Re: unzip -t crasher

[Murray McAllister <mmcallis () redhat com>]

On 11/03/2014 05:06 AM, Jakub Wilk wrote:
> Latest American fuzzy lop[0] tarball[1] contains a zip file that crashes
> unzip -t:
>
> $ unzip -qt afl-0.43b/docs/samples/unzip_t_malloc.zip
> foo/:  mismatching "local" filename (™/UT),
>          continuing with "central" filename version
> *** Error in `unzip': free(): corrupted unsorted chunks:
> 0x00000000015d0170 ***
>
> I'm not sure if inclusion of said zip file was intentional, but since
> the cat is already out of the bag, I thought I'll let you know.
>
> [0] https://code.google.com/p/american-fuzzy-lop/
> [1] http://lcamtuf.coredump.cx/afl.tgz

Hi,

I had a quick look at unzip-6.0-12.fc20. It did not crash there for me 
but there are invalid reads and an invalid write.

For the invalid write, the problem may manifest here in memextract():

2282             memcpy((char *)tgt, (char *)G.inptr, (extent)G.incnt);

On my system, G.incnt was 52729.

Cheers,

--
Murray McAllister / Red Hat Product Security