heap-based buffer overflow WRITE in bz3_decode_block()
asarubbo opened this issue · comments
By using the code from decompress-file
With:
./decompress_file $FILE
I get:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f6d6ec6c800 at pc 0x0000004a23aa bp 0x7ffe6a63f330 sp 0x7ffe6a63eb00
WRITE of size 3275521 at 0x7f6d6ec6c800 thread T0
#0 0x4a23a9 in __asan_memcpy /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.7/work/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
#1 0x7f6d72c49f9d in bz3_decode_block /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/libbz3.c:709:23
#2 0x7f6d72c4e7a6 in bz3_decompress /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/libbz3.c:883:9
#3 0x4dd3ac in main /root/bzip3/fuzz.c:43:17
#4 0x7f6d7297e1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#5 0x7f6d7297e2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../csu/libc-start.c:381:3
#6 0x41d5c0 in _start (/usr/bin/bzip3_fuzz+0x41d5c0)
Full log and testcase:
bzip3.zip
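Triaging a report like this usually starts with the same three facts: the error class, the access type and size, and the first frame that is in the target rather than in the sanitizer runtime (here `#0` is the `__asan_memcpy` interceptor, so the frame of interest is `#1`, `bz3_decode_block` at `libbz3.c:709`). The following is an added example, not code from this issue or from the bzip3 project; it parses the AddressSanitizer trace quoted above (embedded verbatim as sample input) and returns those facts as a record a fuzzing pipeline could deduplicate on.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the AddressSanitizer trace from the report above, truncated
# after the application frames (libc/_start frames carry no triage value).
ASAN_REPORT = """\
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f6d6ec6c800 at pc 0x0000004a23aa bp 0x7ffe6a63f330 sp 0x7ffe6a63eb00
WRITE of size 3275521 at 0x7f6d6ec6c800 thread T0
    #0 0x4a23a9 in __asan_memcpy /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.7/work/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x7f6d72c49f9d in bz3_decode_block /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/libbz3.c:709:23
    #2 0x7f6d72c4e7a6 in bz3_decompress /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/libbz3.c:883:9
    #3 0x4dd3ac in main /root/bzip3/fuzz.c:43:17
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^\s*(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
# Frames with a file:line[:col] location; frames like "_start (/usr/bin/x+0x41d5c0)" do not match.
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<file>\S+?):(?P<line>\d+)(?::\d+)?\s*$", re.M)


@dataclass
class AsanFinding:
    kind: str      # e.g. "heap-buffer-overflow"
    access: str    # "READ" or "WRITE"; a WRITE is memory corruption, not just an info leak
    size: int      # bytes touched by the faulting access
    func: str      # first frame outside the sanitizer runtime
    file: str
    line: int

    def summary(self) -> str:
        return f"{self.kind} {self.access} of {self.size} bytes in {self.func} ({self.file}:{self.line})"


def _is_sanitizer_frame(func: str, file: str) -> bool:
    # Interceptors such as __asan_memcpy sit on top of the real faulting code.
    return func.startswith("__asan") or "/compiler-rt/lib/" in file


def parse_asan_report(text: str) -> Optional[AsanFinding]:
    """Return the triage record for an ASan report, or None if it is not one we can parse."""
    header, access = HEADER_RE.search(text), ACCESS_RE.search(text)
    if not header or not access:
        return None
    for m in FRAME_RE.finditer(text):
        if _is_sanitizer_frame(m["func"], m["file"]):
            continue
        return AsanFinding(header["kind"], access["access"], int(access["size"]),
                           m["func"], m["file"], int(m["line"]))
    return None


if __name__ == "__main__":
    print(parse_asan_report(ASAN_REPORT).summary())
```

Deduplicating crashes on `(kind, access, func, file, line)` rather than on the raw log text keeps ASLR-dependent addresses and build paths out of the key.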
Fixed in 33b1951.
FYI, this issue was assigned CVE-2023-29421.
(I didn't assign the issue, I just noticed it while triaging new CVEs.)