bug#33501: Malformed inputs triggering uninitialized memory use in inflate_dynamic()
From: Adler, Mark
Subject: bug#33501: Malformed inputs triggering uninitialized memory use in inflate_dynamic()
Date: Wed, 28 Nov 2018 21:09:45 +0000
This should fix it:
--- a/inflate.c
+++ b/inflate.c
@@ -799,6 +799,11 @@ inflate_dynamic(void)
NEEDBITS((unsigned)bl)
j = (td = tl + ((unsigned)b & m))->b;
DUMPBITS(j)
+ if (td->e == 99) /* invalid code */
+ {
+ huft_free(tl);
+ return 2;
+ }
j = td->v.n;
if (j < 16) /* length of code in bits (0..15) */
ll[i++] = l = j; /* save last length in l */
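Review bot: the `td->e == 99` test is placed after `DUMPBITS(j)` and before `j = td->v.n`, which is the right order (`td->b` is consumed first and `v.n`, the field the patch guards, is never read for an invalid entry), but the bare 99 is explained only by the trailing comment; a named constant for the invalid-code marker, or a comment saying where the table builder assigns it, would make the condition self-documenting. `huft_free(tl)` is the correct cleanup here since `td` points into `tl` (`td = tl + ((unsigned)b & m)`) rather than at a separately allocated table. As the patch is posted unverified, the `H4sIADAwMDAwMGQAAAA=` sample from the report should be run through an MSan build of the patched `gzip -dc` to confirm the warning is gone and that the input now fails through the new `return 2` path.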
However, I don’t have a memory sanitizer, so please verify. Thanks.
Mark
> On Nov 25, 2018, at 7:45 AM, Hanno Böck <address@hidden> wrote:
>
> Hi,
>
> I did some testing of gzip with afl-fuzzing and memory sanitizer and it
> ends up finding a use of uninitialized memory on some malformed inputs.
>
> Sample input (base64):
> H4sIADAwMDAwMGQAAAA=
>
> With msan this causes:
>
> ==21601==WARNING: MemorySanitizer: use-of-uninitialized-value
> #0 0x4affab in inflate_dynamic /f/gzip/gzip-1.9/inflate.c:803:9
> #1 0x4affab in inflate_block /f/gzip/gzip-1.9/inflate.c:925
> #2 0x4affab in inflate /f/gzip/gzip-1.9/inflate.c:957
> #3 0x4c805d in unzip /f/gzip/gzip-1.9/unzip.c:132:19
> #4 0x4a1234 in treat_file /f/gzip/gzip-1.9/gzip.c:1002:13
> #5 0x49d760 in main /f/gzip/gzip-1.9/gzip.c:670:13
> #6 0x7f85c3d724ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
> #7 0x41c4d9 in _start (/r/gz/gzip+0x41c4d9)
>
> You can reproduce by building gzip with clang+msan, e.g.
> ./configure CC=clang LD=clang CFLAGS="-fsanitize=undefined -U_FORTIFY_SOURCE"
> LDFLAGS="-fsanitize=undefined -U_FORTIFY_SOURCE"
>
> And then run the above sample with gzip -dc.
>
> (msan is incompatible with fortify source and some distros set it by
> default, so it's better to unset it.)
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: address@hidden
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
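Added example, not gzip's code and not from either mail: a small C program that decodes the reporter's base64 sample (embedded below as constructed bytes) far enough to show why it lands in the code-length loop of inflate_dynamic() with nothing decodable. The first block is BTYPE=2 (dynamic) with HCLEN=4, and all four transmitted code-length code lengths are zero, so the code-length Huffman code is empty and every lookup in it yields an invalid entry. My reading of inflate.c, not stated in the thread, is that huft_build() handles that all-zero case by building a table whose entries carry the invalid marker e == 99 but whose v.n is never written, which is the read the patch guards. The example goes one step beyond the patch and rejects the block header up front whenever the code-length code is not complete (Kraft sum not exactly 1); that strictness is the example's own policy. The transmission order in `clorder` is the one RFC 1951 specifies; all function and struct names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the reporter's sample H4sIADAwMDAwMGQAAAA= decoded to its 14 bytes. */
static const uint8_t sample[14] = {
    0x1f, 0x8b, 0x08, 0x00,     /* ID1 ID2, CM = 8 (deflate), FLG = 0 */
    0x30, 0x30, 0x30, 0x30,     /* MTIME */
    0x30, 0x30,                 /* XFL, OS */
    0x64, 0x00, 0x00, 0x00      /* deflate payload */
};

/* LSB-first bit reader over the deflate payload (RFC 1951 bit order). */
struct bitreader { const uint8_t *p; size_t len, pos; uint32_t buf; int cnt; };

static int getbits(struct bitreader *br, int n, unsigned *out)
{
    while (br->cnt < n) {
        if (br->pos >= br->len)
            return -1;                          /* input ran out */
        br->buf |= (uint32_t)br->p[br->pos++] << br->cnt;
        br->cnt += 8;
    }
    *out = br->buf & ((1u << n) - 1);
    br->buf >>= n;
    br->cnt -= n;
    return 0;
}

struct dyn_hdr {
    unsigned bfinal, btype, hlit, hdist, hclen;
    unsigned clcl[19];          /* code-length code lengths, in symbol order */
};

/* Order in which the code-length code lengths are transmitted. */
static const int clorder[19] =
    { 16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15 };

/* Parse a gzip member header plus the fixed part of a dynamic block header.
 * Returns 0 on success, -1 if the input runs out, -2 if it is not a plain
 * (FLG == 0) deflate gzip member, -3 if the first block is not dynamic. */
static int parse_dynamic_header(const uint8_t *b, size_t n, struct dyn_hdr *h)
{
    struct bitreader br;
    unsigned v, i;

    if (n < 10 || b[0] != 0x1f || b[1] != 0x8b || b[2] != 8 || b[3] != 0)
        return -2;
    br.p = b + 10; br.len = n - 10; br.pos = 0; br.buf = 0; br.cnt = 0;
    memset(h, 0, sizeof *h);
    if (getbits(&br, 1, &h->bfinal) || getbits(&br, 2, &h->btype))
        return -1;
    if (h->btype != 2)
        return -3;
    if (getbits(&br, 5, &h->hlit) || getbits(&br, 5, &h->hdist) ||
        getbits(&br, 4, &h->hclen))
        return -1;
    h->hlit += 257; h->hdist += 1; h->hclen += 4;
    for (i = 0; i < h->hclen; i++) {           /* lengths not sent stay 0 */
        if (getbits(&br, 3, &v))
            return -1;
        h->clcl[clorder[i]] = v;
    }
    return 0;
}

/* Kraft sum of the code-length code, scaled so 128 means exactly complete
 * (lengths are 3-bit values, so at most 7). Negative: incomplete (the all-zero
 * code gives -128); zero: complete; positive: over-subscribed. */
static int code_length_code_state(const struct dyn_hdr *h)
{
    unsigned sum = 0, i;
    for (i = 0; i < 19; i++)
        if (h->clcl[i])
            sum += 1u << (7 - h->clcl[i]);
    return (int)sum - 128;
}

/* The up-front decision: 0 to accept the block, 2 (mirroring the patch's
 * error return) to reject it, or the parser's negative error code. */
static int check_dynamic_header(const uint8_t *b, size_t n)
{
    struct dyn_hdr h;
    int rc = parse_dynamic_header(b, n, &h);
    if (rc)
        return rc;
    return code_length_code_state(&h) == 0 ? 0 : 2;
}

int main(void)
{
    struct dyn_hdr h;
    unsigned i;
    if (parse_dynamic_header(sample, sizeof sample, &h) != 0)
        return 1;
    printf("BFINAL=%u BTYPE=%u HLIT=%u HDIST=%u HCLEN=%u\ncode-length code lengths:",
           h.bfinal, h.btype, h.hlit, h.hdist, h.hclen);
    for (i = 0; i < 19; i++)
        printf(" %u", h.clcl[i]);
    printf("\nkraft state=%d -> %s\n", code_length_code_state(&h),
           check_dynamic_header(sample, sizeof sample) == 0 ? "accept" : "reject");
    return 0;
}
```

The empty code is the case the sample exercises, but the same check also catches over-subscribed and merely incomplete code-length codes, which a table builder cannot represent without invalid entries either; rejecting all three before any symbol is decoded means no table lookup ever has to consult a field that was never written.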