During extraction of the attached 7zip archive via /p7zip_16.02/bin/7za e -so -y /testcase, an out-of-bounds read is triggered. This possibly opens up other attack vectors to an attacker if files from untrusted sources are processed.
For reproduction of the crash, I attach a Docker image. Run ./build_upstream.sh to build the docker image and ./reproduce-upstream.sh to reproduce the crash.
If you need further details, please do not hesitate to ask.
Version
The input was tested on p7zip_16.02
Valgrind
[+] Running /p7zip_16.02/bin/7z e -pPASSWORD -so -y /testcase
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: /p7zip_16.02/bin/7za e -pPASSWORD -so -y /testcase
==1==
==1== Invalid read of size 4
==1== at 0x182124: NArchive::NZip::CInArchive::FindCd(bool) (ZipIn.cpp:1116)
==1== by 0x18434F: NArchive::NZip::CInArchive::ReadCd(CObjectVector<NArchive::NZip::CItemEx>&, unsigned int&, unsigned long long&, unsigned long long&) (ZipIn.cpp:1267)
==1== by 0x184729: NArchive::NZip::CInArchive::ReadHeaders2(CObjectVector<NArchive::NZip::CItemEx>&) (ZipIn.cpp:1774)
==1== by 0x186965: NArchive::NZip::CInArchive::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*, CObjectVector<NArchive::NZip::CItemEx>&) (ZipIn.cpp:2203)
==1== by 0x1798FA: NArchive::NZip::CHandler::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*) (ZipHandler.cpp:474)
==1== by 0x1CE6F6: OpenArchiveSpec(IInArchive*, bool, IInStream*, unsigned long long const*, IArchiveOpenCallback*, IArchiveExtractCallback*) (OpenArchive.cpp:1537)
==1== by 0x1D497C: CArc::OpenStream2(COpenOptions const&) (OpenArchive.cpp:2636)
==1== by 0x1D577E: CArc::OpenStream(COpenOptions const&) (OpenArchive.cpp:2901)
==1== by 0x1D5ADE: CArc::OpenStreamOrFile(COpenOptions&) (OpenArchive.cpp:2993)
==1== by 0x1D61AB: CArchiveLink::Open(COpenOptions&) (OpenArchive.cpp:3169)
==1== by 0x1D71D4: CArchiveLink::Open2(COpenOptions&, IOpenCallbackUI*) (OpenArchive.cpp:3292)
==1== by 0x1D7407: CArchiveLink::Open3(COpenOptions&, IOpenCallbackUI*) (OpenArchive.cpp:3356)
==1== Address 0x4e2d321 is 17 bytes after a block of size 16 in arena "client"
==1==
ERROR: /testcase
Can not open the file as archive
Unknown error -2147024591
==1==
==1== HEAP SUMMARY:
==1== in use at exit: 0 bytes in 0 blocks
==1== total heap usage: 1,022 allocs, 1,022 frees, 4,719,933 bytes allocated
==1==
==1== All heap blocks were freed -- no leaks are possible
==1==
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
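The Valgrind trace above shows a 4-byte read landing past the end of a 16-byte heap block while the central directory is being located. The following is an added illustration, not code from p7zip or from the reporter, of the bounds check that such a search has to apply before every multi-byte read: a little-endian uint32 accessor that refuses any offset whose four bytes do not all lie inside the buffer, and a backwards scan for the standard ZIP end-of-central-directory signature (0x06054b50) built on top of it. The 16-byte sample buffer is constructed here for demonstration; it is not the attached testcase, and the scan is a generic sketch rather than p7zip's FindCd.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard ZIP end-of-central-directory signature, "PK\x05\x06" as little-endian. */
#define EOCD_SIG 0x06054b50u

/* Read a little-endian uint32 at `off` only if bytes off..off+3 all lie inside [0, len).
   Returns false (and leaves *out untouched) when the read would step past the buffer. */
static bool read_le32_checked(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (buf == NULL || off > len || len - off < 4)
        return false;
    *out = (uint32_t)buf[off]
         | ((uint32_t)buf[off + 1] << 8)
         | ((uint32_t)buf[off + 2] << 16)
         | ((uint32_t)buf[off + 3] << 24);
    return true;
}

/* Scan backwards from the end of `buf` for the EOCD signature.
   Returns the offset of the signature, or -1 if it is not present.
   Every candidate read goes through read_le32_checked, so a short or
   truncated buffer can never cause a read outside the allocation. */
static long find_eocd(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 4)
        return -1;
    for (size_t off = len - 4;; off--) {
        uint32_t v;
        if (read_le32_checked(buf, len, off, &v) && v == EOCD_SIG)
            return (long)off;
        if (off == 0)
            break;
    }
    return -1;
}

/* Constructed 16-byte sample (hypothetical, not the attached testcase):
   all zeros except the EOCD signature placed at offset 6. */
static void make_sample(uint8_t buf[16])
{
    memset(buf, 0, 16);
    buf[6] = 0x50; buf[7] = 0x4b; buf[8] = 0x05; buf[9] = 0x06;
}

/* Offset the scan reports on the constructed sample (expected 6). */
long demo_find_eocd(void)
{
    uint8_t b[16];
    make_sample(b);
    return find_eocd(b, sizeof b);
}

/* 1 if a 4-byte read at offset 14 of a 16-byte buffer is rejected, 0 otherwise.
   This is exactly the shape of access the trace reports: only 2 bytes remain. */
int demo_short_read_rejected(void)
{
    uint8_t b[16];
    uint32_t v;
    make_sample(b);
    return read_le32_checked(b, sizeof b, 14, &v) ? 0 : 1;
}

int main(void)
{
    printf("EOCD signature found at offset %ld\n", demo_find_eocd());
    printf("4-byte read at offset 14 of 16 rejected: %d\n", demo_short_read_rejected());
    return 0;
}
```

The point of routing every read through one checked accessor is that the bound is enforced in a single place; a scan that computes the pointer arithmetic inline at each call site is where an off-by-a-few read of the kind Valgrind flagged tends to slip in.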
This project is mostly defunct. Did you check this in the updated 7z 21.07?
https://7-zip.org/a/7z2107-src.tar.xz
This applies to all your other threads.
Here are all the available sources:
https://www.7-zip.org/download.html