GNU bug report logs - #78639
Uninitialised read in check_zipfile() (gzip 1.14)


Package: gzip

Reported by: Zephyr official <zephyrofficialdiscord <at> gmail.com>

Date: Fri, 30 May 2025 03:59:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


From: Zephyr official <zephyrofficialdiscord <at> gmail.com>
To: 78639 <at> debbugs.gnu.org
Subject: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)
Date: Fri, 30 May 2025 01:25:14 +0100
Hi gzip maintainers,

An out-of-bounds / uninitialised read occurs in unzip.c:check_zipfile()
when the PKZIP local header is shorter than 30 bytes (CWE-457, CWE-125).

Reproduction (on 1.14, Linux x86-64, gcc 13.3):

    printf '%s' \
      504B0304 1400 0000 0000 0000 0000 00000000 \
      01000000 01000000           | xxd -r -p > poc.zip

    valgrind --track-origins=yes ./gzip -tv poc.zip
    # conditional jump depends on uninitialised value(s) in check_zipfile()

Minimal fix:

--- a/unzip.c
+++ b/unzip.c
@@
     uch *h = inbuf + inptr;
+    if (insize - inptr < LOCHDR)          /* need full header */
+        goto bad_zip;
     inptr += LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT);
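Review bot: the `bad_zip` label that the new `goto` jumps to is not visible in this hunk, and the `@@` header carries no `-start,count +start,count` ranges, so `patch` cannot apply this as posted; regenerate it with `diff -u` or `git diff` so the ranges and the label (or whichever existing error path it is meant to reuse) appear in the context. Also, if `insize` and `inptr` are unsigned, `insize - inptr < LOCHDR` wraps when `inptr > insize`; writing the test as `inptr > insize || insize - inptr < LOCHDR` makes the intent explicit instead of relying on that invariant.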

Best regards,
Mohamed Maatallah
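The defect described above is a length check missing before the filename-length and extra-field-length words are read from a PKZIP local header. The following is an added example, not gzip's own code, of a bounds-checked local-header parser: it refuses to read those two words unless the whole 30-byte fixed header is present, and it also rejects name/extra lengths that would run past the end of the input. The `LOCSIG`/`LOCHDR`/`LOCFIL`/`LOCEXT` values are the standard PKZIP offsets; the function name `locate_zip_data` and the sample buffers are constructed for this example (the first buffer is the 26-byte sequence from the report's reproduction).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LOCSIG 0x04034b50UL   /* local header signature "PK\3\4", little-endian */
#define LOCHDR 30             /* size of the fixed part of the local header */
#define LOCFIL 26             /* offset of the 16-bit filename length */
#define LOCEXT 28             /* offset of the 16-bit extra-field length */

/* Little-endian field readers; the caller guarantees the bytes exist. */
static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the offset of the compressed data (fixed header + name + extra),
 * or -1 if `buf` does not hold a complete, well-formed local header. */
long locate_zip_data(const unsigned char *buf, size_t len)
{
    /* Check the fixed header is fully present BEFORE touching LOCFIL/LOCEXT.
     * This is the check whose absence causes the uninitialised read. */
    if (len < LOCHDR)
        return -1;
    if (rd32(buf) != LOCSIG)
        return -1;

    size_t skip = (size_t)LOCHDR + rd16(buf + LOCFIL) + rd16(buf + LOCEXT);

    /* The variable-length name/extra fields must also fit in the input. */
    if (skip > len)
        return -1;
    return (long)skip;
}

/* Constructed sample 1: the report's 26-byte header, missing the last
 * four bytes (filename length and extra-field length). */
const unsigned char poc_truncated[] = {
    0x50, 0x4B, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00
};

/* Constructed sample 2: a complete header with a 1-byte name "a", no
 * extra field, followed by one byte of payload. Data starts at offset 31. */
const unsigned char poc_ok[] = {
    0x50, 0x4B, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 'a', 'x'
};

/* Constructed sample 3: complete fixed header, but it claims a 100-byte
 * filename that is not actually there. */
const unsigned char poc_overlong_name[] = {
    0x50, 0x4B, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 'a', 'x'
};

int main(void)
{
    printf("truncated header : %ld\n", locate_zip_data(poc_truncated, sizeof poc_truncated));
    printf("valid header     : %ld\n", locate_zip_data(poc_ok, sizeof poc_ok));
    printf("overlong name    : %ld\n", locate_zip_data(poc_overlong_name, sizeof poc_overlong_name));
    return 0;
}
```

Note that the 26-byte case fails on the first test alone; the signature and length words are never read, which is exactly what the report's proposed `insize - inptr < LOCHDR` guard achieves inside gzip.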

This bug report was last modified 43 days ago.
