[Bug 259011] unzip omits a check for NULL and can seg-fault
Date: Fri, 08 Oct 2021 19:52:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259011

Bug ID: 259011
Summary: unzip omits a check for NULL and can seg-fault
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu

Created attachment 228524
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228524&action=edit
A zip file that causes unzip to seg-fault.

extract() in /usr/src/usr.bin/unzip/unzip.c says

    pathname = pathdup(archive_entry_pathname(e));

but archive_entry_pathname(e) can return NULL for some names, causing
pathdup() to seg-fault.

I've attached a demo zip file.

    % unzip -n - < unzip1.zip
    Archive:  (null)
    Segmentation fault (core dumped)

The backtrace:

    #0  0x00000008004ec25f in strlen () from /lib/libc.so.7
    #1  0x0000000000205175 in pathdup (path=0x0) at /usr/src/usr.bin/unzip/unzip.c:209
    #2  0x0000000000204c0c in extract (a=0x801018000, e=0x801012500) at /usr/src/usr.bin/unzip/unzip.c:695
    #3  0x0000000000204314 in unzip (fn=0x0) at /usr/src/usr.bin/unzip/unzip.c:903
    #4  0x000000000020395a in main (argc=3, argv=0x7fffffffe868) at /usr/src/usr.bin/unzip/unzip.c:1069

-- 
You are receiving this mail because:
You are the assignee for the bug.
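The missing check described in the report, sketched as an added example (not code from the report or from FreeBSD's unzip.c). `struct entry`, `entry_pathname()`, `pathdup_checked()` and `process_entries()` are hypothetical stand-ins for the libarchive entry and the extract loop, and the sample entries are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an archive entry whose name may be missing. */
struct entry { const char *pathname; };

/* Constructed sample: the second entry has no pathname, as in the report. */
static const struct entry SAMPLE[] = { { "a.txt" }, { NULL }, { "dir/b.txt" } };

/* Models archive_entry_pathname(): may return NULL. */
static const char *entry_pathname(const struct entry *e) { return e->pathname; }

/* Duplicate a path; refuses NULL instead of passing it to strlen(). */
static char *pathdup_checked(const char *path)
{
    size_t len;
    char *copy;

    if (path == NULL)
        return NULL;
    len = strlen(path);
    if ((copy = malloc(len + 1)) == NULL)
        return NULL;
    memcpy(copy, path, len + 1);
    return copy;
}

/* Extract-style loop: skip unnamed entries. Returns entries skipped, or -1
 * on allocation failure; *extracted receives the number processed. */
static int process_entries(const struct entry *es, size_t n, int *extracted)
{
    int skipped = 0;

    *extracted = 0;
    for (size_t i = 0; i < n; i++) {
        const char *p = entry_pathname(&es[i]);
        char *name;

        if (p == NULL) {            /* the check the report says is missing */
            fprintf(stderr, "skipping entry %zu: no pathname\n", i);
            skipped++;
            continue;
        }
        if ((name = pathdup_checked(p)) == NULL)
            return -1;
        (*extracted)++;
        free(name);
    }
    return skipped;
}

int main(void)
{
    int done, skipped = process_entries(SAMPLE, 3, &done);
    printf("extracted=%d skipped=%d\n", done, skipped);
    return 0;
}
```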