Unziping a specially crafted zip file results in a computation of an invalid pointer and an invalid read. Find a attached a test case to reproduce it. A complete backtrace in busybox 1.21 (debug) is available here: $ gdb --args ./busybox_unstripped unzip x.-6170921383890712452 ... (gdb) run Starting program: /home/g/Code/busybox-1.21.0/busybox_unstripped unzip x.-6170921383890712452 [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Archive: x.-6170921383890712452 inflating: ]3j½r«IK-%Ix Program received signal SIGSEGV, Segmentation fault. huft_build (b=b@entry=0x7fffffffd320, n=n@entry=264, s=s@entry=257, d=d@entry=0x5fa900 <cplens>, e=e@entry=0x5fa8c0 <cplext> "", t=0x60620000eb08, t@entry=0x602c0000fe60, m=0x7fffffffd260) at archival/libarchive/decompress_gunzip.c:441 441 r.e = (unsigned char) e[*p - s]; /* non-simple--look up in lists */ (gdb) bt #0 huft_build (b=b@entry=0x7fffffffd320, n=n@entry=264, s=s@entry=257, d=d@entry=0x5fa900 <cplens>, e=e@entry=0x5fa8c0 <cplext> "", t=0x60620000eb08, t@entry=0x602c0000fe60, m=0x7fffffffd260) at archival/libarchive/decompress_gunzip.c:441 #1 0x0000000000520b52 in inflate_block (state=state@entry=0x602c0000fe00, e=e@entry=0x602c0000fe83 "") at archival/libarchive/decompress_gunzip.c:905 #2 0x00000000005222d1 in inflate_get_next_window (state=0x602c0000fe00) at archival/libarchive/decompress_gunzip.c:947 #3 inflate_unzip_internal (state=state@entry=0x602c0000fe00, in=in@entry=3, out=out@entry=4) at archival/libarchive/decompress_gunzip.c:1004 #4 0x0000000000522a6a in inflate_unzip (aux=aux@entry=0x7fffffffdc30, in=in@entry=3, out=out@entry=4) at archival/libarchive/decompress_gunzip.c:1048 #5 0x000000000051b255 in unzip_extract (dst_fd=4, zip_header=0x7fffffffdd50) at archival/unzip.c:255 #6 unzip_main (argc=<optimized out>, argv=<optimized out>) at archival/unzip.c:654 #7 0x00000000004088bd in run_applet_no_and_exit (applet_no=applet_no@entry=328, argv=argv@entry=0x7fffffffe170) at libbb/appletlib.c:759 #8 0x0000000000408935 in run_applet_and_exit (name=0x7fffffffe4c8 "unzip", argv=argv@entry=0x7fffffffe170) at libbb/appletlib.c:766 #9 0x0000000000408e7c in busybox_main (argv=0x7fffffffe170) at libbb/appletlib.c:728 #10 run_applet_and_exit (name=<optimized out>, argv=argv@entry=0x7fffffffe168) at libbb/appletlib.c:768 #11 0x0000000000408f65 in main (argc=<optimized out>, argv=0x7fffffffe168) at libbb/appletlib.c:823 (gdb) x/i $rip => 0x51fb17 <huft_build+2852>: mov (%rdi),%dl (gdb) info registers rax 0x0 0 rbx 0x57 87 rcx 0x814a18 8473112 rdx 0x140900 1313024 rsi 0x5fa900 6269184 rdi 0xa04dcc 10505676 rbp 0x10007fff7940 0x10007fff7940 rsp 0x7fffffffc930 0x7fffffffc930 r8 0x7fffffffcb64 140737488341860 r9 0x7fffffffcbe8 140737488341992 r10 0x60620000eb10 105974023121680 r11 0x7fffffffcadc 140737488341724 r12 0x7fffffffd260 140737488343648 r13 0x8 8 r14 0x10007fff7944 17594333493572 r15 0x0 0 rip 0x51fb17 0x51fb17 <huft_build+2852> eflags 0x10216 [ PF AF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 This issue was discovered with QuickFuzz Thanks!
Created attachment 6186 [details] test case
Fixed in git, thanks!