kspalaiologos / bzip3

A better and stronger spiritual successor to BZip2.

heap-based buffer overflow WRITE in bz3_decode_block()

asarubbo opened this issue · comments

By using the code from decompress-file

With:

./decompress_file $FILE

I get:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f6d6ec6c800 at pc 0x0000004a23aa bp 0x7ffe6a63f330 sp 0x7ffe6a63eb00
WRITE of size 3275521 at 0x7f6d6ec6c800 thread T0
    #0 0x4a23a9 in __asan_memcpy /var/tmp/portage/sys-libs/compiler-rt-sanitizers-15.0.7/work/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x7f6d72c49f9d in bz3_decode_block /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/libbz3.c:709:23
    #2 0x7f6d72c4e7a6 in bz3_decompress /var/tmp/portage/app-arch/bzip3-1.2.2/work/bzip3-1.2.2/src/libbz3.c:883:9
    #3 0x4dd3ac in main /root/bzip3/fuzz.c:43:17
    #4 0x7f6d7297e1f6 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7f6d7297e2ab in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.36-r7/work/glibc-2.36/csu/../csu/libc-start.c:381:3
    #6 0x41d5c0 in _start (/usr/bin/bzip3_fuzz+0x41d5c0)

Full log and testcase:
bzip3.zip

FYI, this issue was assigned CVE-2023-29421.

(I didn't assign the issue, I just noticed it while triaging new CVEs.)