
#182 segfault / null pointer access on malformed input file

Milestone: v1.0 (example)
Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2016-07-14
Created: 2016-06-24
Creator: Hanno Böck
Private: No

The attached file will cause a segfault when opened with p7zip / 7za (no matter if x, t or l); it looks like a null pointer access.
This was found with the tool american fuzzy lop, tested on version 15.14.1.

Here's a stack trace from ASan on a debug build, which should help analyze the issue:

==5538==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000004899ef sp 0x7ffee0a09c30 bp 0x7ffee0a09c40 T0)
    #0 0x4899ee in CRecordVector<void*>::Size() const ../../../../CPP/Common/MyVector.h:50
    #1 0x4b21d1 in CObjectVector<CBuffer<unsigned char> >::Size() const ../../../../CPP/Common/MyVector.h:417
    #2 0x4a8a05 in NArchive::N7z::CStreamSwitch::Set(NArchive::N7z::CInArchive*, CObjectVector<CBuffer<unsigned char> > const*) ../../../../CPP/7zip/Archive/7z/7zIn.cpp:97
    #3 0x4ab9ab in NArchive::N7z::CInArchive::ReadUnpackInfo(CObjectVector<CBuffer<unsigned char> > const*, NArchive::N7z::CFolders&) ../../../../CPP/7zip/Archive/7z/7zIn.cpp:629
    #4 0x4ad946 in NArchive::N7z::CInArchive::ReadStreamsInfo(CObjectVector<CBuffer<unsigned char> > const*, unsigned long long&, NArchive::N7z::CFolders&, CRecordVector<unsigned long long>&, NArchive::N7z::CUInt32DefVector&) ../../../../CPP/7zip/Archive/7z/7zIn.cpp:952
    #5 0x4ae115 in NArchive::N7z::CInArchive::ReadAndDecodePackedStreams(unsigned long long, unsigned long long&, CObjectVector<CBuffer<unsigned char> >&, ICryptoGetTextPassword*, bool&, bool&, UString&) ../../../../CPP/7zip/Archive/7z/7zIn.cpp:1055
    #6 0x4b1275 in NArchive::N7z::CInArchive::ReadDatabase2(NArchive::N7z::CDbEx&, ICryptoGetTextPassword*, bool&, bool&, UString&) ../../../../CPP/7zip/Archive/7z/7zIn.cpp:1579
    #7 0x4b1684 in NArchive::N7z::CInArchive::ReadDatabase(NArchive::N7z::CDbEx&, ICryptoGetTextPassword*, bool&, bool&, UString&) ../../../../CPP/7zip/Archive/7z/7zIn.cpp:1613
    #8 0x49e07f in NArchive::N7z::CHandler::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*) ../../../../CPP/7zip/Archive/7z/7zHandler.cpp:676
    #9 0x607aa1 in CArc::OpenStream2(COpenOptions const&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:1843
    #10 0x60d3bb in CArc::OpenStream(COpenOptions const&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2867
    #11 0x60dd12 in CArc::OpenStreamOrFile(COpenOptions&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2959
    #12 0x60e814 in CArchiveLink::Open(COpenOptions&) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3135
    #13 0x60f933 in CArchiveLink::Open2(COpenOptions&, IOpenCallbackUI*) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3258
    #14 0x6103c2 in CArchiveLink::Open3(COpenOptions&, IOpenCallbackUI*) ../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3322
    #15 0x5f4cf4 in Extract(CCodecs*, CObjectVector<COpenType> const&, CRecordVector<int> const&, CObjectVector<UString>&, CObjectVector<UString>&, NWildcard::CCensorNode const&, CExtractOptions const&, IOpenCallbackUI*, IExtractCallbackUI*, IHashCalc*, UString&, CDecompressStat&) ../../../../CPP/7zip/UI/Common/Extract.cpp:362
    #16 0x643d98 in Main2(int, char**) ../../../../CPP/7zip/UI/Console/Main.cpp:930
    #17 0x648ba0 in main ../../../../CPP/7zip/UI/Console/MainAr.cpp:70
    #18 0x7fbad965a78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #19 0x4036e8 in _start (/mnt/ram/7z/7za-debug+0x4036e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../CPP/Common/MyVector.h:50 CRecordVector<void*>::Size() const
==5538==ABORTING
1 attachment
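The fault address in the ASan report is worth a second look. CRecordVector::Size() (MyVector.h:50 in the trace) returns the element count, and in the upstream header that count sits right after the items pointer, so a read at address 0x8 on a 64-bit build is NULL plus the offset of the count field: the vector pointer handed to CStreamSwitch::Set was NULL, not a freed or wild pointer. The C++ below is an added example, not 7-Zip or p7zip code. It models that layout, shows the triage check, and puts the trusting call beside a form that rejects a NULL vector. The cut-down class, the function names SetUnchecked/SetChecked and the SetResult enum are assumptions for illustration; the ticket does not say how upstream fixed the bug.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Added example; not 7-Zip or p7zip code. CRecordVector below is a cut-down
// model of the class in CPP/Common/MyVector.h: the upstream header keeps the
// items pointer first and the element count second (layout assumed from the
// 7-Zip 15.x source), which is all this example depends on.
template <class T>
class CRecordVector {
  T *_items;
  unsigned _size;
  unsigned _capacity;
public:
  CRecordVector() : _items(nullptr), _size(0), _capacity(0) {}
  ~CRecordVector() { delete[] _items; }
  CRecordVector(const CRecordVector &) = delete;
  CRecordVector &operator=(const CRecordVector &) = delete;

  // Size() is a single load from (this + offset of _size). With this == NULL
  // on x86-64 that load touches address 0x8: the "SEGV on unknown address
  // 0x000000000008" ASan printed for MyVector.h:50.
  unsigned Size() const { return _size; }

  void Add(const T &v) {
    if (_size == _capacity) {
      unsigned cap = _capacity ? _capacity * 2 : 4;
      T *items = new T[cap];
      for (unsigned i = 0; i < _size; i++) items[i] = _items[i];
      delete[] _items;
      _items = items;
      _capacity = cap;
    }
    _items[_size++] = v;
  }

  // Offset of the count field on this build (8 on x86-64, 4 on 32-bit).
  static size_t SizeOffset() { return offsetof(CRecordVector, _size); }
};

// Triage rule of thumb for a SEGV inside a member function: a fault address
// that equals the offset of the field the function reads means `this` was
// NULL. A dangling or wild pointer would fault at some unrelated address.
bool LooksLikeNullThis(uintptr_t faultAddr, size_t fieldOffset) {
  return faultAddr == fieldOffset;
}

enum class SetResult { Ok, Empty, NullVector };

// Shape of the call the trace shows at 7zIn.cpp:97: CStreamSwitch::Set gets a
// pointer to a vector and asks for its Size(). Trusting that pointer means an
// archive whose header leaves it unset crashes the process.
SetResult SetUnchecked(const CRecordVector<void *> *dataVector, unsigned &count) {
  count = dataVector->Size();        // dataVector == NULL -> read at 0x8 -> SEGV
  return count ? SetResult::Ok : SetResult::Empty;
}

// Hardened form: a missing vector is treated as a malformed archive and
// reported instead of dereferenced. (Assumed fix pattern for illustration;
// the ticket does not state how upstream resolved it.)
SetResult SetChecked(const CRecordVector<void *> *dataVector, unsigned &count) {
  count = 0;
  if (dataVector == nullptr) return SetResult::NullVector;
  count = dataVector->Size();
  return count ? SetResult::Ok : SetResult::Empty;
}

int main() {
  printf("_size offset on this build: %zu\n", CRecordVector<void *>::SizeOffset());
  printf("fault address 0x8 looks like NULL this: %s\n",
         LooksLikeNullThis(0x8, CRecordVector<void *>::SizeOffset()) ? "yes" : "no");

  CRecordVector<void *> v;           // constructed sample input
  int x;
  v.Add(&x);
  unsigned n = 0;
  SetUnchecked(&v, n);               // fine with a real vector
  printf("unchecked, valid vector: %u element(s)\n", n);

  // SetUnchecked(nullptr, n) would reproduce the crash; the checked version
  // turns the same input into an error return.
  SetResult r = SetChecked(nullptr, n);
  printf("checked, NULL vector: %s\n", r == SetResult::NullVector ? "rejected" : "accepted");
  return 0;
}
```

Build with -fsanitize=address and call SetUnchecked(nullptr, n) to see the same "SEGV on unknown address 0x000000000008" report as the ticket; the checked variant is the shape of guard a parser of untrusted archive headers needs before every pointer it reads from the file.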

Discussion

  • Igor Pavlov - 2016-06-25

    It was fixed in 7-zip code already.
    Waiting for p7zip release.

  • my p7zip - 2016-07-14
    • status: open --> closed-fixed

  • my p7zip - 2016-07-14

    Please try p7zip 16.02
