Heap-buffer-overflow in function __zzip_parse_root_directory() at zzip/zip.c:544

[zhuvensi]

Describe：

A heap-buffer-overflow was discovered in zziplib. The issue is being triggered in function __zzip_parse_root_directory() at zzip/zip.c:544

Reproduce:

Tested in Ubuntu 22.04
First,Compile the program with address sanitizer:

AFL_USE_ASAN=1 CC=afl-clang-fast CXX=afl-clang-fast++ cmake ..

Then the poc is inputed:
/home/zziplib/build/bins/unzzip -p /home/zziplib/build/fuzz_out2/default/crashes/id\:000001\,sig\:06\,src\:000122\,time\:3482830\,execs\:1125075\,op\:havoc\,rep\:5

ASAN Reports:

==2520704==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000005b at pc 0x7f1e5b5a6f48 bp 0x7ffd4dd28fb0 sp 0x7ffd4dd28fa8
READ of size 8 at 0x60300000005b thread T0
    #0 0x7f1e5b5a6f47 in __zzip_parse_root_directory /home/zziplib/zzip/zip.c:544:32
    #1 0x7f1e5b5a6f47 in __zzip_dir_parse /home/zziplib/zzip/zip.c:792:15
    #2 0x7f1e5b5a6f47 in zzip_dir_fdopen_ext_io /home/zziplib/zzip/zip.c:744:15
    #3 0x7f1e5b5a7624 in zzip_dir_open_ext_io /home/zziplib/zzip/zip.c:865:16
    #4 0x556bc4a40b51 in unzzip_cat /home/zziplib/bins/unzzipcat-zip.c:74:12
    #5 0x7f1e5b24cd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #6 0x7f1e5b24ce3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #7 0x556bc496b444 in _start (/home/zziplib/build/bins/unzzip+0x20444) (BuildId: 51480054c521707abc39c358c3a230320af010e2)

0x60300000005b is located 3 bytes after 24-byte region [0x603000000040,0x603000000058)
allocated by thread T0 here:
    #0 0x556bc4a0526e in __interceptor_malloc (/home/zziplib/build/bins/unzzip+0xba26e) (BuildId: 51480054c521707abc39c358c3a230320af010e2)
    #1 0x7f1e5b5a5fc5 in __zzip_parse_root_directory /home/zziplib/zzip/zip.c:536:30
    #2 0x7f1e5b5a5fc5 in __zzip_dir_parse /home/zziplib/zzip/zip.c:792:15
    #3 0x7f1e5b5a5fc5 in zzip_dir_fdopen_ext_io /home/zziplib/zzip/zip.c:744:15
    #4 0x7f1e5b5a7624 in zzip_dir_open_ext_io /home/zziplib/zzip/zip.c:865:16
    #5 0x556bc4a40b51 in unzzip_cat /home/zziplib/bins/unzzipcat-zip.c:74:12
    #6 0x7f1e5b24cd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/zziplib/zzip/zip.c:544:32 in __zzip_parse_root_directory
Shadow bytes around the buggy address:
  0x602ffffffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x602ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x602ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x602fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x602fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x603000000000: fa fa 00 00 00 fa fa fa 00 00 00[fa]fa fa fa fa
  0x603000000080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x603000000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x603000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x603000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x603000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2520704==ABORTING

and this is the code at the bug address:

Poc

Poc file is here

Fuzzer
Fuzzer is AFL.

[gdraheim]

probably fixed in v0.13.78