Your message dated Sat, 18 Nov 2017 21:43:49 -0800
with message-id <[email protected]>
has caused the report #882094,
regarding unar: heap-based buffer overflow in LHAready_made()
to be marked as having been forwarded to the upstream software
author(s) [email protected]
--
882094: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882094
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Hi,
Jakub Wilk reported to the Debian bug tracking system that unar
crashes when it's run on the attached file. The full text of the
report can be found below.
I will attempt to reproduce this problem using The Unarchiver on
Monday.
----- Forwarded message from Jakub Wilk <[email protected]> -----
Date: Sat, 18 Nov 2017 23:05:21 +0100
From: Jakub Wilk <[email protected]>
To: [email protected]
Subject: Bug#882094: unar: heap-based buffer overflow in LHAready_made()
User-Agent: NeoMutt/20170609 (1.8.3)
Package: unar
Version: 1.10.1-2+b1
lsar crashes on the attached file:
  $ lsar overflow.lha
  overflow.lha: *** Error in `lsar': double free or corruption (out): 0x57103310 ***
  ...
  Aborted
Valgrind says it's a buffer overflow:
  Invalid write of size 1
    at 0x18DC00: LHAready_made (XADLZHOldHandles.m:577)
    by 0x18DC00: LHAdecode_c_st0 (XADLZHOldHandles.m:674)
    by 0x18CABC: LhA_Decrunch (XADLZHOldHandles.m:1075)
    by 0x18CC8C: _i_XADLZH3Handle__unpackData (XADLZHOldHandles.m:1128)
    by 0x189F9C: _i_XADLibXADIOHandle__runUnpacker (XADLibXADIOHandle.m:114)
    by 0x18997D: _i_XADLibXADIOHandle__seekToFileOffset_ (XADLibXADIOHandle.m:51)
    by 0x1799F0: _i_XADCRCHandle__resetStream (XADCRCHandle.m:70)
    by 0x1550CF: _i_XADStreamHandle__readAtMost_toBuffer_ (CSStreamHandle.m:138)
    by 0x150A1A: _i_XADHandle__copyDataOfLengthAtMost_ (CSHandle.m:291)
    by 0x14FAF4: _i_XADHandle__readDataOfLengthAtMost_ (CSHandle.m:276)
    by 0x195774: _i_XADMacArchiveParser__parseMacBinaryWithDictionary_name_retainPosition_ (XADMacArchiveParser.m:344)
    by 0x1952EE: _i_XADMacArchiveParser__addEntryWithDictionary_retainPosition_ (XADMacArchiveParser.m:133)
    by 0x16431E: _i_XADArchiveParser__addEntryWithDictionary_ (XADArchiveParser.m:899)
  Address 0x80aec5c is 0 bytes after a block of size 25,228 alloc'd
    at 0x4830256: calloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
    by 0x18C9E7: xadAllocVec (XADLibXADIOHandle.h:200)
    by 0x18C9E7: LhA_Decrunch (XADLZHOldHandles.m:1025)
    by 0x18CC8C: _i_XADLZH3Handle__unpackData (XADLZHOldHandles.m:1128)
    by 0x189F9C: _i_XADLibXADIOHandle__runUnpacker (XADLibXADIOHandle.m:114)
    by 0x18997D: _i_XADLibXADIOHandle__seekToFileOffset_ (XADLibXADIOHandle.m:51)
    by 0x1799F0: _i_XADCRCHandle__resetStream (XADCRCHandle.m:70)
    by 0x1550CF: _i_XADStreamHandle__readAtMost_toBuffer_ (CSStreamHandle.m:138)
    by 0x150A1A: _i_XADHandle__copyDataOfLengthAtMost_ (CSHandle.m:291)
    by 0x14FAF4: _i_XADHandle__readDataOfLengthAtMost_ (CSHandle.m:276)
    by 0x195774: _i_XADMacArchiveParser__parseMacBinaryWithDictionary_name_retainPosition_ (XADMacArchiveParser.m:344)
    by 0x1952EE: _i_XADMacArchiveParser__addEntryWithDictionary_retainPosition_ (XADMacArchiveParser.m:133)
    by 0x16431E: _i_XADArchiveParser__addEntryWithDictionary_ (XADArchiveParser.m:899)
-- System Information:
Architecture: i386
Versions of packages unar depends on:
ii dpkg 1.19.0.4
ii gnustep-base-runtime 1.25.0-2
ii libbz2-1.0 1.0.6-8.1
ii libc6 2.25-1
ii libgcc1 1:7.2.0-16
ii libgnustep-base1.25 1.25.0-2
ii libicu57 57.1-8
ii libobjc4 7.2.0-16
ii libstdc++6 7.2.0-16
ii libwavpack1 5.1.0-2
ii zlib1g 1:1.2.8.dfsg-5
--
Jakub Wilk
----- End forwarded message -----
--
Matt
overflow.lha
Description: application/lha
--- End Message ---