Package: bsdtar
Version: 3.1.2-10
Usertags: afl

bsdtar crashes on the attached file:

$ bsdtar tf crash
Segmentation fault

Valgrind says it's a buffer overflow:

==1866== Invalid write of size 1
==1866==    at 0x80ACC0D: next_code (archive_read_support_filter_compress.c:386)
==1866==    by 0x80AD780: compress_filter_read (archive_read_support_filter_compress.c:287)
==1866==    by 0x809134A: __archive_read_filter_ahead (archive_read.c:1275)
==1866==    by 0x80AAC78: bzip2_reader_bid (archive_read_support_filter_bzip2.c:134)
==1866==    by 0x808B65A: choose_filters (archive_read.c:562)
==1866==    by 0x808B65A: archive_read_open1 (archive_read.c:506)
==1866==    by 0x80A7F68: archive_read_open_filename (archive_read_open_filename.c:107)
==1866==    by 0x8053E33: read_archive (read.c:204)
==1866==    by 0x80558EB: tar_mode_t (read.c:86)
==1866==    by 0x804F408: main (bsdtar.c:798)
==1866==  Address 0x6283fec is 0 bytes after a block of size 261,980 alloc'd
==1866==    at 0x402B0D5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==1866==    by 0x80ACF28: compress_bidder_init (archive_read_support_filter_compress.c:219)
==1866==    by 0x808BDD3: choose_filters (archive_read.c:592)
==1866==    by 0x808BDD3: archive_read_open1 (archive_read.c:506)
==1866==    by 0x80A7F68: archive_read_open_filename (archive_read_open_filename.c:107)
==1866==    by 0x8053E33: read_archive (read.c:204)
==1866==    by 0x80558EB: tar_mode_t (read.c:86)
==1866==    by 0x804F408: main (bsdtar.c:798)
==1866==

This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
(available in Debian experimental)

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages bsdtar depends on:
ii  libacl1       2.2.52-2
ii  libarchive13  3.1.2-10
ii  libattr1      1:2.4.47-2
ii  libbz2-1.0    1.0.6-7+b2
ii  libc6         2.19-15
ii  liblzma5      5.1.1alpha+20120614-2+b3
ii  liblzo2-2     2.08-1.2
ii  libnettle4    2.7.1-5
ii  libxml2       2.9.2+dfsg1-3
ii  zlib1g        1:1.2.8.dfsg-2+b1

-- 
Jakub Wilk

Attachment: crash (binary data)