Heap-buffer-overflow in CPP/7zip/Archive/Zip/ZipIn.cpp:1116 in NArchive::NZip::CInArchive::FindCd(bool)
$ ./7za
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,64 CPUs x64)
./7za t poc.zip
https://github.com/17ssDP/fuzzer_crashes/raw/main/zip/poc.zip
$ ./7za t poc.zip
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,64 CPUs x64)
Scanning the drive for archives:
1 file, 4340 bytes (5 KiB)
Testing archive: poc.zip
=================================================================
==65213==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000000ff at pc 0x55b8f9dd0731 bp 0x7ffd13599890 sp 0x7ffd13599880
READ of size 4 at 0x6210000000ff thread T0
#0 0x55b8f9dd0730 in NArchive::NZip::CInArchive::FindCd(bool) ../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1116
#1 0x55b8f9dd5f00 in NArchive::NZip::CInArchive::ReadVols() ../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1578
#2 0x55b8f9e01d9b in NArchive::NZip::CInArchive::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*, CObjectVector<NArchive::NZip::CItemEx>&) ../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:2135
#3 0x55b8f9d4c294 in NArchive::NZip::CHandler::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*) ../../../../CPP/7zip/Archive/Zip/ZipHandler.cpp:474
#4 0x55b8fa46890b in CArc::OpenStream2(COpenOptions const&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:1878
#5 0x55b8fa47fb6a in CArc::OpenStream(COpenOptions const&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2901
#6 0x55b8fa481451 in CArc::OpenStreamOrFile(COpenOptions&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2993
#7 0x55b8fa48437a in CArchiveLink::Open(COpenOptions&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3169
#8 0x55b8fa48ccf5 in CArchiveLink::Open2(COpenOptions&, IOpenCallbackUI*) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3292
#9 0x55b8fa48f2a5 in CArchiveLink::Open3(COpenOptions&, IOpenCallbackUI*) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3356
#10 0x55b8fa409e7e in Extract(CCodecs*, CObjectVector<COpenType> const&, CRecordVector<int> const&, CObjectVector<UString>&, CObjectVector<UString>&, NWildcard::CCensorNode const&, CExtractOptions const&, IOpenCallbackUI*, IExtractCallbackUI*, IHashCalc*, UString&, CDecompressStat&) ../../../../CPP/7zip/UI/Common/Extract.cpp:362
#11 0x55b8fa5cc0b6 in Main2(int, char**) ../../../../CPP/7zip/UI/Console/Main.cpp:923
#12 0x55b8f9819ef8 in main ../../../../CPP/7zip/UI/Console/MainAr.cpp:66
#13 0x7fa675178c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#14 0x55b8f981c069 in _start (/home/p7zip/7za+0x41069)
0x6210000000ff is located 1 bytes to the left of 4340-byte region [0x621000000100,0x6210000011f4)
allocated by thread T0 here:
#0 0x7fa675e6c608 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0608)
#1 0x55b8f9dce590 in CObjArray<unsigned char>::CObjArray(unsigned long) ../../../../CPP/7zip/Archive/Zip/../../../Common/MyBuffer.h:141
#2 0x55b8f9dce590 in NArchive::NZip::CInArchive::FindCd(bool) ../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1066
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1116 in NArchive::NZip::CInArchive::FindCd(bool)
Shadow bytes around the buggy address:
0x0c427fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c427fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==65213==ABORTING
Ubuntu 18.04
gcc 7.5.0
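The trace reports a READ of size 4 at one byte before the start of the heap buffer that FindCd allocated at ZipIn.cpp:1066: a backward signature scan that advanced one position too far. The following is an added example, not p7zip's code, showing the bounded form of such a scan. It assumes (from the function name and the ZIP format, not from anything stated in the report) that FindCd searches the tail of the file for the End Of Central Directory record; the buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian "PK\x05\x06": signature of the End Of Central Directory record. */
#define EOCD_SIG 0x06054b50u
/* Fixed part of the EOCD record (22 bytes) plus the largest trailing comment
   (65535 bytes): the record can be no further than this from the end of the file. */
#define EOCD_FIXED_SIZE 22u
#define EOCD_MAX_COMMENT 0xFFFFu

static uint32_t read_le32(const unsigned char *p)
{
    /* Caller guarantees p[0..3] lie inside the buffer. */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Backward scan of buf[0..len) for the EOCD signature.
   Returns the offset of the signature, or -1 when no complete record fits.
   A full record needs EOCD_FIXED_SIZE bytes from the signature onward, so the
   first window starts at len - 22; the loop visits offset 0 and then stops,
   so no 4-byte window ever starts before the buffer. The crash report above
   (READ of size 4 at buf - 1) is what this scan looks like when it steps once more. */
static long find_eocd(const unsigned char *buf, size_t len)
{
    if (len < EOCD_FIXED_SIZE)
        return -1;
    for (size_t i = len - EOCD_FIXED_SIZE; ; i--) {
        if (read_le32(buf + i) == EOCD_SIG)
            return (long)i;
        if (i == 0)          /* bound check before the decrement, not after */
            return -1;
    }
}

/* Locate the EOCD record in a whole file image by scanning only the tail the
   format allows, the way an archive reader reads the last chunk of a file.
   Returns the absolute offset of the signature, or -1. */
static long find_eocd_in_tail(const unsigned char *file, size_t file_len)
{
    size_t max_tail = EOCD_FIXED_SIZE + EOCD_MAX_COMMENT;
    size_t start = file_len > max_tail ? file_len - max_tail : 0;
    long rel = find_eocd(file + start, file_len - start);
    return rel < 0 ? -1 : (long)start + rel;
}

/* Constructed sample: 12 filler bytes, an EOCD record at offset 12 with zeroed
   fields, a comment length of 3, and the comment "abc". */
static const unsigned char sample_tail[] = {
    'x','x','x','x','x','x','x','x','x','x','x','x',
    0x50, 0x4b, 0x05, 0x06,
    0,0, 0,0, 0,0, 0,0, 0,0,0,0, 0,0,0,0,
    0x03, 0x00, 'a', 'b', 'c'
};

/* Constructed sample: the record starts at offset 0, so the scan must
   examine the window at 0 and then stop. */
static const unsigned char sample_sig_at_zero[] = {
    0x50, 0x4b, 0x05, 0x06,
    0,0, 0,0, 0,0, 0,0, 0,0,0,0, 0,0,0,0, 0,0
};

/* Constructed edge case: the buffer opens with the last three signature
   bytes. Only a window starting one byte before the buffer could complete the
   signature, and that window is out of bounds; a bounded scan reports -1. */
static const unsigned char sample_partial_sig[] = {
    0x4b, 0x05, 0x06,
    0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0
};

int main(void)
{
    printf("record at 12:   %ld\n", find_eocd(sample_tail, sizeof sample_tail));
    printf("record at 0:    %ld\n", find_eocd(sample_sig_at_zero, sizeof sample_sig_at_zero));
    printf("partial sig:    %ld\n", find_eocd(sample_partial_sig, sizeof sample_partial_sig));
    printf("via tail scan:  %ld\n", find_eocd_in_tail(sample_tail, sizeof sample_tail));
    return 0;
}
```

The point of the loop shape is that the termination test runs on the index before it is decremented; a scan written as "while (i >= 0) check(i--)" on an index that starts at len - 4 reaches a window at -1 as soon as the signature is absent, which is exactly the one-byte-left read ASan flags here. Compiling the example with -fsanitize=address and feeding it the partial-signature buffer is a cheap regression check for this bug class.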
Is there any update on this CVE?
Last edit: Yonghang 2023-12-11
7zip has a Linux version now (v23) and seems to manage that thing well. p7zip 17.xx is somewhat maintained here.
Hello, is there any update on this CVE? Even though 7zip is now available on Linux, many people still use p7zip, so a fix would be helpful...
For reference, this is CVE-2023-1576 (p7zip: Heap buffer overflow in ZipIn.cpp).
This PoC is invalid. Firstly, it involves the incorrect use of CLI, and secondly, it cannot be reproduced. It should not be considered a CVE vulnerability.