
Out of bounds read when decoding a malformed zlib file #16

Closed
Shnatsel opened this issue Aug 29, 2018 · 6 comments

Comments

@Shnatsel
Contributor

Shnatsel commented Aug 29, 2018

libflate performs reads from uninitialized memory when decoding a zlib file when given certain malformed inputs. The accessed address is out of bounds for any buffer allocated by the code.

This may pose a security vulnerability; I am still investigating the actual impact of this bug. Examples of similar vulnerabilities in C code and discussion of the potential impact can be found here.

This issue has been discovered using afl.rs and Address Sanitizer. I shall relay further details on the issue to the maintainer privately by email.

@Shnatsel
Contributor Author

Shnatsel commented Aug 30, 2018

This does not seem to pose a security issue after all; at least, I couldn't get uninitialized memory contents to influence the output. It can crash though, so this is still an opportunity for denial of service.

@sile
Owner

sile commented Sep 1, 2018

Thank you for your information.
I will confirm the detail within a few weeks.

@Shnatsel
Contributor Author

It has been three weeks since the report. Any updates?

sile added a commit that referenced this issue Sep 24, 2018
@sile
Owner

sile commented Sep 24, 2018

Sorry for the late reply.
I fixed the bug at the commit e263e83.

@Shnatsel
Contributor Author

Thank you!

Now that this issue is fixed, I'm attaching the full details below.

Steps to reproduce the issue:

git clone https://github.com/Shnatsel/libflate-repr
cd libflate-repr
export ASAN_OPTIONS=detect_odr_violation=0
RUSTFLAGS="-Z sanitizer=address" cargo +nightly build
target/debug/zlib < /path/to/malformed/input

The cargo.toml in the inflate_repr repository points to my own fork of libflate, so this issue should remain reproducible in this setup even after the fix.

The inputs triggering the bug can be obtained from https://github.com/sile/libflate/tree/master/data/issues_16
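
The thread above does not spell out which decoding step read out of bounds, and the fix lives in commit e263e83 rather than on this page. As an added example (not libflate's code, and not a reconstruction of its bug), the following std-only Rust shows the two places where a zlib/DEFLATE decoder must reject malformed input instead of trusting it: the RFC 1950 header check, and the LZ77 back-reference copy, where a distance larger than the output produced so far is exactly the kind of value that would otherwise index memory the decoder never wrote. The error type, function names and the constructed sample inputs are all this example's own assumptions; it generalizes from the issue to the whole class of decoder bounds checks that a fuzzing-plus-sanitizer setup like the one in the reproduction steps is meant to exercise.

```rust
// Added example, not libflate's code: defensive input validation for a
// zlib/DEFLATE decoder. Every name here is an assumption of this example.

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    BadCompressionMethod(u8),
    BadWindowSize(u8),
    BadHeaderCheck,
    PresetDictionaryUnsupported,
    ZeroDistance,
    DistanceTooFar { distance: usize, written: usize },
}

/// Validate the 2-byte zlib header (RFC 1950) and return the window size in bytes.
/// A decoder that skips any of these checks will later size buffers or
/// back-references from attacker-controlled fields.
pub fn parse_zlib_header(input: &[u8]) -> Result<usize, DecodeError> {
    if input.len() < 2 {
        return Err(DecodeError::Truncated);
    }
    let (cmf, flg) = (input[0], input[1]);
    // CM (low nibble of CMF): compression method, must be 8 = deflate.
    let cm = cmf & 0x0f;
    if cm != 8 {
        return Err(DecodeError::BadCompressionMethod(cm));
    }
    // CINFO (high nibble of CMF): log2(window size) - 8, at most 7 (32 KiB).
    let cinfo = cmf >> 4;
    if cinfo > 7 {
        return Err(DecodeError::BadWindowSize(cinfo));
    }
    // FCHECK: CMF*256 + FLG must be a multiple of 31.
    if ((u16::from(cmf) << 8) | u16::from(flg)) % 31 != 0 {
        return Err(DecodeError::BadHeaderCheck);
    }
    // FDICT (bit 5 of FLG): a preset dictionary follows; unsupported here.
    if flg & 0x20 != 0 {
        return Err(DecodeError::PresetDictionaryUnsupported);
    }
    Ok(1usize << (cinfo + 8))
}

/// Apply a DEFLATE <length, distance> pair: append `length` bytes copied from
/// `distance` bytes back in `out`. Overlapping copies (distance < length) are
/// legal in DEFLATE and handled byte by byte. A distance reaching before the
/// start of the output is rejected instead of being read from memory that was
/// never decoded.
pub fn copy_back_reference(
    out: &mut Vec<u8>,
    length: usize,
    distance: usize,
) -> Result<(), DecodeError> {
    if distance == 0 {
        return Err(DecodeError::ZeroDistance);
    }
    if distance > out.len() {
        return Err(DecodeError::DistanceTooFar { distance, written: out.len() });
    }
    out.reserve(length);
    let start = out.len() - distance;
    for i in 0..length {
        let b = out[start + i]; // always < out.len(): start + i <= out.len() - 1
        out.push(b);
    }
    Ok(())
}

fn main() {
    // Constructed inputs: a well-formed header and three malformed ones.
    for header in [[0x78u8, 0x9c], [0x78, 0x9d], [0x79, 0x9c], [0x78, 0x20]] {
        println!("{:02x?} -> {:?}", header, parse_zlib_header(&header));
    }
    // Constructed back-references: one legal overlapping copy, one that would
    // read before the start of the output.
    let mut out = b"abc".to_vec();
    println!("{:?}", copy_back_reference(&mut out, 5, 3).map(|_| out.clone()));
    let mut short = b"ab".to_vec();
    println!("{:?}", copy_back_reference(&mut short, 4, 3));
}
```

The distance check is the one that matters for this class of bug: a decoder that computes `start = out.len() - distance` without it wraps or goes negative on malformed input, and whatever it then reads is whichever bytes happen to sit there, which is precisely what Address Sanitizer flags.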

@sile
Owner

sile commented Sep 24, 2018

Thanks a lot!
