This should fix it: --- a/inflate.c +++ b/inflate.c @@ -799,6 +799,11 @@ inflate_dynamic(void) NEEDBITS((unsigned)bl) j = (td = tl + ((unsigned)b & m))->b; DUMPBITS(j) + if (td->e == 99) /* invalid code */ + { + huft_free(tl); + return 2; + } j = td->v.n; if (j < 16) /* length of code in bits (0..15) */ ll[i++] = l = j; /* save last length in l */
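Review bot: no regression test accompanies the fix; the base64 sample from the report (H4sIADAwMDAwMGQAAAA=) is small enough to add to the test suite as an input that `gzip -dc` must reject with a format error, which would also catch this path regressing in later changes to the table builder. Two smaller points on the added block: `99` is a bare magic number (the `/* invalid code */` comment helps, but a named constant for the invalid-code marker would be clearer), and the check is placed after `DUMPBITS(j)` has already consumed `td->b` bits. That is harmless because the function returns immediately, and the placement before `j = td->v.n;` is what matters: the uninitialized `v.n` read reported at inflate.c:803 is no longer reachable for an invalid-code entry.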
However I don’t have a memory sanitizer, so please verify. Thanks.

Mark

> On Nov 25, 2018, at 7:45 AM, Hanno Böck <ha...@hboeck.de> wrote:
>
> Hi,
>
> I did some testing of gzip with afl-fuzzing and memory sanitizer and it
> ends up finding a use of uninitialized memory on some malformed inputs.
>
> Sample input (base64):
> H4sIADAwMDAwMGQAAAA=
>
> With msan this causes:
>
> ==21601==WARNING: MemorySanitizer: use-of-uninitialized-value
>     #0 0x4affab in inflate_dynamic /f/gzip/gzip-1.9/inflate.c:803:9
>     #1 0x4affab in inflate_block /f/gzip/gzip-1.9/inflate.c:925
>     #2 0x4affab in inflate /f/gzip/gzip-1.9/inflate.c:957
>     #3 0x4c805d in unzip /f/gzip/gzip-1.9/unzip.c:132:19
>     #4 0x4a1234 in treat_file /f/gzip/gzip-1.9/gzip.c:1002:13
>     #5 0x49d760 in main /f/gzip/gzip-1.9/gzip.c:670:13
>     #6 0x7f85c3d724ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
>     #7 0x41c4d9 in _start (/r/gz/gzip+0x41c4d9)
>
> You can reproduce by building gzip with clang+msan, e.g.
> ./configure CC=clang LD=clang CFLAGS="-fsanitize=undefined -U_FORTIFY_SOURCE"
> LDFLAGS="-fsanitize=undefined -U_FORTIFY_SOURCE"
>
> And then run the above sample with gzip -dc.
>
> (msan is incompatible with fortify source and some distros set it by
> default, so it's better to unset it.)
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
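To see what makes the reported sample malformed, here is an added triage script, written for this page and not part of gzip or of the report above. It decodes the base64 from the report, walks the gzip header (RFC 1952) and the first DEFLATE block header (RFC 1951), and lists the code-length code lengths that a dynamic block transmits before anything else. It also asks CPython's zlib, an independent inflater, whether it rejects the same stream. The names `BitReader`, `parse_gzip_header`, `parse_block_header`, `diagnose` and `zlib_rejects` are my own and do not correspond to anything in gzip.

```python
import base64
import zlib

# Constructed input: the base64 sample quoted in the bug report above.
SAMPLE_B64 = "H4sIADAwMDAwMGQAAAA="
SAMPLE = base64.b64decode(SAMPLE_B64)

# RFC 1951 3.2.7: order in which the 19 code-length code lengths are sent.
CL_ORDER = [16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15]


class BitReader:
    """LSB-first bit reader over a byte string, as DEFLATE requires."""

    def __init__(self, data, byte_pos=0):
        self.data = data
        self.bitpos = byte_pos * 8

    def bits(self, n):
        val = 0
        for i in range(n):
            byte = self.data[self.bitpos >> 3]      # IndexError if truncated
            val |= ((byte >> (self.bitpos & 7)) & 1) << i
            self.bitpos += 1
        return val


def parse_gzip_header(data):
    """Return the byte offset of the DEFLATE stream inside a gzip member."""
    if data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip member with CM=8 (deflate)")
    flg = data[3]
    if flg & 0xE0:
        raise ValueError("reserved FLG bits set")
    pos = 10                                  # ID1 ID2 CM FLG MTIME(4) XFL OS
    if flg & 0x04:                            # FEXTRA: 2-byte XLEN + data
        pos += 2 + (data[pos] | (data[pos + 1] << 8))
    for bit in (0x08, 0x10):                  # FNAME, FCOMMENT: NUL-terminated
        if flg & bit:
            pos = data.index(b"\x00", pos) + 1
    if flg & 0x02:                            # FHCRC: 2-byte header CRC
        pos += 2
    return pos


def parse_block_header(data, pos):
    """Parse the first DEFLATE block header at byte offset pos.  For a
    dynamic-Huffman block (BTYPE=2) also read HLIT/HDIST/HCLEN and the
    transmitted code-length code lengths (RFC 1951 3.2.7)."""
    br = BitReader(data, pos)
    info = {"bfinal": br.bits(1), "btype": br.bits(2)}
    if info["btype"] != 2:
        return info
    info["hlit"] = br.bits(5) + 257           # number of literal/length codes
    info["hdist"] = br.bits(5) + 1            # number of distance codes
    info["hclen"] = br.bits(4) + 4            # number of code-length codes sent
    lengths = [0] * 19
    for sym in CL_ORDER[:info["hclen"]]:
        lengths[sym] = br.bits(3)
    info["cl_lengths"] = lengths
    # With every length zero the code-length alphabet has no codes at all, so
    # the hlit+hdist lengths that must follow cannot be decoded: every lookup
    # in that table yields an invalid code.
    info["cl_code_empty"] = not any(lengths)
    return info


def diagnose(data=SAMPLE):
    """Header walk for one gzip member; raises on non-gzip or truncated input."""
    return parse_block_header(data, parse_gzip_header(data))


def zlib_rejects(data=SAMPLE):
    """Independent check: does CPython's zlib (its own inflater, not gzip's)
    refuse to produce output for this member?"""
    try:
        zlib.decompress(data, 16 + zlib.MAX_WBITS)   # 16+: require gzip framing
    except zlib.error:
        return True
    return False


if __name__ == "__main__":
    print("block header:", diagnose())
    print("zlib rejects stream:", zlib_rejects())
```

On the sample this reports BTYPE 2 (a dynamic block, hence inflate_dynamic at the top of the MSan trace), HLIT 269, HDIST 1, HCLEN 4, and all four transmitted code-length code lengths equal to zero: the code-length Huffman code has no codes at all, so whatever the decoder reads next for the 270 literal/length and distance code lengths is an invalid code, which is the condition the `td->e == 99` check in the patch rejects before `td->v.n` is used. Only 29 of the 32 deflate bits are consumed by the header and no gzip trailer is present, so zlib reports the stream as invalid or truncated rather than decoding anything.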