Bug 2165653

Summary: zip-3.0-36.fc38: zip -r: *** buffer overflow detected ***: terminated
Product: Fedora
Component: zip
Version: 38
Reporter: Lucian Langa <lucilanga>
Assignee: Jakub Martisko <jamartis>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: NEW
CC: alexvillacislasso, h-k-81, jamartis, ja, joshas, kdudka, kvolny, michele, pstodulk
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug

Attachments:
  Last argument to mbstowcs is max wchars to output (flags: none)

Description Lucian Langa 2023-01-30 17:14:26 UTC
Following from bug #2164068

Seems zip is crashing when creating an archive

zip a.zip -r Inbox/
*** buffer overflow detected ***: terminated


zip error: Interrupted (aborting)

At first I was under the impression it crashes because of very long filenames.

But in fact it crashes when filenames contain unicode characters.
To reproduce:

touch testé
zip a.zip testé
*** buffer overflow detected ***: terminated


zip error: Interrupted (aborting)

As noted on #2164068, using the fix there (fortify_source 2) fixes the issue.

Comment 1 Ben Cotton 2023-02-07 15:07:30 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 2 Karel Volný 2023-04-12 13:45:32 UTC
just hit this issue too :-(

zip-3.0-36.fc38.x86_64

Comment 3 Julian Anastasov 2023-05-02 10:05:24 UTC
Created attachment 1961637 [details]
Last argument to mbstowcs is max wchars to output

I have solved the buffer overflow check by providing the correct output length to the mbstowcs function.

Comment 4 Michele Baldessari 2023-06-10 15:09:40 UTC
I am hitting the same issue. Here's a full backtrace:
*** buffer overflow detected ***: terminated

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
Downloading source file /usr/src/debug/glibc-2.37-4.fc38.x86_64/nptl/pthread_kill.c
44            return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007ffff7e358b3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007ffff7de4abe in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff7dcd87f in __GI_abort () at abort.c:79
#4  0x00007ffff7dce60f in __libc_message (fmt=fmt@entry=0x7ffff7f482e6 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
#5  0x00007ffff7ec9979 in __GI___fortify_fail (msg=msg@entry=0x7ffff7f4828c "buffer overflow detected") at fortify_fail.c:24
#6  0x00007ffff7ec81b4 in __GI___chk_fail () at chk_fail.c:28
#7  0x00007ffff7ec9465 in __mbstowcs_chk (dst=dst@entry=0x495a40 L"ҕ", src=<optimized out>,
    src@entry=0x57dd40 "mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png", len=<optimized out>,
    dstlen=dstlen@entry=100) at mbstowcs_chk.c:27
#8  0x000000000041554b in mbstowcs (__len=<optimized out>,
    __src=0x57dd40 "mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png", __dst=0x495a40 L"ҕ")
    at /usr/include/bits/stdlib.h:123
#9  local_to_wide_string (local_string=0x57dd40 "mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png")
    at /usr/src/debug/zip-3.0-36.fc38.x86_64/fileio.c:3505
#10 0x00000000004228dc in local_to_utf8_string (
    local_string=0x57dd40 "mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png")
    at /usr/src/debug/zip-3.0-36.fc38.x86_64/fileio.c:3121
#11 newname.isra.0 (name=0x564960 "/mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png", casesensitive=<optimized out>,
    isdir=<optimized out>) at /usr/src/debug/zip-3.0-36.fc38.x86_64/fileio.c:1046
#12 0x0000000000415e4a in procname (n=0x564960 "/mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png", caseflag=0)
    at unix/unix.c:216
#13 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#14 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#15 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#16 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#17 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#18 0x00000000004049cd in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/zip-3.0-36.fc38.x86_64/zip.c:4107

The patch attached by Julian fixes it for me (tried both creating and decompressing a zip archive that was problematic).
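
The length mismatch behind Julian's fix (Comment 3) and the `__mbstowcs_chk` frame in the backtrace above, as an added C example that is not part of this bug report or of zip's source: `fortify_would_abort` emulates glibc's check (limit greater than destination capacity, both in wide characters), and `local_to_wide` is a hypothetical correct conversion helper, not zip's `local_to_wide_string`. The sample name "testé" is constructed, and a UTF-8 locale is assumed to be installed.

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Emulates the _FORTIFY_SOURCE check in frame #7 of the backtrace: glibc's
 * __mbstowcs_chk aborts when the requested limit `len` exceeds the
 * destination's capacity `dstlen`, both counted in wide characters.
 * Returns 0 if the call would pass, -1 if it would abort. */
int fortify_would_abort(size_t dstlen_wchars, size_t len_arg) {
    return len_arg > dstlen_wchars ? -1 : 0;
}

/* Select a UTF-8 locale so mbstowcs decodes multibyte names; returns 0 if
 * none is installed (assumption: the host has one of these). */
int enable_utf8_locale(void) {
    const char *cands[] = { "C.UTF-8", "C.utf8", "en_US.UTF-8", "en_US.utf8" };
    for (size_t i = 0; i < sizeof cands / sizeof cands[0]; i++)
        if (setlocale(LC_CTYPE, cands[i]) != NULL) return 1;
    return 0;
}

/* Correct conversion of a multibyte file name to a malloc'd wide string
 * (hypothetical helper, not zip's own code). The second mbstowcs call is
 * limited to wlen + 1 WIDE characters, exactly what was allocated; passing
 * strlen(local) + 1 there is a byte count and trips the check above for
 * any name containing multibyte characters. */
wchar_t *local_to_wide(const char *local, size_t *out_len) {
    size_t wlen = mbstowcs(NULL, local, 0);      /* measure, write nothing */
    if (wlen == (size_t)-1) return NULL;          /* invalid sequence */
    wchar_t *w = malloc((wlen + 1) * sizeof *w);
    if (w == NULL) return NULL;
    if (mbstowcs(w, local, wlen + 1) == (size_t)-1) { free(w); return NULL; }
    if (out_len) *out_len = wlen;
    return w;
}

/* Bytes minus wide characters for a name: the surplus a byte-count limit
 * overstates. Returns -1 when no UTF-8 locale is available. */
long byte_wide_gap(const char *name) {
    size_t wlen;
    if (!enable_utf8_locale()) return -1;
    wchar_t *w = local_to_wide(name, &wlen);
    if (w == NULL) return -1;
    free(w);
    return (long)(strlen(name) - wlen);
}

int main(void) {
    const char *name = "test\xc3\xa9";   /* constructed sample: "testé" in UTF-8 */
    long gap = byte_wide_gap(name);
    printf("%s: %zu bytes, surplus over wide length = %ld\n", name, strlen(name), gap);
    return gap < 0;
}
```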

Comment 5 blinxen 2023-06-26 16:04:49 UTC
I am also getting a `*** buffer overflow detected ***: terminated`.

In my case it is fairly easy to reproduce this:

1. `touch gewässer`
2. `zip foo gewässer`
3. Buffer overflow message:

```
*** buffer overflow detected ***: terminated


zip error: Interrupted (aborting)
```