==7525== Memcheck, a memory error detector
==7525== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==7525== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==7525== Command: unzip -p -P x buggy.fuzzed.sigsegv.zip
==7525==
warning [buggy.fuzzed.sigsegv.zip]:  11 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error [buggy.fuzzed.sigsegv.zip]:  reported length of central directory is
  -11 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
==7525== Conditional jump or move depends on uninitialised value(s)
==7525==    at 0x80595AF: getZip64Data (process.c:1927)
==7525==    by 0x80534DB: do_string (fileio.c:2300)
==7525==    by 0x804E250: extract_or_test_entrylist (extract.c:1214)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==
==7525== Conditional jump or move depends on uninitialised value(s)
==7525==    at 0x80595B9: getZip64Data (process.c:1935)
==7525==    by 0x80534DB: do_string (fileio.c:2300)
==7525==    by 0x804E250: extract_or_test_entrylist (extract.c:1214)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==
==7525== Conditional jump or move depends on uninitialised value(s)
==7525==    at 0x8059588: getZip64Data (process.c:1922)
==7525==    by 0x80534DB: do_string (fileio.c:2300)
==7525==    by 0x804E250: extract_or_test_entrylist (extract.c:1214)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==
==7525== Use of uninitialised value of size 4
==7525==    at 0x8053D44: makeword (fileio.c:2426)
==7525==    by 0x8059596: getZip64Data (process.c:1924)
==7525==    by 0x80534DB: do_string (fileio.c:2300)
==7525==    by 0x804E250: extract_or_test_entrylist (extract.c:1214)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==
==7525== Use of uninitialised value of size 4
==7525==    at 0x8053D44: makeword (fileio.c:2426)
==7525==    by 0x80595A3: getZip64Data (process.c:1925)
==7525==    by 0x80534DB: do_string (fileio.c:2300)
==7525==    by 0x804E250: extract_or_test_entrylist (extract.c:1214)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==
cåM^^[BK¯µ:  mismatching "local" filename (cåM^^ZBK¯µ),
         continuing with "central" filename version
  error:  invalid compressed data to inflate cåM^^[BK¯µ
file #2:  bad zipfile offset (local header sig):  179
^\^F{`0Z(5x.:  mismatching "local" filename (cåM^^ZBK¯µ),
         continuing with "central" filename version
^\^F{`0Z(5x.:  ucsize 7 <> csize 2 for STORED entry
         continuing with "compressed" size value
^\^F{`0Z(5x.  bad CRC 0e988438  (should be 0000000a)
^»ˆ.Làhp:  ucsize 264 <> csize 18446744073709551611 for STORED entry
         continuing with "compressed" size value
==7525== Use of uninitialised value of size 4
==7525==    at 0x804B78B: update_keys (crypt.c:167)
==7525==    by 0x804B8F6: testkey (crypt.c:641)
==7525==    by 0x804B94F: testp (crypt.c:548)
==7525==    by 0x804BA63: decrypt (crypt.c:493)
==7525==    by 0x804E7DD: extract_or_test_entrylist (extract.c:1275)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==
==7525== Invalid read of size 1
==7525==    at 0x804B8E8: testkey (crypt.c:641)
==7525==    by 0x804B94F: testp (crypt.c:548)
==7525==    by 0x804BA63: decrypt (crypt.c:493)
==7525==    by 0x804E7DD: extract_or_test_entrylist (extract.c:1275)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==  Address 0x4207b3c is 0 bytes after a block of size 8,196 alloc'd
==7525==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7525==    by 0x8058A90: process_zipfiles (process.c:250)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==
==7525== Invalid write of size 1
==7525==    at 0x804B8EB: testkey (crypt.c:641)
==7525==    by 0x804B94F: testp (crypt.c:548)
==7525==    by 0x804BA63: decrypt (crypt.c:493)
==7525==    by 0x804E7DD: extract_or_test_entrylist (extract.c:1275)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==  Address 0x4207b3c is 0 bytes after a block of size 8,196 alloc'd
==7525==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7525==    by 0x8058A90: process_zipfiles (process.c:250)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==
error:  zipfile probably corrupt (segmentation violation)
==7525== Invalid read of size 4
==7525==    at 0x400F28F: _dl_fini (dl-fini.c:193)
==7525==    by 0x40891B0: __run_exit_handlers (exit.c:82)
==7525==    by 0x408920C: exit (exit.c:104)
==7525==    by 0x805316A: handler (fileio.c:1659)
==7525==    by 0x40846A7: ??? (in /lib/i386-linux-gnu/libc-2.19.so)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==  Address 0x9d541f42 is not stack'd, malloc'd or (recently) free'd
==7525==
==7525==
==7525== Process terminating with default action of signal 11 (SIGSEGV)
==7525==  Access not within mapped region at address 0x9D541F42
==7525==    at 0x400F28F: _dl_fini (dl-fini.c:193)
==7525==    by 0x40891B0: __run_exit_handlers (exit.c:82)
==7525==    by 0x408920C: exit (exit.c:104)
==7525==    by 0x805316A: handler (fileio.c:1659)
==7525==    by 0x40846A7: ??? (in /lib/i386-linux-gnu/libc-2.19.so)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==  If you believe this happened as a result of a stack
==7525==  overflow in your program's main thread (unlikely but
==7525==  possible), you can try to increase the size of the
==7525==  main thread stack using the --main-stacksize= flag.
==7525==  The main thread stack size used in this run was 8388608.
==7525== Invalid read of size 4
==7525==    at 0x413D83A: tdestroy_recurse (tsearch.c:638)
==7525==    by 0x413D850: tdestroy_recurse (tsearch.c:639)
==7525==    by 0x419EE06: free_mem (in /lib/i386-linux-gnu/libc-2.19.so)
==7525==    by 0x419F409: __libc_freeres (in /lib/i386-linux-gnu/libc-2.19.so)
==7525==    by 0x4024526: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-x86-linux.so)
==7525==  Address 0xf9e4edb6 is not stack'd, malloc'd or (recently) free'd
==7525==
==7525==
==7525== Process terminating with default action of signal 11 (SIGSEGV)
==7525==  Access not within mapped region at address 0xF9E4EDB6
==7525==    at 0x413D83A: tdestroy_recurse (tsearch.c:638)
==7525==    by 0x413D850: tdestroy_recurse (tsearch.c:639)
==7525==    by 0x419EE06: free_mem (in /lib/i386-linux-gnu/libc-2.19.so)
==7525==    by 0x419F409: __libc_freeres (in /lib/i386-linux-gnu/libc-2.19.so)
==7525==    by 0x4024526: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-x86-linux.so)
==7525==  If you believe this happened as a result of a stack
==7525==  overflow in your program's main thread (unlikely but
==7525==  possible), you can try to increase the size of the
==7525==  main thread stack using the --main-stacksize= flag.
==7525==  The main thread stack size used in this run was 8388608.
==7525==
==7525== HEAP SUMMARY:
==7525==     in use at exit: 79,869 bytes in 20 blocks
==7525==   total heap usage: 78 allocs, 58 frees, 345,002 bytes allocated
==7525==
==7525== LEAK SUMMARY:
==7525==    definitely lost: 160 bytes in 3 blocks
==7525==    indirectly lost: 0 bytes in 0 blocks
==7525==      possibly lost: 40 bytes in 2 blocks
==7525==    still reachable: 79,669 bytes in 15 blocks
==7525==         suppressed: 0 bytes in 0 blocks
==7525== Rerun with --leak-check=full to see details of leaked memory
==7525==
==7525== For counts of detected and suppressed errors, rerun with: -v
==7525== Use --track-origins=yes to see where uninitialised values come from
==7525== ERROR SUMMARY: 8302451 errors from 10 contexts (suppressed: 0 from 0)
Segmentation fault

------------------------------------------------------------------------------------------

./unzip -p -P x buggy.fuzzed.sigsegv.zip
warning [buggy.fuzzed.sigsegv.zip]:  11 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error [buggy.fuzzed.sigsegv.zip]:  reported length of central directory is
  -11 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
c?M^^[BK??:  mismatching "local" filename (c?M^^ZBK??),
         continuing with "central" filename version
  error:  invalid compressed data to inflate c?M^^[BK??
file #2:  bad zipfile offset (local header sig):  179
^\^F{`0Z(5x.:  mismatching "local" filename (c?M^^ZBK??),
         continuing with "central" filename version
^\^F{`0Z(5x.:  ucsize 7 <> csize 2 for STORED entry
         continuing with "compressed" size value
^\^F{`0Z(5x.  bad CRC 0e988438  (should be 0000000a)
^??.L?hp:  ucsize 264 <> csize 18446744073709551611 for STORED entry
         continuing with "compressed" size value
=================================================================
==4394== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5202104 at pc 0x80500c0 bp 0xbfffedb8 sp 0xbfffedac
READ of size 1 at 0xb5202104 thread T0
    #0 0x80500bf (/home/vagrant/sand/unzip-6.0/unzip+0x80500bf)
    #1 0x8050911 (/home/vagrant/sand/unzip-6.0/unzip+0x8050911)
    #2 0x8058379 (/home/vagrant/sand/unzip-6.0/unzip+0x8058379)
    #3 0x805d111 (/home/vagrant/sand/unzip-6.0/unzip+0x805d111)
    #4 0x807bb97 (/home/vagrant/sand/unzip-6.0/unzip+0x807bb97)
    #5 0x804ee07 (/home/vagrant/sand/unzip-6.0/unzip+0x804ee07)
    #6 0x804996f (/home/vagrant/sand/unzip-6.0/unzip+0x804996f)
    #7 0xb685aa82 (/lib/i386-linux-gnu/libc-2.19.so+0x19a82)
    #8 0x8049b80 (/home/vagrant/sand/unzip-6.0/unzip+0x8049b80)
0xb5202104 is located 0 bytes to the right of 8196-byte region [0xb5200100,0xb5202104)
allocated by thread T0 here:
    #0 0xb6a05854 (/usr/lib/i386-linux-gnu/libasan.so.0.0.0+0x16854)
    #1 0x80798f9 (/home/vagrant/sand/unzip-6.0/unzip+0x80798f9)
    #2 0xbffff8b6 ([stack]+0x208b6)
Shadow bytes around the buggy address:
  0x36a403d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a403e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a403f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a40400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a40410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36a40420:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==4394== ABORTING