denial of service (if the panic isn't caught and ignored, or they use panic=abort). |
Yes absolutely~ Fixing this is a high priority, I'm just happy that it isn't (a symptom of) anything more severe. I'm actually going to be following up on google/oss-fuzz#5400 in the next few days, which would have give much more resources to the fuzzing than I could otherwise. It'd be great to see the harness you used to catch this 😊 |
It was just #![no_main]
use libfuzzer_sys::fuzz_target;
fuzz_target!(|data: &[u8]| {
let reader = std::io::Cursor::new(data);
let mut archive = if let Ok(x) = zip::ZipArchive::new(reader) {
x
} else {
return;
};
for i in 0..archive.len() {
use std::io::prelude::*;
if let Ok(file) = archive.by_index(i) {
for b in file.bytes() {
if b.is_err() {
return;
}
}
}
}
}); Pretty basic, but also quite similar to the harness they showed. |
Ace, thankyou :) |
@5225225 Could you please check that the issue is still reproducible with the latest |
Confirmed that the issue still exists in the library. Working on the fix. |
Fix is here: #259 |
#259 is merged so I think the issue can be closed. |
Found through fuzzing.
Reproduction program (sorry for the large blob of bytes, I don't really understand the zip format enough to cut it down):
backtrace:
The text was updated successfully, but these errors were encountered: