GNU bug report logs - #78639
Uninitialised read in check_zipfile() (gzip 1.14)


Package: gzip

Reported by: Zephyr official <zephyrofficialdiscord <at> gmail.com>

Date: Fri, 30 May 2025 03:59:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Message #13 received at 78639 <at> debbugs.gnu.org (full text, mbox):

From: Zephyr official <zephyrofficialdiscord <at> gmail.com>
To: 78639 <at> debbugs.gnu.org
Subject: Re: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)
Date: Fri, 30 May 2025 14:16:03 +0100
Hi Paul,

Thanks for the patch and for looking into this.

I've been digging a bit further into the interaction. Your patch `c5e7899`
tightens the bounds for `SH(h + LOCFIL)` and `SH(h + LOCEXT)` within
`check_zipfile()`, but there appears to be an uninitialized read of
inbuf[3] during the initial PKZIP magic number check in
`gzip.c:get_method()` also.

This occurs when `DYN_ALLOC` is active (making `inbuf` uninitialized heap)
and `insize` is precisely 3 due to a short input like `PK\x03`. The
`memcmp((char*)inbuf, PKZIP_MAGIC, 4)` in `get_method()` will access `inbuf[3]`
before `check_zipfile()` is even invoked for that path.

This can be demonstrated with:

printf "\x50\x4B\x03" > trigger.dat
# Assuming gzip compiled with DYN_ALLOC and your patch c5e7899
valgrind --track-origins=yes ./gzip -tv trigger.dat

Best regards,
Mohamed Maatallah

On Fri, May 30, 2025 at 7:10 AM Paul Eggert <eggert <at> cs.ucla.edu> wrote:

> Thanks for the bug report and proposed fix. I installed the attached,
> which should fix the gzip bug in a different way.
>
> I think the bug is innocuous in practice, but it's good to fix it anyway
> as these things tend to mushroom.
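A length-checked version of the magic comparison described in the report, written here as an added example (not gzip's own code; the function and enum names are assumed, and PKZIP_MAGIC is taken to be the four-byte local-file-header signature PK\003\004): the comparison is skipped unless at least four bytes were actually read, so a 3-byte input never reaches inbuf[3].

```c
#include <stddef.h>
#include <string.h>

/* Assumed to match the signature gzip compares against in get_method(). */
#define PKZIP_MAGIC "\120\113\003\004"   /* "PK\003\004" */

enum magic_result {
    MAGIC_NO_MATCH  =  0,   /* enough bytes, but not a PKZIP signature */
    MAGIC_MATCH     =  1,   /* the first four bytes are PK\003\004 */
    MAGIC_TOO_SHORT = -1    /* fewer than 4 bytes read: do not compare */
};

/* Compare against the magic only over bytes that were actually read.
 * 'insize' is the number of valid bytes in 'inbuf', as in gzip. */
enum magic_result pkzip_magic_check(const unsigned char *inbuf, size_t insize)
{
    if (insize < 4)
        return MAGIC_TOO_SHORT;   /* never touch inbuf[3] on a short read */
    return memcmp(inbuf, PKZIP_MAGIC, 4) == 0 ? MAGIC_MATCH : MAGIC_NO_MATCH;
}

/* Mirrors the reporter's trigger: a 3-byte file containing "PK\003".
 * Constructed sample input; the buffer stands in for a heap inbuf and
 * only the first 'insize' bytes are meaningful. */
enum magic_result check_trigger_file(void)
{
    unsigned char inbuf[64];
    const unsigned char trigger[3] = { 0x50, 0x4B, 0x03 };
    size_t insize = sizeof trigger;
    memcpy(inbuf, trigger, insize);
    return pkzip_magic_check(inbuf, insize);   /* MAGIC_TOO_SHORT */
}

int main(void)
{
    return check_trigger_file() == MAGIC_TOO_SHORT ? 0 : 1;
}
```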




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.