Hi
It is possible to trigger a null pointer dereference when extracting squashfs files with p7zip 16.02 on Ubuntu.
Function NArchive::NSquashfs::CHandler::Open2 in SquashfsHandler.cpp line 1572 calls function AddInReserved. In the attached example, it tries to dereference a null pointer to read elements from an array, which causes a segmentation fault.
The following is the result of running this with AddressSanitizer:

==11781==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_common.cc:118 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x7f79bfb0cc02 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02)
    #1 0x7f79bfb2b595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595)
    #2 0x7f79bfb16492 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xf3492)
    #3 0x7f79bfb228a5 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xff8a5)
    #4 0x7f79bfa4b7fd (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x287fd)
    #5 0x7f79bfb01b1a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb1a)
    #6 0x55e66815ef53 in align_alloc ../../../../C/Alloc.c:61
    #7 0x55e66815ef53 in MyAlloc ../../../../C/Alloc.c:82
    #8 0x55e668274ec2 in operator new[](unsigned long) ../../../../CPP/Common/NewHandler.cpp:23
    #9 0x7f79bb25ea67 in CRecordVector<NArchive::NSquashfs::CNode>::ClearAndReserve(unsigned int) ../../../../CPP/Common/MyVector.h:83
    #10 0x7f79bb25ea67 in NArchive::NSquashfs::CHandler::Open2(IInStream*) ../../../../CPP/7zip/Archive/SquashfsHandler.cpp:1547
    #11 0x7f79bb25fac1 in NArchive::NSquashfs::CHandler::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*) ../../../../CPP/7zip/Archive/SquashfsHandler.cpp:1683
    #12 0x55e6681fafdf in CArc::OpenStream2(COpenOptions const&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:1878
    #13 0x55e668203846 in CArc::OpenStream(COpenOptions const&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2901
    #14 0x55e668204348 in CArc::OpenStreamOrFile(COpenOptions&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2993
    #15 0x55e668205623 in CArchiveLink::Open(COpenOptions&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3169
    #16 0x55e66820c634 in CArchiveLink::Open2(COpenOptions&, IOpenCallbackUI*) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3292
    #17 0x55e66820ce09 in CArchiveLink::Open3(COpenOptions&, IOpenCallbackUI*) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3356
    #18 0x55e6681cf709 in Extract(CCodecs*, CObjectVector<COpenType> const&, CRecordVector<int> const&, CObjectVector<UString>&, CObjectVector<UString>&, NWildcard::CCensorNode const&, CExtractOptions const&, IOpenCallbackUI*, IExtractCallbackUI*, IHashCalc*, UString&, CDecompressStat&) ../../../../CPP/7zip/UI/Common/Extract.cpp:362
    #19 0x55e6682598ad in Main2(int, char**) ../../../../CPP/7zip/UI/Console/Main.cpp:923
    #20 0x55e668263ad9 in main ../../../../CPP/7zip/UI/Console/MainAr.cpp:66
    #21 0x7f79bec8fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #22 0x55e66815e4b9 in _start (/home/xxx/Desktop/address_san_test/p7zip_16.02/bin/7z+0x1d4b9)
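The sanitizer trace above does not stop at a load through a null pointer; it ends inside an allocation (CRecordVector::ClearAndReserve, operator new[], malloc, then an mmap failure inside ASan), reached from Open2 while the archive header is being parsed. A reader that sizes a container from a count taken out of an untrusted header needs to bound that count before it reaches the allocator. The block below is an added example of that bound check; it is not 7-Zip or p7zip code and not the fix Igor Pavlov refers to. The header layout ("NODE" magic plus a little-endian u64 count), the Node struct, kMinNodeBytesOnDisk and kMaxReserveBytes are all assumptions made for the illustration.

```cpp
// Added example, not 7-Zip/p7zip code: bounding an element count read from an
// untrusted archive header before it is used to size an allocation.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <vector>

// Assumed, for illustration: the fewest input bytes one node record can occupy.
constexpr uint64_t kMinNodeBytesOnDisk = 16;
// Assumed policy cap on what a reader will reserve before it has parsed anything.
constexpr uint64_t kMaxReserveBytes = 64ull << 20;  // 64 MiB

// Hypothetical in-memory node; sizeof(Node) is 16 on common ABIs.
struct Node {
  uint64_t offset;
  uint32_t type;
  uint32_t parent;
};

// Decide whether `count` elements may be reserved given the bytes still
// available in the stream. Every check is phrased as a division so it cannot
// overflow; a rejected count never reaches operator new[].
bool ReserveIsSane(uint64_t count, size_t elemSize, uint64_t bytesRemaining) {
  if (count == 0) return true;
  if (count > bytesRemaining / kMinNodeBytesOnDisk) return false;  // more records than the input can hold
  if (count > kMaxReserveBytes / elemSize) return false;            // exceeds the policy cap
  if (count > std::numeric_limits<unsigned int>::max()) return false; // would truncate in a 32-bit reserve
  return true;
}

// Constructed header: 4-byte magic "NODE" followed by a little-endian u64 count.
// Returns true and reserves `nodes` only when the count passes ReserveIsSane.
bool OpenNodeTable(const uint8_t* data, size_t len, std::vector<Node>& nodes) {
  if (len < 12 || std::memcmp(data, "NODE", 4) != 0) return false;
  uint64_t count = 0;
  for (int i = 0; i < 8; i++) count |= uint64_t(data[4 + i]) << (8 * i);
  const uint64_t bytesRemaining = len - 12;
  if (!ReserveIsSane(count, sizeof(Node), bytesRemaining)) return false;
  nodes.clear();
  nodes.reserve(static_cast<size_t>(count));
  return true;
}

// Builds a constructed input: header with `count`, followed by `payloadBytes` zero bytes.
std::vector<uint8_t> MakeInput(uint64_t count, size_t payloadBytes) {
  std::vector<uint8_t> buf(12 + payloadBytes, 0);
  std::memcpy(buf.data(), "NODE", 4);
  for (int i = 0; i < 8; i++) buf[4 + i] = uint8_t(count >> (8 * i));
  return buf;
}

// Convenience wrapper: does an input with this count and body size open?
bool TryOpen(uint64_t count, size_t payloadBytes) {
  std::vector<uint8_t> buf = MakeInput(count, payloadBytes);
  std::vector<Node> nodes;
  return OpenNodeTable(buf.data(), buf.size(), nodes);
}

int main() {
  // 4 records backed by 64 body bytes are accepted; a count of 2^64-1 in the
  // same 64-byte body is rejected before any allocation is attempted.
  return (TryOpen(4, 64) && !TryOpen(~0ull, 64)) ? 0 : 1;
}
```

The point of the "bytes remaining" division is that it ties the count to something the attacker cannot inflate for free: each record claimed by the header must be backed by input that actually exists, so a short file cannot demand a multi-gigabyte reserve. The cap is a second, independent limit for formats where a legitimately huge file could still name more records than the process should pre-allocate.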
Yes, it was reported before.
I've fixed it for the next 7-Zip.
Please change ticket to "private"
Hi
I can't find a way to edit a ticket. There is no edit icon like the one for a topic in Discussion.
So do you know how to change it to private? Sorry about that.