Package: arj
Version: 3.10.22-15

ARJ crashes on the attached file:
$ arj t oob.arj > /dev/null
Segmentation fault
Backtrace:
#0 0x565741e8 in crc32_for_block (block=0x565bb001 <error: Cannot access memory
at address 0x565bb001>, b_size=1448523275) at crc32.c:232
#1 0x5656350c in crc_for_block (block=0x565a28a0
"\020v/\025\020vpb\020x\016w\020xPD\020ynY\020z0&\020{N;\020|\031B\020}.\035\020~y$\020\177\016\177\020\001\003\002\003\004\005\004\b\006\a\003\002\005\004\005\004\002\003\002\003\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\003\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\003\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t"...,
length=1448523276) at fardata.c:749
#2 0x5657288d in extraction_stub (block=0x565a28a0
"\020v/\025\020vpb\020x\016w\020xPD\020ynY\020z0&\020{N;\020|\031B\020}.\035\020~y$\020\177\016\177\020\001\003\002\003\004\005\004\b\006\a\003\002\005\004\005\004\002\003\002\003\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\003\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\004\005\003\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t"...,
block_len=1448523276, action=0) at arj_file.c:204
#3 0x5655e58f in decode (action=0) at decode.c:486
#4 0x5656a211 in unpack_file (action=action@entry=0) at arj_arcv.c:2444
#5 0x5656f11a in unpack_validation (cmd=84) at arj_arcv.c:2604
#6 0x56564571 in process_archive (cmd=cmd@entry=84,
no_in_arch=no_in_arch@entry=0) at arj_user.c:831
#7 0x56566586 in process_archive_proc (cmd=cmd@entry=84) at arj_user.c:2047
#8 0x56569759 in perform_cmd (cmd=84) at arj_user.c:2660
#9 0x5655c6ed in main (argc=<optimized out>, argv=<optimized out>) at
arj.c:1275
Found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
-- System Information:
Architecture: i386
--
Jakub Wilk

