Package: unalz
Version: 0.65-4+b1
Usertags: afl

unalz crashes when trying to extract stuff from the attached file:
$ unalz crash.alz
unalz v0.65 (2009/04/01)
Copyright(C) 2004-2009 by kipp...@gmail.com (http://www.kipple.pe.kr)
file open error : crash.alz err code(23) (iconv-invalid multisequence of characters)
Segmentation fault

Valgrind says it's a buffer overflow:

==21980== Invalid write of size 1
==21980==    at 0x4C2DFE3: __GI_memcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21980==    by 0x5AF6512: _IO_file_xsgetn (fileops.c:1379)
==21980==    by 0x5AEC38E: fread (iofread.c:42)
==21980==    by 0x406254: UNALZ::CUnAlz::FRead(void*, unsigned int, int*) (UnAlz.cpp:1644)
==21980==    by 0x40418A: UNALZ::CUnAlz::ReadLocalFileheader() (UnAlz.cpp:440)
==21980==    by 0x403C9C: UNALZ::CUnAlz::Open(char const*) (UnAlz.cpp:312)
==21980==    by 0x4022A9: main (main.cpp:290)
==21980==  Address 0x5e2b590 is 0 bytes after a block of size 0 alloc'd
==21980==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21980==    by 0x404137: UNALZ::CUnAlz::ReadLocalFileheader() (UnAlz.cpp:434)
==21980==    by 0x403C9C: UNALZ::CUnAlz::Open(char const*) (UnAlz.cpp:312)
==21980==    by 0x4022A9: main (main.cpp:290)
==21980==
==21980== Invalid write of size 1
==21980==    at 0x4041B6: UNALZ::CUnAlz::ReadLocalFileheader() (UnAlz.cpp:443)
==21980==    by 0x403C9C: UNALZ::CUnAlz::Open(char const*) (UnAlz.cpp:312)
==21980==    by 0x4022A9: main (main.cpp:290)
==21980==  Address 0x5e2b58f is 1 bytes before a block of size 0 alloc'd
==21980==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21980==    by 0x404137: UNALZ::CUnAlz::ReadLocalFileheader() (UnAlz.cpp:434)
==21980==    by 0x403C9C: UNALZ::CUnAlz::Open(char const*) (UnAlz.cpp:312)
==21980==    by 0x4022A9: main (main.cpp:290)

This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl

Disclaimer: I don't have spare CPU cycles, so I fuzzed only till the first crash (which took about 5 minutes). It's likely that extensive fuzzing would uncover more interesting crashers.
I'd encourage unalz maintainers to perform fuzzing with AFL on their own. :-)
-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages unalz depends on:
ii  libbz2-1.0  1.0.6-7+b2
ii  libc6       2.19-13
ii  libgcc1     1:4.9.2-10
ii  libstdc++6  4.9.2-10
ii  zlib1g      1:1.2.8.dfsg-2+b1

-- 
Jakub Wilk
crash.alz
Description: Binary data
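The two Valgrind errors above have the classic shape of an unchecked length field: a zero-size malloc (UnAlz.cpp:434), an fread of more bytes than that into it (:440), then a one-byte write just before the block (:443), which is what `buf[len - 1]` does when `len` is 0. The following added example is not unalz code; it uses a hypothetical, simplified header layout (2-byte little-endian name length, then the name) to show how a header parser validates such a field before allocating and reading, rejecting zero, oversized and truncated lengths.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header layout chosen only to mirror the trace's shape
 * (malloc(len), fread(len), write at len-1): a 2-byte little-endian
 * name length followed by the name bytes.  Not unalz's real format. */
#define MAX_NAME_LEN 4096

typedef struct { const uint8_t *data; size_t len, pos; } Reader;

/* Stand-in for a FRead-style helper over an in-memory buffer; returns bytes copied. */
static size_t rd_read(Reader *r, void *dst, size_t n) {
    size_t avail = r->len - r->pos;
    if (n > avail) n = avail;
    memcpy(dst, r->data + r->pos, n);
    r->pos += n;
    return n;
}

/* Hardened parse: returns a malloc'd NUL-terminated name, or NULL on any
 * malformed input (truncated length field, zero or oversized length, short read). */
char *read_file_name(Reader *r) {
    uint8_t lenbuf[2];
    if (rd_read(r, lenbuf, sizeof lenbuf) != sizeof lenbuf) return NULL;
    size_t name_len = (size_t)lenbuf[0] | ((size_t)lenbuf[1] << 8);
    if (name_len == 0 || name_len > MAX_NAME_LEN) return NULL; /* len 0 would mean malloc(0) and buf[-1] */
    char *name = malloc(name_len + 1);                         /* +1: room for the terminator */
    if (name == NULL) return NULL;
    if (rd_read(r, name, name_len) != name_len) { free(name); return NULL; } /* short read */
    name[name_len] = '\0';                                     /* terminator goes after the data, never at len-1 */
    return name;
}

/* Parses one constructed header; returns 1 if the result matches `expect`
 * (expect == NULL means the input must be rejected). */
int parse_gives(const uint8_t *hdr, size_t hdr_len, const char *expect) {
    Reader r = { hdr, hdr_len, 0 };
    char *name = read_file_name(&r);
    int ok = (name == NULL) ? (expect == NULL) : (expect != NULL && strcmp(name, expect) == 0);
    free(name);
    return ok;
}

int main(void) {
    static const uint8_t good[]  = { 3, 0, 'a', 'b', 'c' }; /* constructed: len 3, "abc" */
    static const uint8_t zero[]  = { 0, 0 };                /* constructed: len 0, the crash shape */
    static const uint8_t trunc[] = { 10, 0, 'x' };          /* constructed: claims 10, carries 1 */
    printf("good=%d zero=%d trunc=%d\n", parse_gives(good, sizeof good, "abc"),
           parse_gives(zero, sizeof zero, NULL), parse_gives(trunc, sizeof trunc, NULL));
    return 0;
}
```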