
Out of bounds read and signed integer overflow in libarchive

I recently wrote about a large number of bugs and potential security issues in libarchive. Release 3.2.0 missed the fix for one out of bounds read in the RAR parser. I also discovered one additional signed integer overflow with ubsan. Both issues are now fixed in libarchive 3.2.1.
All issues were discovered with the help of american fuzzy lop.

Out of bounds heap read in RAR parser
Sample rar file
CVE-2015-8934

Signed integer overflow in ISO parser
Sample ISO file
CVE-2016-5844

Also a couple of other security issues in libarchive were found by Cisco.

With the release of version 3.2.1 I consider libarchive to be reasonably robust against fuzzing. I've tested all supported file formats and fuzzed each one with afl/asan for at least one day. Of course that doesn't mean that no security issues are left, but the easy-to-find ones should be wiped out.

Many invalid memory access issues in libarchive

libarchive version 3.2.0 (released on April 30th) fixed a large number of memory access bugs that I reported to them a while ago. All issues (except the test suite failure) were found with the help of american fuzzy lop and either address sanitizer or undefined behavior sanitizer.

Unclear invalid memory read in CPIO parser
Sample file
CVE-2015-8915

Null pointer access in RAR parser
Sample file
CVE-2015-8916

Null pointer access in CAB parser
Sample file
CVE-2015-8917

Overlapping memcpy in CAB parser
Sample file
CVE-2015-8918

Heap out of bounds read in LHA/LZH parser
Sample file
CVE-2015-8919

Stack out of bounds read in ar parser
Sample file
CVE-2015-8920

Global out of bounds read in mtree parser
Sample file
CVE-2015-8921

Null pointer access in 7z parser
Sample file
CVE-2015-8922

Unclear crashes in ZIP parser
Sample file
CVE-2015-8923

Heap out of bounds read in TAR parser
Sample file
CVE-2015-8924

Unclear invalid memory read in mtree parser
Sample file
CVE-2015-8925

Null pointer access in RAR parser
Sample file
CVE-2015-8926

Heap out of bounds read when reading password for malformed ZIP
Sample file
CVE-2015-8927

Heap out of bounds read in mtree parser
Sample file
CVE-2015-89208

I also reported a couple of lower severity issues (leaks, hangs, undefined behavior issues):

Memory leak in TAR parser
CVE-2015-8929

Endless loop in ISO parser
Sample file
CVE-2015-8930

Undefined behavior / signed integer overflow in mtree parser
CVE-2015-8931

Use after free in test suite

Undefined behavior / invalid shiftleft in TAR parser
Sample file
CVE-2015-8932

Undefined behavior / signed integer overflow in TAR parser
Sample file
CVE-2015-8933

Unfortunately one out of bounds heap read bug in the RAR parser (CVE-2015-8934, sample file) remained unfixed. I hope a fix will find its way into the next version. I was interested in making libarchive more robust because once all issues are fixed it can serve as a safer alternative to many low quality command line tools for various archiving formats.

Various invalid memory accesses in ImageMagick (WPG, DDS, DCM)

Further fuzzing of ImageMagick uncovered some more issues.

An out of bounds memory read in the VerticalFilter() function can be triggered by a malformed DDS file.
Sample file
Git commit / fix
CVE-2016-5687
This was fixed in versions 7.0.1-4 and 6.9.4-3.

Several bugs in the WPG parser could lead to a heap overflow and random invalid memory writes. These bugs only seem to appear when a memory limit is set.
Sample for heap write overflow in SetPixelIndex
Sample for unclear invalid write in ScaleCharToQuantum
Sample for unclear invalid write in SetPixelIndex
Git commit / fix 1
Git commit / fix 2
CVE-2016-5688
These issues were fixed in versions 7.0.1-4 and 6.9.4-3.

Null pointer accesses and unclear segfaults can happen in the DCM parser.
Sample for null pointer access in ReadDCMImage
CVE-2016-5689
Sample for null pointer access in ReadDCMImage (different code)
CVE-2016-5690
Sample for unclear segfault in ReadDCMImage
CVE-2016-5691
Git commit / fix
These issues were fixed in versions 7.0.1-7 and 6.9.4-5.