[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)
|
From: |
Zephyr official |
|
Subject: |
bug#78639: Uninitialised read in check_zipfile() (gzip 1.14) |
|
Date: |
Fri, 30 May 2025 14:16:03 +0100 |
Hi Paul,
Thanks for the patch and for looking into this.
I've been digging a bit further into the interaction. Your patch `c5e7899`
tightens the bounds for `SH(h + LOCFIL)` and `SH(h + LOCEXT)` within
`check_zipfile()`, but there appears to be an uninitialized read of
inbuf[3] during the initial PKZIP magic number check in
`gzip.c:get_method()` also.
This occurs when `DYN_ALLOC` is active (making `inbuf` uninitialized heap)
and `insize` is precisely 3 due to a short input like PK\x03. The
memcmp((char*)inbuf, PKZIP_MAGIC, 4) in `get_method() will access inbuf[3]
before check_zipfile() is even invoked for that path.
This can be demonstrated with:
printf "\x50\x4B\x03" > trigger.dat
# Assuming gzip compiled with DYN_ALLOC and your patch c5e7899
valgrind --track-origins=yes ./gzip -tv trigger.dat
Best regards,
Mohamed Maatallah
On Fri, May 30, 2025 at 7:10 AM Paul Eggert <eggert@cs.ucla.edu> wrote:
> Thanks for the bug report and proposed fix. I installed the attached,
> which should fix the gzip bug in a different way.
>
> I think the bug is innocuous in practice, but it's good to fix it anyway
> as these things tend to mushroom.