#145 p7zip crashes while moving memory in MoveItems

Milestone: v1.0 (example)
Status: closed-fixed
Owner: my p7zip
Labels: crash (2)
Priority: 5
Updated: 2015-02-25
Created: 2015-02-20
Creator: luh
Private: No

On various input files p7zip crashes with a segmentation fault. The stack trace on most of the input files looks like this:

Program received signal SIGSEGV, Segmentation fault.
memmove_ssse3 () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:1284
1284 ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S: No such file or directory.
(gdb) bt
#0  memmove_ssse3 () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:1284
#1  0x08614c4d in MoveItems (src=12, dest=11, this=<optimized out>) at ../../../../CPP/Common/MyString.h:325
#2  UString::Delete (this=0xbfffe9dc, index=11) at ../../../../CPP/Common/MyString.cpp:1144
#3  0x086194ee in MultiByteToUnicodeString (srcString=...) at ../../../../CPP/Common/StringConvert.cpp:145
#4  0x0861af27 in MultiByteToUnicodeString2 (dest=..., srcString=..., codePage=0) at ../../../../CPP/Common/StringConvert.cpp:208
#5  0xbfffea88 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Attached are all files generated by American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/) which cause a crash.

1 Attachment

Discussion

  • Igor Pavlov - 2015-02-20

    1) what version of p7zip?
    2) what operation
    7z l file
    or
    7z x file
    ?


  • luh - 2015-02-20

    1) 9.38
    2) l


  • Igor Pavlov - 2015-02-20

    Ok. I suppose it's a BUG in p7zip code.
    StringConvert.cpp:
    You must call ReleaseBuffer(numChars)
    before another UString functions, like
    resultString.Delete(i);
    resultString.Insert(i, ((c >> 10) & 0x3ff) + 0xd800);
    resultString.Insert(i + 1, (c & 0x3ff) + 0xdc00);


  • my p7zip - 2015-02-20

    Can you try this fix with your tool:

    CPP/Common/StringConvert.cpp, line 133, function MultiByteToUnicodeString is now:

    UString MultiByteToUnicodeString(const AString &srcString, UINT /* codePage */ )
    {
    #ifdef ENV_HAVE_MBSTOWCS
      if ((global_use_utf16_conversion) && (!srcString.IsEmpty()))
      {
        UString resultString;
        int numChars = mbstowcs(resultString.GetBuffer(srcString.Len()), srcString, srcString.Len() + 1);
        if (numChars >= 0) {
          resultString.ReleaseBuffer(numChars);  // this line is now here

    #if WCHAR_MAX > 0xffff
          for (int i = numChars; i >= 0; i--) {
            if (resultString[i] > 0xffff) {
              wchar_t c = resultString[i] - 0x10000;
              resultString.Delete(i);
              resultString.Insert(i, ((c >> 10) & 0x3ff) + 0xd800);
              resultString.Insert(i + 1, (c & 0x3ff) + 0xdc00);
              numChars++;
            }
          }
    #endif
          // before : resultString.ReleaseBuffer(numChars); was here
          return resultString;
        }
      }
    #endif

      UString resultString;
      for (int i = 0; i < srcString.Len(); i++)
        resultString += wchar_t(srcString[i] & 255);

      return resultString;
    }


    Last edit: my p7zip 2015-02-20
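The rule Igor states above (call ReleaseBuffer() before any other UString method) and the reordering in the posted fix, as an added example that is not p7zip's or 7-Zip's code: a hypothetical ModelString reproduces only the length contract implied by the stack trace (GetBuffer() leaves the logical length untouched; Delete() shifts len - src + 1 units via memmove), so the bad ordering yields the wrapped memmove size instead of a segfault, and the fixed ordering runs the same surrogate-splitting loop on a valid length. The class and function names, the bounds guards in Delete()/Insert() and the sample input are this example's assumptions.

```cpp
// Added example, not p7zip's code: a minimal model of the GetBuffer()/ReleaseBuffer()
// contract behind this ticket. Names and guards are this example's own.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical stand-in for 7-Zip's UString: GetBuffer() hands out a raw
// writable buffer but leaves the logical length alone; only ReleaseBuffer()
// sets it. Every other method trusts len_, so using them in between is the bug.
class ModelString {
  std::vector<uint32_t> chars_;  // 32-bit code units, like wchar_t on Linux
  size_t len_ = 0;               // stale between GetBuffer() and ReleaseBuffer()

public:
  uint32_t* GetBuffer(size_t minLen) {
    if (chars_.size() < minLen + 1) chars_.resize(minLen + 1, 0);
    return chars_.data();        // len_ intentionally untouched, as in UString
  }
  void ReleaseBuffer(size_t newLen) { len_ = newLen; chars_[newLen] = 0; }
  size_t Len() const { return len_; }
  uint32_t operator[](size_t i) const { return chars_[i]; }
  std::vector<uint32_t> Units() const {
    return std::vector<uint32_t>(chars_.begin(), chars_.begin() + len_);
  }

  // Code units Delete(index) hands to memmove when shifting the tail (plus
  // terminator) down by one: len - src + 1, as in the MoveItems frame of the
  // stack trace. With len_ still 0 this wraps to a huge size_t.
  size_t MoveCount(size_t src) const { return len_ - src + 1; }

  bool Delete(size_t index) {
    if (index >= len_) return false;  // guard added by this model only
    std::memmove(&chars_[index], &chars_[index + 1],
                 MoveCount(index + 1) * sizeof(uint32_t));
    --len_;
    return true;
  }
  bool Insert(size_t index, uint32_t c) {
    if (index > len_) return false;   // guard added by this model only
    if (chars_.size() < len_ + 2) chars_.resize(len_ + 2, 0);
    std::memmove(&chars_[index + 1], &chars_[index],
                 (len_ - index + 1) * sizeof(uint32_t));
    chars_[index] = c;
    ++len_;
    return true;
  }
};

// Buggy order from the original StringConvert.cpp: the buffer is filled, but
// Delete(index) runs before ReleaseBuffer(), so it sizes its memmove from a
// length of 0. Returns that size; index 11 matches frame #2 of the ticket.
size_t StaleMoveCount(const std::vector<uint32_t>& decoded, size_t index) {
  ModelString s;
  std::copy(decoded.begin(), decoded.end(), s.GetBuffer(decoded.size()));
  return s.MoveCount(index + 1);  // 0 - 12 + 1 as size_t: the crashing memmove
}

// Same order through the model's guarded Delete(): it refuses because the
// string still believes it is empty, the other face of the same stale length.
bool DeleteBeforeRelease(const std::vector<uint32_t>& decoded, size_t index) {
  ModelString s;
  std::copy(decoded.begin(), decoded.end(), s.GetBuffer(decoded.size()));
  return s.Delete(index);
}

// Fixed order from the thread: ReleaseBuffer() first, then split code points
// above U+FFFF into UTF-16 surrogate pairs, walking backwards so the freshly
// inserted units are never revisited.
std::vector<uint32_t> ToUtf16Units(const std::vector<uint32_t>& decoded) {
  ModelString s;
  std::copy(decoded.begin(), decoded.end(), s.GetBuffer(decoded.size()));
  s.ReleaseBuffer(decoded.size());  // length is valid from here on
  for (size_t i = s.Len(); i-- > 0;) {
    if (s[i] > 0xffff) {
      uint32_t c = s[i] - 0x10000;
      s.Delete(i);
      s.Insert(i, ((c >> 10) & 0x3ff) + 0xd800);  // high surrogate
      s.Insert(i + 1, (c & 0x3ff) + 0xdc00);      // low surrogate
    }
  }
  return s.Units();
}
```

The loop starts at Len() - 1 rather than at numChars as the patch does; the patch's first iteration only inspects the terminator slot, which is 0 and never exceeds 0xffff, so the two walks visit the same characters. Constructed input {0x61, 0x1F600, 0x62} ("a", U+1F600, "b") becomes {0x61, 0xD83D, 0xDE00, 0x62}.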
  • luh - 2015-02-23

    It still crashes. Maybe it is a copy error. Could you post a patch-file? This way I can make sure the differences are the same.


  • my p7zip - 2015-02-24

    Here is my CPP/Common/StringConvert.cpp

    With this patch, all files in crashes-p7zip.zip don't crash p7zip on Ubuntu 14.10 64-bit.


  • luh - 2015-02-25

    I can confirm: No crashes anymore with the test files on my 32-bit Debian either.


    Last edit: luh 2015-02-25
  • my p7zip - 2015-02-25
    • status: open --> closed-fixed
    • assigned_to: my p7zip
  • my p7zip - 2015-02-25

    This bug is fixed in p7zip 9.38.1
