Package: unace
Version: 1.2b-11
Usertags: afl

unace crashes when trying to test integrity of the attached file:

$ unace t crash
UNACE v1.2    public version
Segmentation fault


gdb says it's an integer overflow, followed by buffer overflow:

(gdb) bt
#0  __memcpy_sse2_unaligned () at 
../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:116
#1  0x0000000000401558 in read_header (print_err=0) at unace.c:171
#2  0x00000000004017b7 in read_arc_head () at unace.c:222
#3  0x0000000000401943 in open_archive (print_err=1) at unace.c:254
#4  0x000000000040258f in main (argc=3, argv=0x7fffffffe6d8) at unace.c:604
(gdb) up
#1  0x0000000000401558 in read_header (print_err=0) at unace.c:171
171              memcpy(mhead.AV, tp, rd-(USHORT)(tp-readbuf));
(gdb) print rd-(USHORT)(tp-readbuf)
$1 = -27


This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages unace depends on:
ii  libc6  2.19-13

--
Jakub Wilk

Attachment: crash.ACE
Description: Binary data

Reply via email to