#2217 Null pointer dereference in HfsHandler file (p7zip)

Milestone: None
Status: open-accepted
Owner: nobody
Labels: None
Priority: 5
Updated: 2019-08-06
Created: 2019-08-02
Creator: Yu Han
Private: No

Hi

I found this with several file formats and this example is a Mach-O file. I think this is reproducible only on Linux with p7zip 16.02, but please double check it on Windows if you have time.
It is a null pointer dereference in the Parse function in HfsHandler. Inputs of other file formats, like cramfs, ext and hfs, can also cause this problem. It seems that p7zip mistakenly recognized some file formats as hfs and ran the hfs handler.

Here is the AddressSanitizer report:

==1981==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f4479478caf bp 0x60f000000600 sp 0x7ffc16437690 T0)
==1981==The signal is caused by a READ memory access.
==1981==Hint: address points to the zero page.
    #0 0x7f4479478cae in NArchive::NHfs::CHeaderRec::Parse(unsigned char const*) ../../../../CPP/7zip/Archive/HfsHandler.cpp:508
    #1 0x7f44794809e5 in NArchive::NHfs::CDatabase::LoadCatalog(NArchive::NHfs::CFork const&, CObjectVector<NArchive::NHfs::CIdExtents> const*, IInStream*, IArchiveOpenCallback*) ../../../../CPP/7zip/Archive/HfsHandler.cpp:879
    #2 0x7f4479484b8f in NArchive::NHfs::CDatabase::Open2(IInStream*, IArchiveOpenCallback*) ../../../../CPP/7zip/Archive/HfsHandler.cpp:1263
    #3 0x7f4479484e56 in NArchive::NHfs::CHandler::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*) ../../../../CPP/7zip/Archive/HfsHandler.cpp:1483
    #4 0x56237ff69753 in OpenArchiveSpec ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:1537
    #5 0x56237ff801f0 in CArc::OpenStream2(COpenOptions const&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2636
    #6 0x56237ff82846 in CArc::OpenStream(COpenOptions const&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2901
    #7 0x56237ff83348 in CArc::OpenStreamOrFile(COpenOptions&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2993
    #8 0x56237ff84623 in CArchiveLink::Open(COpenOptions&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3169
    #9 0x56237ff8b634 in CArchiveLink::Open2(COpenOptions&, IOpenCallbackUI*) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3292
    #10 0x56237ff8be09 in CArchiveLink::Open3(COpenOptions&, IOpenCallbackUI*) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3356
    #11 0x56237ff4e709 in Extract(CCodecs*, CObjectVector<COpenType> const&, CRecordVector<int> const&, CObjectVector<UString>&, CObjectVector<UString>&, NWildcard::CCensorNode const&, CExtractOptions const&, IOpenCallbackUI*, IExtractCallbackUI*, IHashCalc*, UString&, CDecompressStat&) ../../../../CPP/7zip/UI/Common/Extract.cpp:362
    #12 0x56237ffd88ad in Main2(int, char**) ../../../../CPP/7zip/UI/Console/Main.cpp:923
    #13 0x56237ffe2ad9 in main ../../../../CPP/7zip/UI/Console/MainAr.cpp:66
    #14 0x7f447cf62b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #15 0x56237fedd4b9 in _start (/home/xxx/Desktop/address_san_test/p7zip_16.02/bin/7z+0x1d4b9)
1 Attachments
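As an added illustration of the bug class in the report above (this is not 7-Zip's or p7zip's code and makes no claim about which exact line of HfsHandler.cpp faults), the C sketch below shows a B-tree header-record parser that is handed a buffer pointer which a mis-detected input left NULL, beside a version that validates the fork data and the header fields before trusting them. The field order follows the public HFS+ BTHeaderRec layout (Apple TN1150); the function names, the `fork_data` type, the assumed root cause (an unread catalog fork yielding a NULL buffer) and the sample bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BT_HEADER_REC_SIZE 32   /* bytes of BTHeaderRec consumed below (reserved1 included) */

/* Subset of the HFS+ BTHeaderRec fields, big-endian on disk (TN1150 layout). */
typedef struct {
    uint16_t tree_depth;
    uint32_t root_node;
    uint32_t leaf_records;
    uint32_t first_leaf_node;
    uint32_t last_leaf_node;
    uint16_t node_size;
    uint16_t max_key_length;
    uint32_t total_nodes;
    uint32_t free_nodes;
} bt_header_rec;

/* Hypothetical model of a catalog fork as an archive handler might hold it:
 * bytes read from the fork's first extent, or NULL when nothing could be read
 * (e.g. the input was not HFS at all and the extent list was empty). */
typedef struct {
    const uint8_t *data;
    size_t size;
} fork_data;

static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unchecked form: dereferences p without asking where it came from. Called with
 * p == NULL it reads offsets 0..29 of the zero page, the same fault class as the
 * SEGV in the ASan report above. */
static void parse_header_rec(const uint8_t *p, bt_header_rec *h)
{
    h->tree_depth      = be16(p + 0);
    h->root_node       = be32(p + 2);
    h->leaf_records    = be32(p + 6);
    h->first_leaf_node = be32(p + 10);
    h->last_leaf_node  = be32(p + 14);
    h->node_size       = be16(p + 18);
    h->max_key_length  = be16(p + 20);
    h->total_nodes     = be32(p + 22);
    h->free_nodes      = be32(p + 26);
}

/* Hardened form: refuses NULL or short fork data and rejects header values that
 * cannot describe a valid catalog B-tree, so a mis-sniffed image fails the open
 * instead of crashing it. Returns 0 on success, -1 on rejection. */
static int load_catalog_header(const fork_data *fork, bt_header_rec *h)
{
    if (fork == NULL || fork->data == NULL || fork->size < BT_HEADER_REC_SIZE)
        return -1;
    parse_header_rec(fork->data, h);
    /* HFS+ node sizes are powers of two from 512 through 32768 bytes. */
    if (h->node_size < 512 || h->node_size > 32768 || (h->node_size & (h->node_size - 1)) != 0)
        return -1;
    if (h->total_nodes == 0 || h->root_node >= h->total_nodes ||
        h->first_leaf_node >= h->total_nodes || h->last_leaf_node >= h->total_nodes)
        return -1;
    if (h->free_nodes > h->total_nodes)
        return -1;
    return 0;
}

/* Constructed sample header (not taken from any real image): depth 2, root node 3,
 * 10 leaf records, leaf nodes 1..2, 4096-byte nodes, max key 516, 64 nodes, 60 free. */
static const uint8_t sample_header[BT_HEADER_REC_SIZE] = {
    0x00, 0x02,
    0x00, 0x00, 0x00, 0x03,
    0x00, 0x00, 0x00, 0x0a,
    0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x02,
    0x10, 0x00,
    0x02, 0x04,
    0x00, 0x00, 0x00, 0x40,
    0x00, 0x00, 0x00, 0x3c,
    0x00, 0x00               /* reserved1 */
};

/* Scenarios: a well-formed fork, the "fork was never read" case behind the crash,
 * and a fork whose header carries an impossible node size. */
int demo_valid(bt_header_rec *h)
{
    fork_data f = { sample_header, sizeof sample_header };
    return load_catalog_header(&f, h);
}
int demo_null_fork(void)
{
    bt_header_rec h;
    fork_data f = { NULL, 0 };
    return load_catalog_header(&f, &h);
}
int demo_bad_node_size(void)
{
    uint8_t buf[BT_HEADER_REC_SIZE];
    bt_header_rec h;
    memcpy(buf, sample_header, sizeof buf);
    buf[18] = 0x00; buf[19] = 0x03;   /* node_size = 3: below 512 and not a power of two */
    fork_data f = { buf, sizeof buf };
    return load_catalog_header(&f, &h);
}
```

The point of the checked path is that a handler selected by format sniffing must treat its input as hostile until the structures it reads prove otherwise: a NULL or short fork buffer and an out-of-range node size are both ordinary outcomes when a Mach-O, cramfs or ext image lands in an HFS handler, and each should turn into a clean open failure rather than a dereference.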

Discussion

Igor Pavlov - 2019-08-04
  • status: open --> open-accepted
  • Group: -->

Igor Pavlov - 2019-08-04

  That bug was already fixed in the latest 7-Zip, 19.00.

Yu Han - 2019-08-05

  Will you make this ticket public? And the other private tickets that are only applicable to p7zip?
  I am wondering if there is any method to notify the maintainer of p7zip.
  Since this ticket is private here, the maintainers of p7zip and Ubuntu can't see this bug, right?

Igor Pavlov - 2019-08-06
  • private: Yes --> No

Igor Pavlov - 2019-08-06

  The p7zip maintainer is not active now.
  So I don't know any way to ask him to update anything in p7zip.
