sile/libflate

Out of bounds read when decoding a malformed zlib file

Shnatsel opened this issue · 6 comments

libflate performs reads from uninitialized memory when decoding a zlib file when given certain malformed inputs. The accessed address is out of bounds for any buffer allocated by the code.

This may pose a security vulnerability; I am still investigating the actual impact of this bug. Examples of similar vulnerabilities in C code and discussion of the potential impact can be found here.

This issue has been discovered using afl.rs and Address Sanitizer. I shall relay further details on the issue to the maintainer privately by email.

This does not seem to pose a security issue after all; at least, I couldn't get uninitialized memory contents to influence the output. It can crash though, so this is still an opportunity for denial of service.

sile commented

Thank you for your information.
I will confirm the details within a few weeks.

It has been three weeks since the report. Any updates?

sile commented

Sorry for the late reply.
I fixed the bug in commit e263e83.

Thank you!

Now that this issue is fixed, I'm attaching the full details below.

Steps to reproduce the issue:

git clone https://github.com/Shnatsel/libflate-repr
cd libflate-repr
export ASAN_OPTIONS=detect_odr_violation=0
RUSTFLAGS="-Z sanitizer=address" cargo +nightly build
target/debug/zlib < /path/to/malformed/input

The Cargo.toml in the inflate_repr repository points to my own fork of libflate, so this issue should remain reproducible in this setup even after the fix.

The inputs triggering the bug can be obtained from https://github.com/sile/libflate/tree/master/data/issues_16

sile commented

Thanks a lot!