Actually, I spent some time to figure out what is wrong. Looks like
program name in -TT command does not matter - crash is always present on
my host (Ubuntu 24.04.1 LTS, zip 3.0-13ubuntu0.1).
Program crashes inside check_zipfile function:
```
if (here) {
...
} else {
/* No {} so append temp name to end */
strcpy(cmd, unzip_path);
strcat(cmd, " ");
# ifdef UNIX
strcat(cmd, "'"); /* accept space or $ in name */
strcat(cmd, zipname);
strcat(cmd, "'"); <- this function causes a program crash
# else
strcat(cmd, zipname);
# endif
}
```
at the moment of call to the "faulty" strcat gdb shows:
```
0x555555575f25 <check_zipfile.isra+453> lea rdi, [r12 + r15 + 2]
0x555555575f2a <check_zipfile.isra+458> mov ecx, 1
0x555555575f2f <check_zipfile.isra+463> mov rsi, r14
0x555555575f32 <check_zipfile.isra+466> add rdi, rbx
0x555555575f35 <check_zipfile.isra+469> mov edx, 2
► 0x555555575f3a <check_zipfile.isra+474> call __memcpy_chk@plt
dstpp: 0x5555555d896e ◂— 0
srcpp: 0x555555578565 ◂— 0x32252d6434250027 /* "'" */
len: 2
dstlen: 1
```
`__memcpy_chk` will fail if dstlen <= len and that's expected .
What is unexpected, though, is that the 3rd (rdx register) and 4th (rcx
register) parameters are set to 2 and 1, causing this code path to
always fail. Not sure why such code was generated.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2093024
Title:
zip crashes when using options -T and -TT
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/zip/+bug/2093024/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
