
#239 Invalid read during processing of 7zip archive

Milestone: v1.0 (example)
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2022-05-24
Created: 2022-05-24
Private: No

During extraction of the attached 7zip archive via
/p7zip_16.02/bin/7za e -so -y /testcase

an out-of-bounds read is triggered. This possibly opens up other attack vectors to an attacker if files from untrusted sources are processed.

For reproduction of the crash, I attach a Docker image. Run ./build_upstream.sh to build the docker image and ./reproduce-upstream.sh to reproduce the crash.
If you need further details, please do not hesitate to ask.

Version
The input was tested on p7zip_16.02

Valgrind

[+] Running /p7zip_16.02/bin/7za e -so -y /testcase
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: /p7zip_16.02/bin/7za e -so -y /testcase
==1== 
==1== Invalid read of size 1
==1==    at 0x144256: NArchive::N7z::CHandler::IsFolderEncrypted(unsigned int) const (7zHandler.cpp:273)
==1==    by 0x144AA2: NArchive::N7z::CHandler::GetProperty(unsigned int, unsigned int, tagPROPVARIANT*) (7zHandler.cpp:580)
==1==    by 0x1CF9F0: Archive_GetItemBoolProp(IInArchive*, unsigned int, unsigned int, bool&) (OpenArchive.cpp:452)
==1==    by 0x1BADEE: CArchiveExtractCallback::GetStream(unsigned int, ISequentialOutStream**, int) (ArchiveExtractCallback.cpp:788)
==1==    by 0x141D43: NArchive::N7z::CFolderOutStream::OpenFile(bool) (7zExtract.cpp:93)
==1==    by 0x14215E: NArchive::N7z::CFolderOutStream::FlushCorrupted(int) (7zExtract.cpp:205)
==1==    by 0x142704: NArchive::N7z::CHandler::Extract(unsigned int const*, unsigned int, int, IArchiveExtractCallback*) (7zExtract.cpp:376)
==1==    by 0x1C9E78: DecompressArchive (Extract.cpp:208)
==1==    by 0x1C9E78: Extract(CCodecs*, CObjectVector<COpenType> const&, CRecordVector<int> const&, CObjectVector<UString>&, CObjectVector<UString>&, NWildcard::CCensorNode const&, CExtractOptions const&, IOpenCallbackUI*, IExtractCallbackUI*, IHashCalc*, UString&, CDecompressStat&) (Extract.cpp:445)
==1==    by 0x1EDF43: Main2(int, char**) (Main.cpp:923)
==1==    by 0x1F141A: main (MainAr.cpp:66)
==1==  Address 0x4e0c944 is 0 bytes after a block of size 20 alloc'd
==1==    at 0x483C583: operator new[](unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x14AB41: Alloc (MyBuffer.h:50)
==1==    by 0x14AB41: CopyFrom (MyBuffer.h:68)
==1==    by 0x14AB41: NArchive::N7z::CInArchive::ReadUnpackInfo(CObjectVector<CBuffer<unsigned char> > const*, NArchive::N7z::CFolders&) (7zIn.cpp:776)
==1==    by 0x14B42A: NArchive::N7z::CInArchive::ReadStreamsInfo(CObjectVector<CBuffer<unsigned char> > const*, unsigned long long&, NArchive::N7z::CFolders&, CRecordVector<unsigned long long>&, NArchive::N7z::CUInt32DefVector&) (7zIn.cpp:958)
==1==    by 0x14BF87: NArchive::N7z::CInArchive::ReadHeader(NArchive::N7z::CDbEx&, ICryptoGetTextPassword*, bool&, bool&, UString&) (7zIn.cpp:1139)
==1==    by 0x14D38F: NArchive::N7z::CInArchive::ReadDatabase2(NArchive::N7z::CDbEx&, ICryptoGetTextPassword*, bool&, bool&, UString&) (7zIn.cpp:1603)
==1==    by 0x14D45C: NArchive::N7z::CInArchive::ReadDatabase(NArchive::N7z::CDbEx&, ICryptoGetTextPassword*, bool&, bool&, UString&) (7zIn.cpp:1618)
==1==    by 0x143BD5: NArchive::N7z::CHandler::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*) (7zHandler.cpp:670)
==1==    by 0x1CE6F6: OpenArchiveSpec(IInArchive*, bool, IInStream*, unsigned long long const*, IArchiveOpenCallback*, IArchiveExtractCallback*) (OpenArchive.cpp:1537)
==1==    by 0x1D37AA: CArc::OpenStream2(COpenOptions const&) (OpenArchive.cpp:2143)
==1==    by 0x1D577E: CArc::OpenStream(COpenOptions const&) (OpenArchive.cpp:2901)
==1==    by 0x1D5ADE: CArc::OpenStreamOrFile(COpenOptions&) (OpenArchive.cpp:2993)
==1==    by 0x1D61AB: CArchiveLink::Open(COpenOptions&) (OpenArchive.cpp:3169)
==1== 
ERROR: Unsupported Method : testcase~
==1== 
==1== HEAP SUMMARY:
==1==     in use at exit: 0 bytes in 0 blocks
==1==   total heap usage: 1,061 allocs, 1,061 frees, 296,126 bytes allocated
==1== 
==1== All heap blocks were freed -- no leaks are possible
==1== 
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 3 errors from 1 contexts (suppressed: 0 from 0)
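As an added triage helper that is not part of the ticket or of p7zip, the following parser reads the Memcheck report format quoted above and pulls out the faulting frame, the allocation site of the heap block and how far the read ran past it; SAMPLE is a constructed excerpt of the ticket's own trace with most frames trimmed.

```python
import re

# Constructed excerpt of the Memcheck report quoted in the ticket (most frames trimmed).
SAMPLE = """\
==1== Invalid read of size 1
==1==    at 0x144256: NArchive::N7z::CHandler::IsFolderEncrypted(unsigned int) const (7zHandler.cpp:273)
==1==  Address 0x4e0c944 is 0 bytes after a block of size 20 alloc'd
==1==    at 0x483C583: operator new[](unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1==    by 0x14AB41: Alloc (MyBuffer.h:50)
==1==    by 0x14AB41: NArchive::N7z::CInArchive::ReadUnpackInfo(CObjectVector<CBuffer<unsigned char> > const*, NArchive::N7z::CFolders&) (7zIn.cpp:776)
==1== 
ERROR: Unsupported Method : testcase~
"""

PREFIX = re.compile(r"^==\d+==\s?")          # Memcheck prefixes each of its own lines with ==pid==
ERROR_RE = re.compile(r"^(Invalid (?:read|write)) of size (\d+)$")
FRAME_RE = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (.*) \(([^()]+)\)$")   # function, then file:line or object
ADDR_RE = re.compile(r"^\s*Address 0x[0-9A-Fa-f]+ is (\d+) bytes (before|after|inside) "
                     r"a block of size (\d+) (alloc'd|free'd)")

def parse_memcheck(text):
    """One dict per Invalid read/write: kind, size, faulting stack and (if attributed) the heap block."""
    findings, current, target = [], None, None
    for raw in text.splitlines():
        if not PREFIX.match(raw):
            continue                          # the program's own output (e.g. "ERROR: Unsupported Method")
        line = PREFIX.sub("", raw)
        if not line.strip():
            current = target = None           # a blank ==pid== line closes the record
            continue
        if m := ERROR_RE.match(line):
            current = {"kind": m[1], "size": int(m[2]), "stack": [], "alloc_stack": []}
            findings.append(current)
            target = current["stack"]
        elif (m := ADDR_RE.match(line)) and current:
            current.update(offset=int(m[1]), relation=m[2], block_size=int(m[3]), block_state=m[4])
            target = current["alloc_stack"]   # frames that follow describe where the block was allocated
        elif (m := FRAME_RE.match(line)) and target is not None:
            target.append((m[1], m[2]))
    return findings

def triage(finding):
    """Fault site, allocation site and whether this is a read running off the end of a live heap block."""
    fault = "%s (%s)" % finding["stack"][0]
    # First allocation frame with a source location, i.e. skip Valgrind's operator new replacement shim.
    alloc = next(("%s (%s)" % f for f in finding["alloc_stack"] if not f[1].startswith("in ")), None)
    overread = finding["kind"] == "Invalid read" and finding.get("block_state") == "alloc'd" and finding.get("relation") == "after"
    bytes_past_end = finding["offset"] + finding["size"] if overread else None
    return {"fault": fault, "alloc": alloc, "heap_overread": overread, "bytes_past_end": bytes_past_end}
```

Running `triage` over each finding from a full Memcheck log gives a one-line classification per error, which is enough to deduplicate fuzzer crashes by fault and allocation site before reading the whole trace.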