Package: arj
Version: 3.10.22-13
Usertags: afl

arj crashes on the attached file:

$ arj t crash.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [28 Mar 2015]

Processing archive: crash.arj
Archive created: 2014-12-27 11:40:05, modified: 2014-12-27 11:40:05
Testing limerick                    Segmentation fault


GDB says it's an out-of-bounds read:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0804ab9c in decode (action=0) at decode.c:465
465           dec_text[r]=dec_text[i];
(gdb) print i
$1 = -32768
(gdb) print dec_text[i]
Cannot access memory at address 0x8733848
(gdb) bt
#0  0x0804ab9c in decode (action=0) at decode.c:465
#1  0x0805c4f3 in unpack_file (action=0) at arj_arcv.c:2444
#2  0x0805c937 in unpack_validation (cmd=84) at arj_arcv.c:2604
#3  0x080535b0 in process_archive (cmd=84, no_in_arch=0) at arj_user.c:831
#4  0x08056db0 in process_archive_proc (cmd=84) at arj_user.c:2047
#5  0x080571fe in perform_cmd (cmd=84) at arj_user.c:2660
#6  0x0805090f in main (argc=3, argv=0xffadd6b4) at arj.c:1275
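As an added illustration that is not part of this report or of arj's own source: a bounded LZ sliding-window copy in C, where the window size, the `lz_window` struct and the function names are assumptions, showing how a back-reference distance that would yield a negative index such as the i = -32768 above is rejected before the `dec_text[r] = dec_text[i]` copy is executed.

```c
#include <string.h>
#define WIN_SIZE 4096   /* assumed demo window size, not arj's real dictionary size */

typedef struct {
    unsigned char dec_text[WIN_SIZE]; /* stands in for arj's dec_text[] */
    int r;        /* write cursor, like r in decode() */
    int filled;   /* bytes produced so far, capped at WIN_SIZE */
} lz_window;
void lz_init(lz_window *w) { memset(w, 0, sizeof *w); }

void lz_put_literal(lz_window *w, unsigned char c)
{
    w->dec_text[w->r] = c;
    w->r = (w->r + 1) % WIN_SIZE;
    if (w->filled < WIN_SIZE) w->filled++;
}

/* Copy an LZ back-reference: len bytes starting dist+1 bytes behind the
   cursor. Returns len, or -1 if the reference would point outside the
   window or before any data produced so far (a negative i is never used). */
int lz_copy_match(lz_window *w, int dist, int len)
{
    if (dist < 0 || dist >= WIN_SIZE || len <= 0 || len > WIN_SIZE) return -1;
    if (dist + 1 > w->filled) return -1;        /* reaches into unwritten bytes */
    int i = w->r - dist - 1;
    if (i < 0) i += WIN_SIZE;                   /* ring wrap keeps i in [0, WIN_SIZE) */
    for (int k = 0; k < len; k++) {
        w->dec_text[w->r] = w->dec_text[i];     /* the statement from decode.c:465, bounded */
        w->r = (w->r + 1) % WIN_SIZE;
        i = (i + 1) % WIN_SIZE;
        if (w->filled < WIN_SIZE) w->filled++;
    }
    return len;
}

/* Constructed scenario: three literals, a valid overlapping match, then a
   distance that would have indexed far outside the window. Returns 0 on success. */
int self_check(void)
{
    lz_window w; lz_init(&w);
    lz_put_literal(&w, 'a'); lz_put_literal(&w, 'b'); lz_put_literal(&w, 'c');
    if (lz_copy_match(&w, 2, 3) != 3) return 1;             /* "abc" -> "abcabc" */
    if (memcmp(w.dec_text, "abcabc", 6) != 0) return 2;
    if (lz_copy_match(&w, 32767, 1) != -1) return 3;        /* rejected, never read */
    if (lz_copy_match(&w, 6, 1) != -1) return 4;            /* one byte before data */
    if (lz_copy_match(&w, 0, 2) != 2) return 5;             /* run-length copy "cc" */
    return memcmp(w.dec_text, "abcabccc", 8) == 0 ? 0 : 6;
}
```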


This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages arj depends on:
ii  libc6  2.19-18

--
Jakub Wilk

Attachment: crash.arj
Description: Binary data
