Headline
CVE-2022-0529: Heap out-of-bound writes and reads during conversion of wide string to local string
A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of wide string to local string that leads to a heap of out-of-bound writes. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
Comment 1 Sandipan Roy 2022-02-07 08:07:37 UTC
Created unzip tracking bugs for this issue:
Affects: fedora-all [bug 2051403]
Comment 6 Salvatore Bonaccorso 2022-02-12 10:11:13 UTC
Hi,
The referenced bug is not accessible, can you share details on this CVE?
Regards, Salvatore
Comment 7 Sandipan Roy 2022-02-14 09:53:58 UTC
Hey Nils,
Can you add your flaw and POC files to this bug as public?
Thanks.
Comment 8 Nils Bars 2022-02-14 10:00:37 UTC
Created attachment 1860945 [details] Reproduction scripts and crashing input.
Heap out-of-bound writes and reads during conversion of wide string to local string
Description
During extraction of the attached zip archive via ``` unzip $PWD/testcase ``` out-of-bounds reads and writes happen on an heap-allocated buffer. The bug is located in the code that is responsible for converting wide strings to local strings.
This bug allows an attacker to perform a denial of service and possibly opens up other attack vectors.
To reproduce the crash, we provide scripts alongside the crashing input:
- ./reproduce-fedora.sh: Reproduce crash via a Fedora 35 docker container
- ./reproduce-ubuntu.sh: Reproduce crash via a Ubuntu 20.04 docker container
If you need further details, we are happy to assist where possible.
yum info unzip
Last metadata expiration check: 0:04:07 ago on Mon Jan 31 12:39:57 2022. Installed Packages Name : unzip Version : 6.0 Release : 53.fc35 Architecture : x86_64 Size : 385 k Source : unzip-6.0-53.fc35.src.rpm Repository : @System From repo : fedora Summary : A utility for unpacking zip files URL : http://www.info-zip.org/UnZip.html License : BSD Description : The unzip utility is used to list, test, or extract files from a zip : archive. Zip archives are commonly found on MS-DOS systems. The zip : utility, included in the zip package, creates zip archives. Zip and : unzip are both compatible with archives created by PKWARE®’s PKZIP : for MS-DOS, but the programs’ options and default behaviors do differ : in some respects. : : Install the unzip package if you need to list, test or extract files from : a zip archive.
valgrind fedora
==1== Memcheck, a memory error detector ==1== Copyright © 2002-2017, and GNU GPL’d, by Julian Seward et al. ==1== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==1== Command: unzip /testcase ==1== Archive: /testcase warning [/testcase]: 303 extra bytes at beginning or within zipfile (attempting to process anyway) error [/testcase]: reported length of central directory is -303 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 zipfile?). Compensating… ==1== Invalid write of size 1 ==1== at 0x484732C: strcat (vg_replace_strmem.c:330) ==1== by 0x11CD25: UnknownInlinedFun (string_fortified.h:127) ==1== by 0x11CD25: UnknownInlinedFun (process.c:2547) ==1== by 0x11CD25: UnknownInlinedFun (process.c:2600) ==1== by 0x11CD25: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1== Address 0x4a8a3c9 is 0 bytes after a block of size 601 alloc’d ==1== at 0x484186F: malloc (vg_replace_malloc.c:381) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) ==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1== ==1== Invalid write of size 1 ==1== at 0x484733E: strcat (vg_replace_strmem.c:330) ==1== by 0x11CD25: UnknownInlinedFun (string_fortified.h:127) ==1== by 0x11CD25: UnknownInlinedFun (process.c:2547) ==1== by 0x11CD25: UnknownInlinedFun (process.c:2600) ==1== by 0x11CD25: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1== Address 0x4a8a3d2 is 9 bytes after a block of size 601 alloc’d ==1== at 0x484186F: malloc (vg_replace_malloc.c:381) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) ==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1== ==1== Invalid read of size 1 ==1== at 0x4847314: strcat (vg_replace_strmem.c:330) ==1== by 0x11CD25: UnknownInlinedFun (string_fortified.h:127) ==1== by 0x11CD25: UnknownInlinedFun (process.c:2547) ==1== by 0x11CD25: UnknownInlinedFun (process.c:2600) ==1== by 0x11CD25: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1== Address 0x4a8a3c9 is 0 bytes after a block of size 601 alloc’d ==1== at 0x484186F: malloc (vg_replace_malloc.c:381) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) ==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1== ==1== Invalid read of size 1 ==1== at 0x4847604: strlen (vg_replace_strmem.c:494) ==1== by 0x11CE8C: UnknownInlinedFun (process.c:2551) ==1== by 0x11CE8C: UnknownInlinedFun (process.c:2600) ==1== by 0x11CE8C: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1== Address 0x4a8a3c9 is 0 bytes after a block of size 601 alloc’d ==1== at 0x484186F: malloc (vg_replace_malloc.c:381) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) ==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1== ==1== Invalid read of size 8 ==1== at 0x484B214: memmove (vg_replace_strmem.c:1382) ==1== by 0x11CEAE: UnknownInlinedFun (string_fortified.h:79) ==1== by 0x11CEAE: UnknownInlinedFun (process.c:2552) ==1== by 0x11CEAE: UnknownInlinedFun (process.c:2600) ==1== by 0x11CEAE: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1== Address 0x4a8a3d0 is 7 bytes after a block of size 601 alloc’d ==1== at 0x484186F: malloc (vg_replace_malloc.c:381) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) ==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1== ==1== Invalid read of size 8 ==1== at 0x484B21F: memmove (vg_replace_strmem.c:1382) ==1== by 0x11CEAE: UnknownInlinedFun (string_fortified.h:79) ==1== by 0x11CEAE: UnknownInlinedFun (process.c:2552) ==1== by 0x11CEAE: UnknownInlinedFun (process.c:2600) ==1== by 0x11CEAE: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1== Address 0x4a8a3d8 is 15 bytes after a block of size 601 alloc’d ==1== at 0x484186F: malloc (vg_replace_malloc.c:381) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) ==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1== ==1== Invalid read of size 8 ==1== at 0x484B227: memmove (vg_replace_strmem.c:1382) ==1== by 0x11CEAE: UnknownInlinedFun (string_fortified.h:79) ==1== by 0x11CEAE: UnknownInlinedFun (process.c:2552) ==1== by 0x11CEAE: UnknownInlinedFun (process.c:2600) ==1== by 0x11CEAE: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1== Address 0x4a8a3e0 is 23 bytes after a block of size 601 alloc’d ==1== at 0x484186F: malloc (vg_replace_malloc.c:381) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2508) ==1== by 0x11CC98: UnknownInlinedFun (process.c:2600) ==1== by 0x11CC98: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) ==1==
valgrind: m_mallocfree.c:303 (get_bszB_as_is): Assertion ‘bszB_lo == bszB_hi’ failed. valgrind: Heap block lo/hi size mismatch: lo = 672, hi = 3689347702328406576. This is probably caused by your program erroneously writing past the end of a heap block and corrupting heap metadata. If you fix any invalid writes reported by Memcheck, this assertion failure will probably go away. Please try that before reporting this as a bug.
host stacktrace: ==1== at 0x580428CA: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==1== by 0x580429F7: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==1== by 0x58042B9B: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==1== by 0x5804C8EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==1== by 0x5803AF1A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==1== by 0x58039637: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==1== by 0x5803DFBD: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==1== by 0x580388E8: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==1== by 0x5800F344: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==1== by 0x1002DF0984: ??? ==1== by 0x1002CB5F2F: ??? ==1== by 0x581FCDA3: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux) ==1== by 0x1002CB5F17: ??? ==1== by 0x1002CB5F2F: ???
sched status: running_tid=1
Thread 1: status = VgTs_Runnable (lwpid 1) ==1== at 0x484B22F: memmove (vg_replace_strmem.c:1382) ==1== by 0x11CEAE: UnknownInlinedFun (string_fortified.h:79) ==1== by 0x11CEAE: UnknownInlinedFun (process.c:2552) ==1== by 0x11CEAE: UnknownInlinedFun (process.c:2600) ==1== by 0x11CEAE: do_string.part.0 (fileio.c:2361) ==1== by 0x119E35: UnknownInlinedFun (fileio.c:2041) ==1== by 0x119E35: extract_or_test_files (extract.c:659) ==1== by 0x1253D6: do_seekable.lto_priv.0 (process.c:994) ==1== by 0x10E51E: UnknownInlinedFun (process.c:401) ==1== by 0x10E51E: UnknownInlinedFun (unzip.c:1279) ==1== by 0x10E51E: main (unzip.c:742) client stack range: [0x1FFEFFE000 0x1FFF000FFF] client SP: 0x1FFF000868 valgrind stack range: [0x1002BB6000 0x1002CB5FFF] top usage: 8656 of 1048576
apt-show unzip
Package: unzip Version: 6.0-25ubuntu1 Priority: optional Section: utils Origin: Ubuntu Maintainer: Ubuntu Developers <[email protected]> Original-Maintainer: Santiago Vila <[email protected]> Bugs: https://bugs.launchpad.net/ubuntu/+filebug Installed-Size: 593 kB Depends: libbz2-1.0, libc6 (>= 2.14) Suggests: zip Homepage: http://www.info-zip.org/UnZip.html Task: ubuntu-desktop-minimal, ubuntu-desktop, kubuntu-desktop, xubuntu-core, xubuntu-desktop, lubuntu-desktop, ubuntustudio-desktop-core, ubuntustudio-desktop, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop, ubuntu-budgie-desktop Download-Size: 169 kB APT-Manual-Installed: yes APT-Sources: http://archive.ubuntu.com/ubuntu focal/main amd64 Packages Description: De-archiver for .zip files
valgrind Ubuntu
==1== Memcheck, a memory error detector ==1== Copyright © 2002-2017, and GNU GPL’d, by Julian Seward et al. ==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info ==1== Command: unzip /testcase ==1== Archive: /testcase warning [/testcase]: 303 extra bytes at beginning or within zipfile (attempting to process anyway) error [/testcase]: reported length of central directory is -303 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 zipfile?). Compensating… ==1== Invalid write of size 1 ==1== at 0x483EC4C: strcat (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E65D: strcat (string_fortified.h:128) ==1== by 0x11E65D: wide_to_local_string (process.c:2555) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== Address 0x4a6c3c9 is 0 bytes after a block of size 601 alloc’d ==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E609: wide_to_local_string (process.c:2516) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== ==1== Invalid write of size 1 ==1== at 0x483EC5E: strcat (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E65D: strcat (string_fortified.h:128) ==1== by 0x11E65D: wide_to_local_string (process.c:2555) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== Address 0x4a6c3d2 is 9 bytes after a block of size 601 alloc’d ==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E609: wide_to_local_string (process.c:2516) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== ==1== Invalid read of size 1 ==1== at 0x483EC34: strcat (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E65D: strcat (string_fortified.h:128) ==1== by 0x11E65D: wide_to_local_string (process.c:2555) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== Address 0x4a6c3c9 is 0 bytes after a block of size 601 alloc’d ==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E609: wide_to_local_string (process.c:2516) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== ==1== Conditional jump or move depends on uninitialised value(s) ==1== at 0x11E6B7: wide_to_local_string (process.c:2559) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== ==1== Invalid read of size 4 ==1== at 0x11E6A2: wide_to_local_string (process.c:2559) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== Address 0x4a6c3cc is 3 bytes after a block of size 601 alloc’d ==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E609: wide_to_local_string (process.c:2516) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== ==1== Invalid read of size 4 ==1== at 0x11E6B7: wide_to_local_string (process.c:2559) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== Address 0x4a6c3d0 is 7 bytes after a block of size 601 alloc’d ==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E609: wide_to_local_string (process.c:2516) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== ==1== Invalid read of size 8 ==1== at 0x4842A7C: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E6FA: strcpy (string_fortified.h:90) ==1== by 0x11E6FA: wide_to_local_string (process.c:2560) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== Address 0x4a6c3d0 is 7 bytes after a block of size 601 alloc’d ==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E609: wide_to_local_string (process.c:2516) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== ==1== Invalid read of size 8 ==1== at 0x4842A87: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E6FA: strcpy (string_fortified.h:90) ==1== by 0x11E6FA: wide_to_local_string (process.c:2560) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== Address 0x4a6c3d8 is 15 bytes after a block of size 601 alloc’d ==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E609: wide_to_local_string (process.c:2516) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== ==1== Invalid read of size 8 ==1== at 0x4842A8F: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E6FA: strcpy (string_fortified.h:90) ==1== by 0x11E6FA: wide_to_local_string (process.c:2560) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1== Address 0x4a6c3e0 is 23 bytes after a block of size 601 alloc’d ==1== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E609: wide_to_local_string (process.c:2516) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) ==1==
valgrind: m_mallocfree.c:305 (get_bszB_as_is): Assertion ‘bszB_lo == bszB_hi’ failed. valgrind: Heap block lo/hi size mismatch: lo = 672, hi = 3689347702328406576. This is probably caused by your program erroneously writing past the end of a heap block and corrupting heap metadata. If you fix any invalid writes reported by Memcheck, this assertion failure will probably go away. Please try that before reporting this as a bug.
host stacktrace: ==1== at 0x58046FFA: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) ==1== by 0x58047127: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) ==1== by 0x580472CB: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) ==1== by 0x580514B4: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) ==1== by 0x5803DE9A: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) ==1== by 0x5803CD9F: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) ==1== by 0x58041F04: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) ==1== by 0x5803C1D8: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) ==1== by 0x58017AF4: ??? (in /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux) ==1== by 0x1002EC5614: ??? ==1== by 0x1002DB5F2F: ??? ==1== by 0x1002DB5F17: ??? ==1== by 0x1002DB5F2F: ??? ==1== by 0x1002DB5F3F: ???
sched status: running_tid=1
Thread 1: status = VgTs_Runnable (lwpid 1) ==1== at 0x4842A97: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x11E6FA: strcpy (string_fortified.h:90) ==1== by 0x11E6FA: wide_to_local_string (process.c:2560) ==1== by 0x11E800: utf8_to_local_string (process.c:2608) ==1== by 0x117D50: do_string (fileio.c:2362) ==1== by 0x114CA3: extract_or_test_files (extract.c:658) ==1== by 0x11C830: do_seekable (process.c:994) ==1== by 0x11D796: process_zipfiles (process.c:401) ==1== by 0x10EB36: unzip (unzip.c:1278) ==1== by 0x48890B2: (below main) (libc-start.c:308) client stack range: [0x1FFEFFE000 0x1FFF000FFF] client SP: 0x1FFF0008A8 valgrind stack range: [0x1002CB6000 0x1002DB5FFF] top usage: 18248 of 1048576