heap-buffer-overflow in getcode (src/zopen.c:673) #511

@kost

Description

Summary

Identified a heap buffer overflow in the getcode function located in src/zopen.c:673.

Versions

Versions tested and affected:

  • Current git master (d624720)

  • Latest release (v7.5)

$ git rev-parse HEAD
d624720b3cb4aa84b0f9cede51f90f9cc42473d8

Build and test platform

Ubuntu 24.04.3

Test case

unzip crash-11.zip
src/ugrep -z x 11-0_full.Z

crash-11.zip

Latest git master

Confirmed by ASAN:

$ src/ugrep -z x 11-0_full.Z
=================================================================
==1423354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x789f047ff020 at pc 0x644e430ed148 bp 0x789f01ffe8f0 sp 0x789f01ffe8e0
READ of size 1 at 0x789f047ff020 thread T1
    #0 0x644e430ed147 in getcode /htp/ugrep/ugrep/src/zopen.c:673
    #1 0x644e430ee401 in z_read /htp/ugrep/ugrep/src/zopen.c:557
    #2 0x644e42feb503 in zstreambuf::next(unsigned char*, unsigned long) (/htp/ugrep/ugrep/src/ugrep+0xc9503) (BuildId: c537cdb06b9b7a874b26397e23584fee04ccfaf6)
    #3 0x644e43054a77 in Zthread::decompress() (/htp/ugrep/ugrep/src/ugrep+0x132a77) (BuildId: c537cdb06b9b7a874b26397e23584fee04ccfaf6)
    #4 0x644e42fd35b0 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (Zthread::*)(), Zthread*> > >::_M_run() (/htp/ugrep/ugrep/src/ugrep+0xb15b0) (BuildId: c537cdb06b9b7a874b26397e23584fee04ccfaf6)
    #5 0x789f056ecdb3  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xecdb3) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
    #6 0x789f05a5ea41 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
    #7 0x789f0529caa3 in start_thread nptl/pthread_create.c:447
    #8 0x789f05329c6b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x789f047ff020 is located 0 bytes after 690208-byte region [0x789f04756800,0x789f047ff020)
allocated by thread T0 here:
    #0 0x789f05afd340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x644e430eec3c in z_open /htp/ugrep/ugrep/src/zopen.c:750
    #2 0x644e4300f792 in zstreambuf::open(char const*, _IO_FILE*) (/htp/ugrep/ugrep/src/ugrep+0xed792) (BuildId: c537cdb06b9b7a874b26397e23584fee04ccfaf6)
    #3 0x644e43025cd4 in Zthread::start(unsigned long, char const*, _IO_FILE*, char const*) (/htp/ugrep/ugrep/src/ugrep+0x103cd4) (BuildId: c537cdb06b9b7a874b26397e23584fee04ccfaf6)
    #4 0x644e430495e8 in Grep::open_file(char const*, char const*) (/htp/ugrep/ugrep/src/ugrep+0x1275e8) (BuildId: c537cdb06b9b7a874b26397e23584fee04ccfaf6)
    #5 0x644e42f9f545 in Grep::search(char const*, unsigned short) /htp/ugrep/ugrep/src/ugrep.cpp:10426
    #6 0x644e42f9ea47 in Grep::ugrep() /htp/ugrep/ugrep/src/ugrep.cpp:9149
    #7 0x644e42fc5d03 in ugrep() /htp/ugrep/ugrep/src/ugrep.cpp:8974
    #8 0x644e42fc7851 in main /htp/ugrep/ugrep/src/ugrep.cpp:4715
    #9 0x789f0522a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #10 0x789f0522a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #11 0x644e42f74284 in _start (/htp/ugrep/ugrep/src/ugrep+0x52284) (BuildId: c537cdb06b9b7a874b26397e23584fee04ccfaf6)

Thread T1 created by T0 here:
    #0 0x789f05af51f9 in pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:245
    #1 0x789f056eceb0 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xeceb0) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
    #2 0x644e43025fce in Zthread::start(unsigned long, char const*, _IO_FILE*, char const*) (/htp/ugrep/ugrep/src/ugrep+0x103fce) (BuildId: c537cdb06b9b7a874b26397e23584fee04ccfaf6)
    #3 0x644e430495e8 in Grep::open_file(char const*, char const*) (/htp/ugrep/ugrep/src/ugrep+0x1275e8) (BuildId: c537cdb06b9b7a874b26397e23584fee04ccfaf6)
    #4 0x644e42f9f545 in Grep::search(char const*, unsigned short) /htp/ugrep/ugrep/src/ugrep.cpp:10426
    #5 0x644e42f9ea47 in Grep::ugrep() /htp/ugrep/ugrep/src/ugrep.cpp:9149
    #6 0x644e42fc5d03 in ugrep() /htp/ugrep/ugrep/src/ugrep.cpp:8974
    #7 0x644e42fc7851 in main /htp/ugrep/ugrep/src/ugrep.cpp:4715
    #8 0x789f0522a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x789f0522a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #10 0x644e42f74284 in _start (/htp/ugrep/ugrep/src/ugrep+0x52284) (BuildId: c537cdb06b9b7a874b26397e23584fee04ccfaf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow /htp/ugrep/ugrep/src/zopen.c:673 in getcode
Shadow bytes around the buggy address:
  0x789f047fed80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x789f047fee00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x789f047fee80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x789f047fef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x789f047fef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x789f047ff000: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x789f047ff080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x789f047ff100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x789f047ff180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x789f047ff200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x789f047ff280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1423354==ABORTING

Release (v7.5)

Confirmed by ASAN:

./ugrep -z x 11-0_full.Z
=================================================================
==1763511==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x73f00a5ff020 at pc 0x5a3886b57054 bp 0x73f0081fe8f0 sp 0x73f0081fe8e0
READ of size 1 at 0x73f00a5ff020 thread T1
    #0 0x5a3886b57053 in getcode /htp/ugrep/ugrep-7.5.0/src/zopen.c:673
    #1 0x5a3886b5830d in z_read /htp/ugrep/ugrep-7.5.0/src/zopen.c:557
    #2 0x5a3886a5540f in zstreambuf::next(unsigned char*, unsigned long) (/htp/ugrep/ugrep-7.5.0/src/ugrep+0xc940f) (BuildId: 90638e48f0b62de4332dd2a506598772e5606684)
    #3 0x5a3886abe983 in Zthread::decompress() (/htp/ugrep/ugrep-7.5.0/src/ugrep+0x132983) (BuildId: 90638e48f0b62de4332dd2a506598772e5606684)
    #4 0x5a3886a3d4bc in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (Zthread::*)(), Zthread*> > >::_M_run() (/htp/ugrep/ugrep-7.5.0/src/ugrep+0xb14bc) (BuildId: 90638e48f0b62de4332dd2a506598772e5606684)
    #5 0x73f00b6ecdb3  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xecdb3) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
    #6 0x73f00bc5ea41 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
    #7 0x73f00b29caa3 in start_thread nptl/pthread_create.c:447
    #8 0x73f00b329c6b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x73f00a5ff020 is located 0 bytes after 690208-byte region [0x73f00a556800,0x73f00a5ff020)
allocated by thread T0 here:
    #0 0x73f00bcfd340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x5a3886b58b48 in z_open /htp/ugrep/ugrep-7.5.0/src/zopen.c:750
    #2 0x5a3886a7969e in zstreambuf::open(char const*, _IO_FILE*) (/htp/ugrep/ugrep-7.5.0/src/ugrep+0xed69e) (BuildId: 90638e48f0b62de4332dd2a506598772e5606684)
    #3 0x5a3886a8fbe0 in Zthread::start(unsigned long, char const*, _IO_FILE*, char const*) (/htp/ugrep/ugrep-7.5.0/src/ugrep+0x103be0) (BuildId: 90638e48f0b62de4332dd2a506598772e5606684)
    #4 0x5a3886ab34f4 in Grep::open_file(char const*, char const*) (/htp/ugrep/ugrep-7.5.0/src/ugrep+0x1274f4) (BuildId: 90638e48f0b62de4332dd2a506598772e5606684)
    #5 0x5a3886a09451 in Grep::search(char const*, unsigned short) /htp/ugrep/ugrep-7.5.0/src/ugrep.cpp:10423
    #6 0x5a3886a08953 in Grep::ugrep() /htp/ugrep/ugrep-7.5.0/src/ugrep.cpp:9146
    #7 0x5a3886a2fc0f in ugrep() /htp/ugrep/ugrep-7.5.0/src/ugrep.cpp:8971
    #8 0x5a3886a3175d in main /htp/ugrep/ugrep-7.5.0/src/ugrep.cpp:4716
    #9 0x73f00b22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #10 0x73f00b22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #11 0x5a38869de264 in _start (/htp/ugrep/ugrep-7.5.0/src/ugrep+0x52264) (BuildId: 90638e48f0b62de4332dd2a506598772e5606684)

Thread T1 created by T0 here:
    #0 0x73f00bcf51f9 in pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:245
    #1 0x73f00b6eceb0 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xeceb0) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
    #2 0x5a3886a8feda in Zthread::start(unsigned long, char const*, _IO_FILE*, char const*) (/htp/ugrep/ugrep-7.5.0/src/ugrep+0x103eda) (BuildId: 90638e48f0b62de4332dd2a506598772e5606684)
    #3 0x5a3886ab34f4 in Grep::open_file(char const*, char const*) (/htp/ugrep/ugrep-7.5.0/src/ugrep+0x1274f4) (BuildId: 90638e48f0b62de4332dd2a506598772e5606684)
    #4 0x5a3886a09451 in Grep::search(char const*, unsigned short) /htp/ugrep/ugrep-7.5.0/src/ugrep.cpp:10423
    #5 0x5a3886a08953 in Grep::ugrep() /htp/ugrep/ugrep-7.5.0/src/ugrep.cpp:9146
    #6 0x5a3886a2fc0f in ugrep() /htp/ugrep/ugrep-7.5.0/src/ugrep.cpp:8971
    #7 0x5a3886a3175d in main /htp/ugrep/ugrep-7.5.0/src/ugrep.cpp:4716
    #8 0x73f00b22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x73f00b22a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #10 0x5a38869de264 in _start (/htp/ugrep/ugrep-7.5.0/src/ugrep+0x52264) (BuildId: 90638e48f0b62de4332dd2a506598772e5606684)

SUMMARY: AddressSanitizer: heap-buffer-overflow /htp/ugrep/ugrep-7.5.0/src/zopen.c:673 in getcode
Shadow bytes around the buggy address:
  0x73f00a5fed80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x73f00a5fee00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x73f00a5fee80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x73f00a5fef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x73f00a5fef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x73f00a5ff000: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x73f00a5ff080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x73f00a5ff100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x73f00a5ff180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x73f00a5ff200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x73f00a5ff280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1763511==ABORTING
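The two reports above contain everything a triager needs: the error class, the access kind and width, the faulting frame, the allocation site, and the region arithmetic that shows the read lands exactly at the end of the 690208-byte calloc'd buffer. As an added example (not part of this issue and not ugrep code), the following Python extracts those fields from an ASAN report, picks out the first application frame on each stack, and cross-checks the "N bytes after M-byte region" prose against the addresses it quotes. The input is a constructed, abbreviated copy of the first report, with the deeper libstdc++ and libc frames trimmed so it runs offline.

```python
"""Minimal AddressSanitizer report parser for crash triage (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: abbreviated copy of the git-master ASAN report
# from the issue, frames trimmed.
SAMPLE_REPORT = """\
==1423354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x789f047ff020 at pc 0x644e430ed148 bp 0x789f01ffe8f0 sp 0x789f01ffe8e0
READ of size 1 at 0x789f047ff020 thread T1
    #0 0x644e430ed147 in getcode /htp/ugrep/ugrep/src/zopen.c:673
    #1 0x644e430ee401 in z_read /htp/ugrep/ugrep/src/zopen.c:557
    #2 0x644e42feb503 in zstreambuf::next(unsigned char*, unsigned long) (/htp/ugrep/ugrep/src/ugrep+0xc9503) (BuildId: c537cdb06b9b7a874b26397e23584fee04ccfaf6)

0x789f047ff020 is located 0 bytes after 690208-byte region [0x789f04756800,0x789f047ff020)
allocated by thread T0 here:
    #0 0x789f05afd340 in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x644e430eec3c in z_open /htp/ugrep/ugrep/src/zopen.c:750

Thread T1 created by T0 here:
    #0 0x789f05af51f9 in pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:245

SUMMARY: AddressSanitizer: heap-buffer-overflow /htp/ugrep/ugrep/src/zopen.c:673 in getcode
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+) thread (T\d+)")
REGION_RE = re.compile(
    r"^(0x[0-9a-fA-F]+) is located (\d+) bytes "
    r"(after|before|inside|to the right of|to the left of) "
    r"(\d+)-byte region \[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)")
# Function names may contain spaces (C++ signatures); the location is the last token.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)$")
BUILDID_RE = re.compile(r"\s*\(BuildId: [0-9a-fA-F]+\)$")

# Heuristics for "not the program's own code": sanitizer runtime and allocator entry points.
SANITIZER_MARKERS = ("libsanitizer", "asan_", "/lib/x86_64-linux-gnu/")
ALLOCATOR_NAMES = {"malloc", "calloc", "realloc", "operator new", "operator new[]"}


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class AsanReport:
    pid: int = 0
    error_kind: str = ""
    access: str = ""
    size: int = 0
    address: int = 0
    thread: str = ""
    fault_frames: List[Frame] = field(default_factory=list)
    alloc_frames: List[Frame] = field(default_factory=list)
    region_start: int = 0
    region_end: int = 0
    region_size: int = 0
    distance: int = 0
    relation: str = ""


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line, tracking which stack trace we are inside."""
    rep = AsanReport()
    current: Optional[List[Frame]] = None
    for raw in text.splitlines():
        line = BUILDID_RE.sub("", raw)
        if m := ERROR_RE.match(line):
            rep.pid, rep.error_kind, rep.address = int(m[1]), m[2], int(m[3], 16)
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size, rep.thread = m[1], int(m[2]), m[4]
            current = rep.fault_frames
        elif m := REGION_RE.match(line):
            rep.distance, rep.relation, rep.region_size = int(m[2]), m[3], int(m[4])
            rep.region_start, rep.region_end = int(m[5], 16), int(m[6], 16)
        elif line.startswith("allocated by"):
            current = rep.alloc_frames
        elif line.startswith(("freed by", "Thread ")):
            current = None  # thread-creation and free stacks are not needed here
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(int(m[1]), m[2], m[3]))
    return rep


def first_app_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame belonging to the program itself, skipping interceptors and allocators."""
    for f in frames:
        if f.function in ALLOCATOR_NAMES or any(mk in f.location for mk in SANITIZER_MARKERS):
            continue
        return f
    return None


def region_math_consistent(rep: AsanReport) -> bool:
    """Check ASAN's prose ("N bytes after M-byte region") against the quoted addresses."""
    if rep.region_end - rep.region_start != rep.region_size:
        return False
    if rep.relation in ("after", "to the right of"):
        return rep.address - rep.region_end == rep.distance
    if rep.relation in ("before", "to the left of"):
        return rep.region_start - rep.address == rep.distance
    return rep.region_start <= rep.address < rep.region_end  # "inside"


def triage_line(rep: AsanReport) -> str:
    """One-line summary suitable for a bug tracker title or dedup key."""
    fault, alloc = first_app_frame(rep.fault_frames), first_app_frame(rep.alloc_frames)
    fmt = lambda f: f"{f.function} ({f.location})" if f else "?"
    return (f"{rep.error_kind}: {rep.access} of {rep.size} byte(s) {rep.distance} bytes "
            f"{rep.relation} a {rep.region_size}-byte heap region; "
            f"fault in {fmt(fault)}, allocated in {fmt(alloc)}")


if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    print(triage_line(report))
    print("region arithmetic consistent:", region_math_consistent(report))
```

Run on the sample, the triage line names getcode at zopen.c:673 as the faulting frame and z_open at zopen.c:750 as the allocation site, and the arithmetic check confirms that 0x789f047ff020 is exactly the end of the 690208-byte region, i.e. a one-byte read past the buffer with no slack.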
