Malformed input causes stack out of bounds read
A malformed input file can cause an out of bounds read in lha (current git code). Here's a sample file (unfortunately no attachments possible in this bugtracker): https://crashes.fuzzing-project.org/lha-oob-stack-read-get_extended_header.lha
To see this, one must compile lha with address sanitizer enabled (-fsanitize=address in CFLAGS). Test with ./lha l input_file
This was found with the help of american fuzzy lop.
The output from Address Sanitizer:
==27182==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffe0811d5bf at pc 0x0000004fddfc bp 0x7ffe0811d590 sp 0x7ffe0811d588
READ of size 1 at 0x7ffe0811d5bf thread T0
    #0 0x4fddfb in get_word /f/lha/lha/src/header.c:115:10
    #1 0x4fddfb in get_extended_header /f/lha/lha/src/header.c:705
    #2 0x4eb897 in get_header_level2 /f/lha/lha/src/header.c:1048:19
    #3 0x4eb897 in get_header /f/lha/lha/src/header.c:1182
    #4 0x51af30 in cmd_list /f/lha/lha/src/lhlist.c:337:12
    #5 0x50ebcb in main /f/lha/lha/src/lharc.c:686:9
    #6 0x7f2f775b27af in __libc_start_main (/lib64/libc.so.6+0x207af)
    #7 0x418aa8 in _start (/mnt/ram/lha/lha+0x418aa8)

Address 0x7ffe0811d5bf is located in stack of thread T0 at offset 31 in frame
    #0 0x4fa01f in get_extended_header /f/lha/lha/src/header.c:538

  This frame has 2 object(s):
    [32, 4128) 'data' <== Memory access at offset 31 underflows this variable
    [4256, 5280) 'dirname'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /f/lha/lha/src/header.c:115:10 in get_word
Shadow bytes around the buggy address:
  0x10004101ba60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004101ba70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004101ba80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004101ba90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004101baa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004101bab0: 00 00 00 00 f1 f1 f1[f1]00 00 00 00 00 00 00 00
  0x10004101bac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004101bad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004101bae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004101baf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004101bb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27182==ABORTING
Fixed at 2f6c23d
Thanks for your report.
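The ASan report above shows a one-byte read at offset 31 of the get_extended_header frame, i.e. immediately before the 4096-byte 'data' buffer that holds the extended headers, triggered by a size field under the file's control. The following is an added illustration written for this page, not lha's code and not the fix in 2f6c23d: it models the same class of parser (a chain of length-prefixed headers read out of a fixed stack buffer) with a bounded cursor that fails closed instead of trusting the size field. The header layout, the function names and the sample inputs are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not lha's code: a bounded reader for a chain of
 * length-prefixed extended headers held in a fixed buffer, the shape of
 * data the ASan report shows being read out of bounds. */

#define DATA_LEN 4096   /* fixed buffer size, matching the report's 'data' object */

struct cursor {
    const unsigned char *buf;
    size_t len;   /* bytes actually read from the file into buf */
    size_t pos;   /* next byte to consume; always <= len */
    int err;      /* set once any read would leave [buf, buf + len) */
};

/* Little-endian 16-bit read that fails closed: when fewer than two bytes
 * remain it sets err and returns 0 rather than dereferencing outside buf. */
static unsigned int get_word_checked(struct cursor *c)
{
    if (c->err || c->pos + 2 > c->len) {
        c->err = 1;
        return 0;
    }
    unsigned int w = c->buf[c->pos] | ((unsigned int)c->buf[c->pos + 1] << 8);
    c->pos += 2;
    return w;
}

/* Constructed layout for this example: each header is a 2-byte size followed
 * by exactly `size` bytes (a 1-byte type, then payload); size == 0 ends the
 * chain. Returns the number of headers parsed, or -1 if the input is
 * malformed. Every advance of the cursor is checked against the bytes that
 * are really present, so a hostile size field can neither move the cursor
 * past the end of the buffer nor, via wrapped arithmetic, before its start. */
static int parse_extended_headers(const unsigned char *data, size_t len)
{
    if (len > DATA_LEN)
        return -1;                          /* caller overfilled the fixed buffer */

    struct cursor c = { data, len, 0, 0 };
    int count = 0;
    for (;;) {
        unsigned int size = get_word_checked(&c);
        if (c.err)
            return -1;                      /* chain ends without a terminator */
        if (size == 0)
            return count;                   /* terminator */
        if (size > c.len - c.pos)
            return -1;                      /* header claims more bytes than remain */
        /* data[c.pos] is the type byte; a real parser would dispatch on it here */
        c.pos += size;
        count++;
    }
}

/* Constructed sample inputs. */
static const unsigned char sample_ok[] = {
    0x03, 0x00, 0x01, 'a', 'b',   /* type 1 with a 2-byte payload */
    0x01, 0x00, 0x02,             /* type 2, no payload */
    0x00, 0x00                    /* terminator */
};
static const unsigned char sample_oversized[] = { 0xff, 0x0f, 0x01 };           /* size 4095, 1 byte present */
static const unsigned char sample_truncated[] = { 0x03, 0x00, 0x01, 'a', 'b' };  /* valid header, no terminator */

int parse_sample_ok(void)        { return parse_extended_headers(sample_ok, sizeof sample_ok); }
int parse_sample_oversized(void) { return parse_extended_headers(sample_oversized, sizeof sample_oversized); }
int parse_sample_truncated(void) { return parse_extended_headers(sample_truncated, sizeof sample_truncated); }
int parse_sample_empty(void)     { return parse_extended_headers(sample_ok, 0); }

int main(void)
{
    printf("well-formed: %d headers\n", parse_sample_ok());
    printf("oversized size field: %d\n", parse_sample_oversized());
    printf("missing terminator: %d\n", parse_sample_truncated());
    printf("empty input: %d\n", parse_sample_empty());
    return 0;
}
```

The point of the cursor is that the parser never computes a pointer from a file-supplied length and then reads through it; it only ever compares the length against the bytes that were actually filled in. Built with -fsanitize=address, the three malformed samples produce a clean -1 rather than a report like the one above, which is the behaviour a fuzzing harness for this code should assert on.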