DoS in bsdunzip
adoxalim opened this issue · comments
Steps to reproduce
./bsdunzip -l zip.zipwill stop after the first name../bsdunzip zip.zipwill returnZIP decompression failed (-3),./bsdunzip zip.zipsecond time, it will ask change file, onlyAwill returnZIP decompression failed (-3)
test case
lldb outputs:
Process 27037 launched: '/usr/local/bin/bsdunzip' (arm64)
Archive: Downloads/zip.zip
Length Date Time Name
-------- ---- ---- ----
245 09-30-23 21:53 csv.py
Process 27037 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
frame #0: 0x000000019bef7ad8 libsystem_kernel.dylib`__lseek + 8
libsystem_kernel.dylib`:
-> 0x19bef7ad8 <+8>: b.lo 0x19bef7af8 ; <+40>
0x19bef7adc <+12>: pacibsp
0x19bef7ae0 <+16>: stp x29, x30, [sp, #-0x10]!
0x19bef7ae4 <+20>: mov x29, sp
Target 0: (bsdunzip) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
* frame #0: 0x000000019bef7ad8 libsystem_kernel.dylib`__lseek + 8
frame #1: 0x0000000100013294 bsdunzip`file_skip_lseek + 52
frame #2: 0x0000000100013080 bsdunzip`file_skip + 72
frame #3: 0x0000000100012218 bsdunzip`client_skip_proxy + 208
frame #4: 0x0000000100010a8c bsdunzip`advance_file_pointer + 496
frame #5: 0x0000000100010810 bsdunzip`__archive_read_filter_consume + 92
frame #6: 0x00000001000107a8 bsdunzip`__archive_read_consume + 36
frame #7: 0x00000001000148f0 bsdunzip`archive_read_format_zip_read_data_skip_streamable + 204
frame #8: 0x000000010000fcc0 bsdunzip`archive_read_data_skip + 144
frame #9: 0x0000000100004e44 bsdunzip`list + 444
frame #10: 0x00000001000046a0 bsdunzip`unzip + 924
frame #11: 0x0000000100003b9c bsdunzip`main + 1056
frame #12: 0x000000019bbae0e0 dyld`start + 2360```