oss-sec mailing list archives
Re: unzip -t crasher
From: mancha <mancha1 () zoho com>
Date: Mon, 3 Nov 2014 07:42:06 +0000
On Sun, Nov 02, 2014 at 07:06:40PM +0100, Jakub Wilk wrote:
> Latest American fuzzy lop[0] tarball[1] contains a zip file that crashes unzip -t:
>
> $ unzip -qt afl-0.43b/docs/samples/unzip_t_malloc.zip
> foo/: mismatching "local" filename (/UT),
> continuing with "central" filename version
> *** Error in `unzip': free(): corrupted unsorted chunks: 0x00000000015d0170 ***
>
> I'm not sure if inclusion of said zip file was intentional, but since the cat is already out of the bag, I thought I'll let you know.
Cats shouldn't be in bags, anyways.

The crasher has an OS/2 extra field that claims to have a compressed block size of 52735 bytes and an uncompressed block size of 127 bytes.

The attached patch against UnZip 6.0 ensures, within extra fields, size(compressed) <= size(uncompressed) and should fix this issue.

--mancha

PS If the attachment gets mangled, it's also at:
http://sf.net/projects/mancha/files/sec/unzip-6.0_overflow.diff
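As an added illustration of the check the reply describes (example code written for this page, not mancha's patch or UnZip's own code): the function below parses one OS/2 extra-field block using the layout given in PKWARE's APPNOTE for header ID 0x0009 (2-byte ID, 2-byte TSize, then BSize, CType, EACRC and the compressed block), which is assumed here, and refuses any field whose compressed block is larger than its declared uncompressed size, as with the 52735-byte / 127-byte field in the crasher. It also bounds TSize against the enclosing buffer so a truncated field is caught before the size words are even read. All constant, function and sample values are this example's own and are constructed, not taken from the crasher file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Extra-field block layout (APPNOTE): 2-byte header ID, 2-byte data size
 * (TSize), then TSize bytes of data. For the OS/2 extended-attribute field
 * (ID 0x0009) the data begins with BSize (4 bytes, uncompressed size),
 * CType (2 bytes) and EACRC (4 bytes), followed by the compressed block.
 * Names below are this example's own, not UnZip's. */
#define EB_HEADSIZE    4
#define EB_ID_OS2      0x0009
#define OS2_FIXED_LEN  10   /* BSize(4) + CType(2) + EACRC(4) */

enum eb_status { EB_OK = 0, EB_TRUNCATED, EB_BAD_SIZES, EB_NOT_OS2 };

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr16(unsigned char *p, uint16_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)(v >> 8);
}

static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)(v >> 24);
}

/* Validate one OS/2 extra-field block of eb_len bytes. The sizes are only
 * written to *ucsize / *csize when every check passes, so a caller never
 * allocates or copies using values taken from a rejected field. */
enum eb_status check_os2_extra_field(const unsigned char *eb, size_t eb_len,
                                     uint32_t *ucsize, uint32_t *csize)
{
    uint16_t tsize;
    uint32_t uc, c;

    if (eb_len < EB_HEADSIZE)
        return EB_TRUNCATED;
    if (rd16(eb) != EB_ID_OS2)
        return EB_NOT_OS2;
    tsize = rd16(eb + 2);
    /* TSize may not claim more bytes than the enclosing extra field holds... */
    if ((size_t)tsize > eb_len - EB_HEADSIZE)
        return EB_TRUNCATED;
    /* ...and must at least cover its own fixed sub-header. */
    if (tsize < OS2_FIXED_LEN)
        return EB_TRUNCATED;
    uc = rd32(eb + EB_HEADSIZE);                 /* BSize */
    c  = (uint32_t)tsize - OS2_FIXED_LEN;        /* bytes of compressed block */
    /* The check from the reply: the compressed block may not be larger than
     * the BSize-byte buffer it will be expanded into. */
    if (c > uc)
        return EB_BAD_SIZES;
    *ucsize = uc;
    *csize  = c;
    return EB_OK;
}

/* Build a constructed OS/2 extra field with the given sizes into buf.
 * Returns the total block length, or 0 if it does not fit. The payload is
 * zero-filled; only the size fields matter for the check. */
size_t build_os2_extra_field(unsigned char *buf, size_t buflen,
                             uint32_t ucsize, uint16_t csize)
{
    size_t total = EB_HEADSIZE + OS2_FIXED_LEN + (size_t)csize;
    if ((size_t)csize + OS2_FIXED_LEN > 0xffff || buflen < total)
        return 0;
    memset(buf, 0, total);
    wr16(buf, EB_ID_OS2);
    wr16(buf + 2, (uint16_t)(OS2_FIXED_LEN + csize));   /* TSize */
    wr32(buf + EB_HEADSIZE, ucsize);                     /* BSize */
    wr16(buf + EB_HEADSIZE + 4, 8);                      /* CType: 8 = deflated */
    /* EACRC left zero: not examined by this check */
    return total;
}

/* Convenience: build a field with the given sizes and run the check on it. */
enum eb_status check_sizes(uint32_t ucsize, uint16_t csize)
{
    static unsigned char buf[EB_HEADSIZE + OS2_FIXED_LEN + 0xffff];
    uint32_t uc = 0, c = 0;
    size_t n = build_os2_extra_field(buf, sizeof buf, ucsize, csize);
    if (n == 0)
        return EB_TRUNCATED;
    return check_os2_extra_field(buf, n, &uc, &c);
}

int main(void)
{
    /* The two sizes reported for the crasher: 52735 compressed, 127 uncompressed. */
    printf("crasher sizes -> %d (2 = EB_BAD_SIZES)\n", (int)check_sizes(127, 52735));
    /* A consistent field: 64 compressed bytes expanding to 96. */
    printf("sane sizes    -> %d (0 = EB_OK)\n", (int)check_sizes(96, 64));
    return 0;
}
```

The ordering matters: the TSize-versus-buffer bound runs before BSize is read, and the two sizes are handed back only after the compressed/uncompressed comparison succeeds, so there is no window in which a caller could size a buffer from an unchecked field.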
Attachment: unzip-6.0_overflow.diff