CVE-2022-47069: p7zip / Bugs / #241 Heap-buffer-overflow in ZipIn.cpp:1116
p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp.
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2022-12-09
Created: 2022-12-09
Private: No
Description
Heap-buffer-overflow in CPP/7zip/Archive/Zip/ZipIn.cpp:1116 in NArchive::NZip::CInArchive::FindCd(bool)
Version
$ ./7za
7-Zip (a) [64] 16.02 : Copyright © 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,64 CPUs x64)
Replay
./7za t poc.zip
POC
https://github.com/17ssDP/fuzzer_crashes/raw/main/zip/poc.zip
ASAN
$ ./7za t poc.zip
7-Zip (a) [64] 16.02 : Copyright © 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,64 CPUs x64)

Scanning the drive for archives:
1 file, 4340 bytes (5 KiB)

Testing archive: poc.zip
==65213==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000000ff at pc 0x55b8f9dd0731 bp 0x7ffd13599890 sp 0x7ffd13599880
READ of size 4 at 0x6210000000ff thread T0
    #0 0x55b8f9dd0730 in NArchive::NZip::CInArchive::FindCd(bool) ../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1116
    #1 0x55b8f9dd5f00 in NArchive::NZip::CInArchive::ReadVols() ../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1578
    #2 0x55b8f9e01d9b in NArchive::NZip::CInArchive::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*, CObjectVector<NArchive::NZip::CItemEx>&) ../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:2135
    #3 0x55b8f9d4c294 in NArchive::NZip::CHandler::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*) ../../../../CPP/7zip/Archive/Zip/ZipHandler.cpp:474
    #4 0x55b8fa46890b in CArc::OpenStream2(COpenOptions const&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:1878
    #5 0x55b8fa47fb6a in CArc::OpenStream(COpenOptions const&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2901
    #6 0x55b8fa481451 in CArc::OpenStreamOrFile(COpenOptions&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2993
    #7 0x55b8fa48437a in CArchiveLink::Open(COpenOptions&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3169
    #8 0x55b8fa48ccf5 in CArchiveLink::Open2(COpenOptions&, IOpenCallbackUI*) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3292
    #9 0x55b8fa48f2a5 in CArchiveLink::Open3(COpenOptions&, IOpenCallbackUI*) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3356
    #10 0x55b8fa409e7e in Extract(CCodecs*, CObjectVector<COpenType> const&, CRecordVector<int> const&, CObjectVector<UString>&, CObjectVector<UString>&, NWildcard::CCensorNode const&, CExtractOptions const&, IOpenCallbackUI*, IExtractCallbackUI*, IHashCalc*, UString&, CDecompressStat&) ../../../../CPP/7zip/UI/Common/Extract.cpp:362
    #11 0x55b8fa5cc0b6 in Main2(int, char**) ../../../../CPP/7zip/UI/Console/Main.cpp:923
    #12 0x55b8f9819ef8 in main ../../../../CPP/7zip/UI/Console/MainAr.cpp:66
    #13 0x7fa675178c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #14 0x55b8f981c069 in _start (/home/p7zip/7za+0x41069)

0x6210000000ff is located 1 bytes to the left of 4340-byte region [0x621000000100,0x6210000011f4)
allocated by thread T0 here:
    #0 0x7fa675e6c608 in operator new (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0608)
    #1 0x55b8f9dce590 in CObjArray<unsigned char>::CObjArray(unsigned long) ../../../../CPP/7zip/Archive/Zip/../../../Common/MyBuffer.h:141
    #2 0x55b8f9dce590 in NArchive::NZip::CInArchive::FindCd(bool) ../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1066

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1116 in NArchive::NZip::CInArchive::FindCd(bool)
Shadow bytes around the buggy address:
  0x0c427fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c427fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==65213==ABORTING
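The report above is a 4-byte READ at 0x6210000000ff, one byte before a 4340-byte heap block that is exactly the size of poc.zip and was allocated inside FindCd itself (ZipIn.cpp:1066). That shape is what a backward search for the ZIP end-of-central-directory record produces when the lower bound is tested after the read rather than before it. The C program below is an added illustration of that failure mode and its fix; it is not p7zip's code, it does not reproduce FindCd's actual logic or the contents of poc.zip, and the names (find_ecd_buggy, find_ecd_fixed, tracked_buf, scan) and the two inputs are constructed for this example. Out-of-range reads are counted by a wrapper instead of being dereferenced, so the buggy variant can be run without undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ZIP_ECD_SIG      0x06054b50u  /* "PK\x05\x06" read as a little-endian uint32 */
#define ZIP_ECD_MIN_SIZE 22           /* fixed part of the end-of-central-directory record */

/* Buffer wrapper that counts out-of-range 4-byte reads instead of performing them,
 * so the buggy scanner below runs safely; it stands in for what ASAN flagged. */
typedef struct {
    const unsigned char *data;
    size_t size;
    int  oob_reads;   /* reads that touched bytes outside [0, size) */
    long min_offset;  /* lowest byte offset any read started at */
} tracked_buf;

static uint32_t get32(tracked_buf *b, long off)
{
    if (off < b->min_offset) b->min_offset = off;
    if (off < 0 || (size_t)off + 4 > b->size) { b->oob_reads++; return 0; }
    const unsigned char *p = b->data + off;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Illustrative buggy scan (not p7zip's code): walks backward from the last place a
 * full ECD record could start, but checks the lower bound only after reading, so a
 * buffer with no signature ends with a 4-byte read at offset -1, one byte before the
 * allocation: the shape of the "READ of size 4 ... 1 bytes to the left" report. */
static long find_ecd_buggy(tracked_buf *b)
{
    long pos = (long)b->size - ZIP_ECD_MIN_SIZE;
    for (;;) {
        if (get32(b, pos) == ZIP_ECD_SIG) return pos;
        if (pos < 0) return -1;   /* too late: pos == -1 has already been read */
        pos--;
    }
}

/* Hardened scan: reject inputs too small to hold a record, and test the bound before
 * every read. A real parser would also stop after 65535 + 22 bytes (maximum comment
 * length plus the record) instead of scanning the whole file. */
static long find_ecd_fixed(tracked_buf *b)
{
    if (b->size < ZIP_ECD_MIN_SIZE) return -1;
    for (long pos = (long)b->size - ZIP_ECD_MIN_SIZE; pos >= 0; pos--) {
        if (get32(b, pos) == ZIP_ECD_SIG) return pos;
    }
    return -1;
}

/* Run one scanner over a buffer; reports the ECD offset (or -1), how many reads
 * went out of bounds, and the lowest offset touched. */
static long scan(const unsigned char *data, size_t size, int fixed, int *oob, long *min_off)
{
    tracked_buf b = { data, size, 0, 0 };
    long r = fixed ? find_ecd_fixed(&b) : find_ecd_buggy(&b);
    if (oob)     *oob = b.oob_reads;
    if (min_off) *min_off = b.min_offset;
    return r;
}

/* Constructed inputs (not the reporter's poc.zip): 4340 bytes of filler with no ECD
 * signature, matching only the size of the region in the report, and a minimal
 * archive: 10 filler bytes standing in for entries, then an empty 22-byte ECD. */
#define JUNK_SIZE 4340
static unsigned char junk[JUNK_SIZE];
static const unsigned char tiny_zip[32] = {
    'x','x','x','x','x','x','x','x','x','x',
    'P','K',0x05,0x06, 0,0, 0,0, 0,0, 0,0, 0,0,0,0, 0,0,0,0, 0,0
};

static int  junk_oob_reads(int fixed)  { int o;  memset(junk, 'A', sizeof junk); scan(junk, sizeof junk, fixed, &o, NULL); return o; }
static long junk_min_offset(int fixed) { long m; memset(junk, 'A', sizeof junk); scan(junk, sizeof junk, fixed, NULL, &m); return m; }
static long tiny_ecd_offset(int fixed) { return scan(tiny_zip, sizeof tiny_zip, fixed, NULL, NULL); }
static int  short_oob_reads(int fixed) { int o; scan(tiny_zip, 8, fixed, &o, NULL); return o; } /* 8 bytes: too small for an ECD */

int main(void)
{
    printf("junk:  buggy oob reads=%d (lowest offset %ld), fixed oob reads=%d\n",
           junk_oob_reads(0), junk_min_offset(0), junk_oob_reads(1));
    printf("tiny:  ECD at %ld (buggy) / %ld (fixed)\n", tiny_ecd_offset(0), tiny_ecd_offset(1));
    printf("short: buggy oob reads=%d, fixed oob reads=%d\n", short_oob_reads(0), short_oob_reads(1));
    return 0;
}
```

On the signature-free 4340-byte input the buggy scanner performs exactly one out-of-range read, at offset -1, while the fixed one performs none and both agree on the valid archive. The same off-by-one check (bound first, then read) is the property to verify in any fix for this ticket, together with a minimum-size check so that inputs shorter than one ECD record never start the scan at a negative offset.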