[Bug 259011] unzip omits a check for NULL and can seg-fault

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 08 Oct 2021 19:52:36 UTC

            Bug ID: 259011
           Summary: unzip omits a check for NULL and can seg-fault
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 228524
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228524&action=edit
A zip file that causes unzip to seg-fault.

extract() in /usr/src/usr.bin/unzip/unzip.c says

       pathname = pathdup(archive_entry_pathname(e));

but archive_entry_pathname(e) can return NULL for some
names, causing pathdup() to seg-fault.

I've attached a demo zip file.

% unzip -n - < unzip1.zip
Archive:  (null)
Segmentation fault (core dumped)

The backtrace:

#0  0x00000008004ec25f in strlen () from /lib/libc.so.7
#1  0x0000000000205175 in pathdup (path=0x0)
    at /usr/src/usr.bin/unzip/unzip.c:209
#2  0x0000000000204c0c in extract (a=0x801018000, e=0x801012500)
    at /usr/src/usr.bin/unzip/unzip.c:695
#3  0x0000000000204314 in unzip (fn=0x0) at /usr/src/usr.bin/unzip/unzip.c:903
#4  0x000000000020395a in main (argc=3, argv=0x7fffffffe868)
    at /usr/src/usr.bin/unzip/unzip.c:1069
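As an added illustration, not the reporter's or FreeBSD's code, here is a hardened pathdup() together with an extract()-style caller that skips an entry whose pathname is NULL instead of handing it to strlen(). The `fake_entry` struct stands in for a libarchive entry (its `pathname` field plays the role of archive_entry_pathname()), and the trailing-slash stripping is an assumed approximation of what unzip's pathdup() does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an archive entry: a name that libarchive
 * could not decode is represented as a NULL pathname, as in the report. */
struct fake_entry {
	const char *pathname;
};

/* Hardened pathdup(): a NULL or empty (all-slash) path yields NULL
 * rather than a crash in strlen(). Caller frees the result. */
static char *
pathdup(const char *path)
{
	char *str;
	size_t n;

	if (path == NULL)          /* the missing check from the report */
		return NULL;
	n = strlen(path);
	while (n > 0 && path[n - 1] == '/')   /* assumed: drop trailing '/' */
		n--;
	if (n == 0)
		return NULL;
	if ((str = malloc(n + 1)) == NULL)
		return NULL;
	memcpy(str, path, n);
	str[n] = '\0';
	return str;
}

/* extract()-style caller: refuse to act on an entry with no usable name.
 * Returns 0 when the entry would be extracted (name copied to out),
 * -1 when the entry is skipped. */
static int
extract(const struct fake_entry *e, char *out, size_t outlen)
{
	char *pathname = pathdup(e->pathname);

	if (pathname == NULL) {
		fprintf(stderr, "skipping entry with NULL or empty pathname\n");
		return -1;
	}
	snprintf(out, outlen, "%s", pathname);
	free(pathname);
	return 0;
}
```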
