
From: Hanno Böck <hanno%hboeck.de@localhost>
To: libzip-discuss%nih.at@localhost
Subject: [patch] fix use after free in ziptool / cat
Date: Tue, 18 Oct 2016 13:22:43 +0200

Hi,

Attached is a malformed zip file that will expose a use after free bug
in ziptool's cat functionality. Test with "ziptool [file] cat 0" (you
may need to use a memory safety tool like address sanitizer to see this
bug).

The problem is that zip_fclose is called on the file handler zf and then
zip_file_strerror is called on zf after that. Switching the zip_fclose
and the error message command should fix that, see attached patch.

This bug was found with the tool american fuzzy lop. Please note that
it only affects the command line tool ziptool, not the libzip library
itself.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno%hboeck.de@localhost
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
--- a/src/ziptool.c     2016-10-07 12:13:42.000000000 +0200
+++ b/src/ziptool.c     2016-10-18 13:14:02.456389999 +0200
@@ -208,8 +208,8 @@
        }
     }
     if (n == -1) {
-       zip_fclose(zf);
        fprintf(stderr, "can't read file at index '%" PRIu64 "': %s\n", idx, 
zip_file_strerror(zf));
+       zip_fclose(zf);
        return -1;
     }
     if ((err = zip_fclose(zf)) != 0) {
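Review bot: after the swap, the error path discards the return value of zip_fclose(zf) while the success path immediately below still checks it (`if ((err = zip_fclose(zf)) != 0)`); since this path returns -1 regardless, that is defensible, but cast it to void or reuse the same check so the two close calls read consistently. The reordering itself is the right fix: zip_file_strerror(zf) reads error state stored inside the zip_file_t, so it must run before zip_fclose(zf) releases the handle. Also note the fprintf line is wrapped after `idx, ` as quoted here, most likely by the mailer, so confirm the patch applies cleanly before committing it.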

Attachment: libzip-ziptool-use-after-free.zip
Description: Zip archive

Attachment: pgp6t0UuX6xEp.pgp
Description: OpenPGP digital signature
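As an added example, not part of the original message and not libzip code, the close-then-strerror ordering bug and its fix modelled on a small stand-in handle whose error text, like the string returned by zip_file_strerror(), lives inside the handle and dies with the close call. The names fh_open, fh_read, fh_strerror, fh_close, cat_buggy_order, cat_fixed_order and cat_fixed_demo are hypothetical stand-ins for the libzip calls in ziptool, and the "constructed read error" text is constructed input. The buggy variant is kept only for comparison and is never called, because it dereferences freed memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical stand-in for libzip's zip_file_t (not libzip code).
 * As with the real handle, the last-error message is owned by the
 * handle, so the pointer returned by fh_strerror() is only valid
 * while the handle is still open.
 */
typedef struct {
    char errmsg[64];   /* last error text, owned by the handle */
    int fail_reads;    /* constructed input: 1 = every read fails */
} file_handle;

static file_handle *fh_open(int fail_reads)
{
    file_handle *zf = calloc(1, sizeof *zf);
    if (zf != NULL)
        zf->fail_reads = fail_reads;
    return zf;
}

/* Model of zip_fread(): returns bytes read, or -1 and records an error. */
static long fh_read(file_handle *zf, char *buf, size_t len)
{
    if (zf->fail_reads) {
        snprintf(zf->errmsg, sizeof zf->errmsg, "constructed read error");
        return -1;
    }
    memset(buf, 'A', len);
    return (long)len;
}

/* Model of zip_file_strerror(): points into the handle's own storage. */
static const char *fh_strerror(const file_handle *zf)
{
    return zf->errmsg[0] != '\0' ? zf->errmsg : "No error";
}

/* Model of zip_fclose(): releases the handle; touching zf afterwards is a UAF. */
static int fh_close(file_handle *zf)
{
    memset(zf, 0, sizeof *zf);   /* poison so misuse is visible even without ASan */
    free(zf);
    return 0;
}

/*
 * Ordering from the unpatched ziptool: close first, then ask the dead
 * handle for its error string. Never called here.
 */
static int cat_buggy_order(int fail_reads, char *msg, size_t msglen)
{
    file_handle *zf = fh_open(fail_reads);
    char buf[16];
    if (zf == NULL)
        return -1;
    if (fh_read(zf, buf, sizeof buf) == -1) {
        fh_close(zf);                                                   /* handle freed ... */
        snprintf(msg, msglen, "can't read file: %s", fh_strerror(zf));  /* ... then read: UAF */
        return -1;
    }
    return fh_close(zf);
}

/*
 * Ordering the patch introduces: consume the error text while the handle
 * is alive, copy it into caller-owned storage, and only then close.
 */
static int cat_fixed_order(int fail_reads, char *msg, size_t msglen)
{
    file_handle *zf = fh_open(fail_reads);
    char buf[16];
    if (zf == NULL)
        return -1;
    if (fh_read(zf, buf, sizeof buf) == -1) {
        snprintf(msg, msglen, "can't read file: %s", fh_strerror(zf));
        fh_close(zf);   /* safe: msg no longer depends on zf */
        return -1;
    }
    snprintf(msg, msglen, "read %zu bytes", sizeof buf);
    return fh_close(zf);
}

/* Runs the fixed path with the message captured in a static buffer for checking. */
static char last_msg[128];
static int cat_fixed_demo(int fail_reads)
{
    return cat_fixed_order(fail_reads, last_msg, sizeof last_msg);
}

int main(void)
{
    (void)cat_buggy_order;   /* referenced only so the comparison variant compiles */
    printf("rc=%d msg=\"%s\"\n", cat_fixed_demo(1), last_msg);
    printf("rc=%d msg=\"%s\"\n", cat_fixed_demo(0), last_msg);
    return 0;
}
```

The general rule the patch applies is that anything derived from a handle's internal state (error strings, names, pointers into its buffers) must be read, or copied out, before the call that frees the handle; building the message into a caller-owned buffer first is the version of that rule that stays safe even if the message is needed after the close.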
