Thread
- [patch] fix use after free in ziptool / cat, Hanno Böck (2016/10/18 11:27:45)
- Re: [patch] fix use after free in ziptool / cat, Thomas Klausner (2016/10/18 11:32:36)
Message
Hi,

Attached is a malformed zip file that will expose a use after free bug in ziptool's cat functionality. Test with "ziptool [file] cat 0" (you may need to use a memory safety tool like address sanitizer to see this bug).

The problem is that zip_fclose is called on the file handler zf and then zip_file_strerror is called on zf after that. Switching the zip_fclose and the error message command should fix that, see attached patch.

This bug was found with the tool american fuzzy lop.

Please note that it only affects the command line tool ziptool, not the libzip library itself.

--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno%hboeck.de@localhost
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
--- a/src/ziptool.c 2016-10-07 12:13:42.000000000 +0200 +++ b/src/ziptool.c 2016-10-18 13:14:02.456389999 +0200 @@ -208,8 +208,8 @@ } } if (n == -1) { - zip_fclose(zf); fprintf(stderr, "can't read file at index '%" PRIu64 "': %s\n", idx, zip_file_strerror(zf)); + zip_fclose(zf); return -1; } if ((err = zip_fclose(zf)) != 0) {
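Review bot: the reordering is correct, because zip_file_strerror(zf) reads the error state stored in the zip_file_t that zip_fclose(zf) frees, so the string must be fetched before the close; however, the moved `zip_fclose(zf);` now discards its return value in this error path while the following line `if ((err = zip_fclose(zf)) != 0) {` checks it on the success path. That is acceptable here since the function already returns -1, but a one-line comment stating that the error message has to be read before the handle is closed would keep a later cleanup from swapping the two calls back and reintroducing the use-after-free.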
Attachment:
libzip-ziptool-use-after-free.zip
Description: Zip archive
Attachment:
pgp6t0UuX6xEp.pgp
Description: OpenPGP digital signature