Bug 2165653
| Field | Value |
|---|---|
| Summary | zip-3.0-36.fc38: zip -r: *** buffer overflow detected ***: terminated |
| Product | [Fedora] Fedora |
| Component | zip |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Version | 38 |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Lucian Langa <lucilanga> |
| Assignee | Jakub Martisko <jamartis> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | alexvillacislasso, brian, h-k-81, jamartis, ja, joshas, kdudka, kvolny, michele, mtasaka, nindoone+bugzilla, patrick, pstodulk |
| Fixed In Version | zip-3.0-39.fc40 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2023-09-18 14:56:09 UTC |
| Type | Bug |

Description
Lucian Langa
2023-01-30 17:14:26 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Just hit this issue too :-(
zip-3.0-36.fc38.x86_64

Created attachment 1961637
Last argument to mbstowcs is max wchars to output

I have solved the buffer overflow check by providing correct
output length to the mbstowcs function.

I am hitting the same issue. Here's a full backtrace:

```
*** buffer overflow detected ***: terminated

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
Downloading source file /usr/src/debug/glibc-2.37-4.fc38.x86_64/nptl/pthread_kill.c
44        return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007ffff7e358b3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007ffff7de4abe in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff7dcd87f in __GI_abort () at abort.c:79
#4  0x00007ffff7dce60f in __libc_message (fmt=fmt@entry=0x7ffff7f482e6 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
#5  0x00007ffff7ec9979 in __GI___fortify_fail (msg=msg@entry=0x7ffff7f4828c "buffer overflow detected") at fortify_fail.c:24
#6  0x00007ffff7ec81b4 in __GI___chk_fail () at chk_fail.c:28
#7  0x00007ffff7ec9465 in __mbstowcs_chk (dst=dst@entry=0x495a40 L"ҕ", src=<optimized out>, src@entry=0x57dd40 "mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png", len=<optimized out>, dstlen=dstlen@entry=100) at mbstowcs_chk.c:27
#8  0x000000000041554b in mbstowcs (__len=<optimized out>, __src=0x57dd40 "mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png", __dst=0x495a40 L"ҕ") at /usr/include/bits/stdlib.h:123
#9  local_to_wide_string (local_string=0x57dd40 "mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png") at /usr/src/debug/zip-3.0-36.fc38.x86_64/fileio.c:3505
#10 0x00000000004228dc in local_to_utf8_string (local_string=0x57dd40 "mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png") at /usr/src/debug/zip-3.0-36.fc38.x86_64/fileio.c:3121
#11 newname.isra.0 (name=0x564960 "/mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png", casesensitive=<optimized out>, isdir=<optimized out>) at /usr/src/debug/zip-3.0-36.fc38.x86_64/fileio.c:1046
#12 0x0000000000415e4a in procname (n=0x564960 "/mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png", caseflag=0) at unix/unix.c:216
#13 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#14 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#15 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#16 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#17 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#18 0x00000000004049cd in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/zip-3.0-36.fc38.x86_64/zip.c:4107
```

The patch attached by Julian fixes it for me (tried both creating and decompressing a zip archive that was problematic)

I am also getting a `*** buffer overflow detected ***: terminated`. In my case it is fairly easy to reproduce this:

1. `touch gewässer`
2. `zip foo gewässer`
3. Buffer overflow message:

```
*** buffer overflow detected ***: terminated
zip error: Interrupted (aborting)
```

(In reply to Julian Anastasov from comment #3)
> Created attachment 1961637
> Last argument to mbstowcs is max wchars to output
>
> I have solved the buffer overflow check by providing correct
> output length to the mbstowcs function.

Thank you for your patch! It solved the issue for me on Fedora 38. Would be nice if the patch were included in an update.

What package has zip source?

(In reply to Brian Mastrobuono from comment #7)
> what package has zip source?

You can find the src rpm here: https://koji.fedoraproject.org/koji/buildinfo?buildID=2135106

(In reply to Julian Anastasov from comment #3)
> Created attachment 1961637
> Last argument to mbstowcs is max wchars to output
>
> I have solved the buffer overflow check by providing correct
> output length to the mbstowcs function.

Actually it turned out that zip31c.zip contains this fix:

zip31c/fileio.c contains:

```
/* zip31c/fileio.c, lines 3677-3683 */
  /* convert it */
  if ((wc_string = (wchar_t *)malloc((wsize + 1) * sizeof(wchar_t))) == NULL) {
    ZIPERR(ZE_MEM, "local_to_wide_string");
  }
  /* Fix by kellner, from forum, 12 Feb 2009 */
  wsize = mbstowcs(wc_string, local_string, wsize + 1);
  wc_string[wsize] = (wchar_t) 0;
```

Maintainer, would you apply the fix in comment #3?

Hello, I cannot zip files that contain Swedish letters 'åäö'. This bug affects me. I can zip these letters on other versions of 'zip', such as on my Raspberry Pi (Debian build). Please consider verifying and applying fix in comment #3. BR

Updates for F38/F39:
https://bodhi.fedoraproject.org/updates/FEDORA-2023-7da8b86dfe
https://bodhi.fedoraproject.org/updates/FEDORA-2023-e9a8e770bb

FEDORA-2023-ab660708bb has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2023-ab660708bb

FEDORA-2023-ab660708bb has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
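
The mbstowcs limit discussed in the comments above, as an added stand-alone example (not code from zip, the attached patch, or any commenter): the destination is sized in wchar_t elements and the same count is passed as the limit, which is the value `__mbstowcs_chk` in the backtrace compares against `dstlen`. The helper names and the locale names tried are assumptions; the sample bytes are "gewässer" from the reproducer, encoded as UTF-8.

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Select a UTF-8 locale. The locale names are assumptions about the host. */
static int use_utf8_locale(void)
{
    static const char *names[] = { "C.UTF-8", "C.utf8", "en_US.UTF-8" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (setlocale(LC_CTYPE, names[i]) != NULL)
            return 1;
    return 0;
}

/* Convert s into a freshly allocated wide string (hypothetical helper).
   The limit given to mbstowcs is the destination capacity in wchar_t
   elements, never the byte length of the multibyte source. */
static wchar_t *local_to_wide(const char *s, size_t *out_len)
{
    size_t wsize = mbstowcs(NULL, s, 0);   /* count only, nothing written */
    if (wsize == (size_t)-1)
        return NULL;                       /* invalid multibyte sequence */
    wchar_t *w = malloc((wsize + 1) * sizeof *w);
    if (w == NULL)
        return NULL;
    wsize = mbstowcs(w, s, wsize + 1);     /* not strlen(s) + 1 */
    if (wsize == (size_t)-1) {
        free(w);
        return NULL;
    }
    w[wsize] = L'\0';
    *out_len = wsize;
    return w;
}

int main(void)
{
    const char *name = "gew\xc3\xa4sser";  /* "gewässer" in UTF-8 */
    size_t n = 0;
    wchar_t *w = use_utf8_locale() ? local_to_wide(name, &n) : NULL;
    if (w == NULL)
        return 1;
    printf("bytes+NUL=%zu wchar_t slots=%zu\n", strlen(name) + 1, n + 1);
    free(w);
    return 0;
}
```

For this name the byte count including the terminator is 10 while the wide buffer holds 9 elements, so a limit derived from the byte length is larger than the destination.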