oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Buffer Overflow in lha compression utility

From: Paris Zoumpouloglou <pariszoump () gmail com>
Date: Mon, 18 Jan 2016 11:17:53 +0200
== Overview ==
LHA for UNIX (https://osdn.jp/projects/lha/) is an open source
implementation of the LHA compression utility and associated file format.

== Version ==
All tests were performed using the latest 20b6ba8 commit of the master
branch from https://osdn.jp/projects/lha/scm/git/lha/

== Details ==
Using the afl fuzzer, two cases which triggered a buffer overflow where
discovered. The problem existed in header.c:797-800 and header.c:913-916
while parsing level0 and level1 headers accordingly.

=797-800=

    hdr->header_size = header_size = get_byte();
    checksum = get_byte();

    if (fread(data + COMMON_HEADER_SIZE,
              header_size + 2 - COMMON_HEADER_SIZE, 1, fp) == 0) {
        error("Invalid header (LHarc file ?)");
        return FALSE;   /* finish */
    }

=913-916=

    hdr->header_size = header_size = get_byte();
    checksum = get_byte();

    if (fread(data + COMMON_HEADER_SIZE,
              header_size + 2 - COMMON_HEADER_SIZE, 1, fp) == 0) {
        error("Invalid header (LHarc file ?)");
        return FALSE;   /* finish */
    }


The header_size variable is determined from the first byte of the lha
archive header, which is read by the get_byte function. The returned
value is used in:

header_size + 2 - COMMON_HEADER_SIZE

to determine the elements' size used in fread() .

If the header_size is less than abs(2 - COMMON_HEADER_SIZE) = abs(2 -
21) = 19 then the size parameter is overflowed and a buffer overflow
occurs in fread.

== Timeline ==
2016-01-13 - Bug report submitted
2016-01-16 - Bug fix pushed to master (commit bf2471f)
Previous By Date Next
Previous By Thread Next

Current thread: