[Bug 259011] unzip omits a check for NULL and can seg-fault
Date: Fri, 08 Oct 2021 19:52:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259011
Bug ID: 259011
Summary: unzip omits a check for NULL and can seg-fault
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Created attachment 228524
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=228524&action=edit
A zip file that causes unzip to seg-fault.
extract() in /usr/src/usr.bin/unzip/unzip.c says
pathname = pathdup(archive_entry_pathname(e));
but archive_entry_pathname(e) can return NULL for some
names, causing pathdup() to seg-fault.
I've attached a demo zip file.
% unzip -n - < unzip1.zip
Archive: (null)
Segmentation fault (core dumped)
The backtrace:
#0 0x00000008004ec25f in strlen () from /lib/libc.so.7
#1 0x0000000000205175 in pathdup (path=0x0)
at /usr/src/usr.bin/unzip/unzip.c:209
#2 0x0000000000204c0c in extract (a=0x801018000, e=0x801012500)
at /usr/src/usr.bin/unzip/unzip.c:695
#3 0x0000000000204314 in unzip (fn=0x0) at /usr/src/usr.bin/unzip/unzip.c:903
#4 0x000000000020395a in main (argc=3, argv=0x7fffffffe868)
at /usr/src/usr.bin/unzip/unzip.c:1069
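An added example, not the code in unzip.c nor the fix committed for this bug: a pathdup-style helper that refuses a NULL pathname before it reaches strlen(), plus a stand-in for the extract() step that skips such an entry with a diagnostic instead of crashing. The function names, the trailing-slash trimming and the sample inputs are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy a pathname minus trailing slashes (the trimming is an assumption for
 * this example); NULL is refused up front instead of passed to strlen(). */
static char *
safe_pathdup(const char *path)
{
	char *str;
	size_t len;

	if (path == NULL)
		return (NULL);
	len = strlen(path);
	while (len > 0 && path[len - 1] == '/')
		len--;
	if ((str = malloc(len + 1)) == NULL)
		return (NULL);
	memcpy(str, path, len);
	str[len] = '\0';
	return (str);
}

/* Stand-in for the extract() step: an entry whose name comes back NULL (as
 * with the attached zip) is skipped with a diagnostic rather than extracted.
 * Returns 1 when extraction may proceed, 0 when the entry must be skipped. */
static int
entry_has_usable_name(const char *entry_pathname, char **out)
{
	*out = safe_pathdup(entry_pathname);
	if (*out == NULL) {
		fprintf(stderr, "skipping entry with missing pathname\n");
		return (0);
	}
	return (1);
}

int
main(void)
{
	char *p;	/* constructed inputs: a normal name, then the NULL case */

	if (entry_has_usable_name("dir/sub/", &p)) {
		printf("%s\n", p);
		free(p);
	}
	return (entry_has_usable_name(NULL, &p) ? 1 : 0);
}
```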