Package: libarchive13
Version: 3.2.2-3.1

bsdtar crashes on the attached LHA file:

  $ bsdtar -xOf oob.lha
  Segmentation fault

Valgrind says it's an out-of-bounds read when computing CRC:

  Invalid read of size 2
     at 0x4894AA6: lha_crc16.part.6 (archive_read_support_format_lha.c:1739)
     by 0x4897727: lha_crc16 (archive_read_support_format_lha.c:1701)
     by 0x4897727: lha_read_data_none (archive_read_support_format_lha.c:1429)
     by 0x4897727: archive_read_format_lha_read_data (archive_read_support_format_lha.c:1390)
     by 0x4875B8C: archive_read_data_into_fd (archive_read_data_into_fd.c:101)
     by 0x10D5BB: read_archive (read.c:369)
     by 0x10DCAC: tar_mode_x (read.c:112)
     by 0x10C2BB: main (bsdtar.c:809)
   Address 0x6ca56ce is 6 bytes after a block of size 65,536 alloc'd
     at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x487ABEC: file_open (archive_read_open_filename.c:358)
     by 0x4874DE9: archive_read_open1 (archive_read.c:479)
     by 0x487B0F6: archive_read_open_filenames (archive_read_open_filename.c:152)
     by 0x487B18C: archive_read_open_filename (archive_read_open_filename.c:109)
     by 0x10D321: read_archive (read.c:223)
     by 0x10DCAC: tar_mode_x (read.c:112)
     by 0x10C2BB: main (bsdtar.c:809)

  Process terminating with default action of signal 11 (SIGSEGV)
   Access not within mapped region at address 0x73B4000
     at 0x4894ABC: lha_crc16.part.6 (archive_read_support_format_lha.c:1740)
     by 0x4897727: lha_crc16 (archive_read_support_format_lha.c:1701)
     by 0x4897727: lha_read_data_none (archive_read_support_format_lha.c:1429)
     by 0x4897727: archive_read_format_lha_read_data (archive_read_support_format_lha.c:1390)
     by 0x4875B8C: archive_read_data_into_fd (archive_read_data_into_fd.c:101)
     by 0x10D5BB: read_archive (read.c:369)
     by 0x10DCAC: tar_mode_x (read.c:112)
     by 0x10C2BB: main (bsdtar.c:809)

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages libarchive13 depends on:
ii  libacl1     2.2.52-3+b1
ii  libbz2-1.0  1.0.6-8.1
ii  libc6       2.24-17
ii  liblz4-1    0.0~r131-2+b1
ii  liblzma5    5.2.2-1.3
ii  liblzo2-2   2.08-1.2+b2
ii  libnettle6  3.3-2
ii  libxml2     2.9.4+dfsg1-4
ii  zlib1g      1:1.2.8.dfsg-5

--
Jakub Wilk

Attachment: oob.lha
Description: application/lha
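
Added example, not part of the original report and not libarchive's code: the report does not state the root cause, but the trace shows a CRC pass running past the end of the 65,536-byte read buffer. The C below shows the general guard for that class of bug, clamping an untrusted, header-declared size to the bytes actually buffered before the CRC loop runs. The names `crc16_entry_chunk`, `declared` and `avail` are hypothetical, and the choice of CRC-16/ARC is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CRC-16/ARC: reflected polynomial 0xA001, initial value 0 (bitwise form). */
static uint16_t crc16_arc(uint16_t crc, const uint8_t *p, size_t len)
{
    while (len--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 1) ? (crc >> 1) ^ 0xA001 : crc >> 1);
    }
    return crc;
}

/*
 * Hypothetical guarded wrapper (assumption, not libarchive's API).
 * declared: untrusted remaining entry size taken from the archive header,
 *           kept signed as a parser might store it.
 * avail:    number of bytes really present in the read buffer.
 * Returns the number of bytes folded into *crc, or -1 if the size is invalid.
 */
static long crc16_entry_chunk(uint16_t *crc, const uint8_t *buf, size_t avail,
                              int64_t declared)
{
    if (declared < 0)
        return -1;              /* a negative size must never become a size_t */
    size_t n = avail;
    if ((uint64_t)declared < (uint64_t)n)
        n = (size_t)declared;   /* entry ends inside the buffer */
    /* otherwise n == avail: the CRC never walks past what was read */
    *crc = crc16_arc(*crc, buf, n);
    return (long)n;
}

int main(void)
{
    static const uint8_t data[] = "123456789";   /* constructed sample input */
    uint16_t crc = 0;
    /* Header claims 70000 bytes, buffer holds 9: only 9 are checksummed. */
    long used = crc16_entry_chunk(&crc, data, 9, 70000);
    printf("used=%ld crc=0x%04X\n", used, crc);
    crc = 0;
    /* Negative declared size is rejected before any read happens. */
    printf("rc=%ld\n", crc16_entry_chunk(&crc, data, 9, -1));
    return 0;
}
```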
