oss-sec mailing list archives
Buffer Overflow in lha compression utility
From: Paris Zoumpouloglou <pariszoump () gmail com>
Date: Mon, 18 Jan 2016 11:17:53 +0200
== Overview == LHA for UNIX (https://osdn.jp/projects/lha/) is an open source implementation of the LHA compression utility and associated file format. == Version == All tests were performed using the latest 20b6ba8 commit of the master branch from https://osdn.jp/projects/lha/scm/git/lha/ == Details == Using the afl fuzzer, two cases which triggered a buffer overflow where discovered. The problem existed in header.c:797-800 and header.c:913-916 while parsing level0 and level1 headers accordingly. =797-800= hdr->header_size = header_size = get_byte(); checksum = get_byte(); if (fread(data + COMMON_HEADER_SIZE, header_size + 2 - COMMON_HEADER_SIZE, 1, fp) == 0) { error("Invalid header (LHarc file ?)"); return FALSE; /* finish */ } =913-916= hdr->header_size = header_size = get_byte(); checksum = get_byte(); if (fread(data + COMMON_HEADER_SIZE, header_size + 2 - COMMON_HEADER_SIZE, 1, fp) == 0) { error("Invalid header (LHarc file ?)"); return FALSE; /* finish */ } The header_size variable is determined from the first byte of the lha archive header, which is read by the get_byte function. The returned value is used in: header_size + 2 - COMMON_HEADER_SIZE to determine the elements' size used in fread() . If the header_size is less than abs(2 - COMMON_HEADER_SIZE) = abs(2 - 21) = 19 then the size parameter is overflowed and a buffer overflow occurs in fread. == Timeline == 2016-01-13 - Bug report submitted 2016-01-16 - Bug fix pushed to master (commit bf2471f)
Current thread:
- Buffer Overflow in lha compression utility Paris Zoumpouloglou (Jan 18)
- Re: Buffer Overflow in lha compression utility cve-assign (Jan 18)
- Re:[oss-security] Re: Buffer Overflow in lha compression utility xiaoqixue_1 (Jan 19)
- Re: an out of bound read is found in libdwarf -20151114 cve-assign (Jan 28)
- a bug in gif2rgb.c in giflib-5.1.2 xiaoqixue_1 (Jan 26)
- Re: a bug in gif2rgb.c in giflib-5.1.2 cve-assign (Jan 26)
- Re:[oss-security] Re: a bug in gif2rgb.c in giflib-5.1.2 xiaoqixue_1 (Jan 28)
- Re:[oss-security] Re: Buffer Overflow in lha compression utility xiaoqixue_1 (Jan 19)
- Re: Buffer Overflow in lha compression utility cve-assign (Jan 18)