Bug 2165653 - zip-3.0-36.fc38: zip -r: *** buffer overflow detected ***: terminated
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: zip
Version: 38
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jakub Martisko
QA Contact: Fedora Extras Quality Assurance
Reported: 2023-01-30 17:14 UTC by Lucian Langa
Modified: 2023-06-26 16:04 UTC

Type: Bug


Attachments
Last argument to mbstowcs is max wchars to output (549 bytes, patch)
2023-05-02 10:05 UTC, Julian Anastasov

Description Lucian Langa 2023-01-30 17:14:26 UTC
Following from bug #2164068

Seems zip is crashing when creating an archive

zip a.zip -r Inbox/
*** buffer overflow detected ***: terminated


zip error: Interrupted (aborting)

At first I was under the impression it crashes because of very long filenames.

But in fact it crashes when filenames contain unicode characters.
To reproduce:

touch testé
zip a.zip testé
*** buffer overflow detected ***: terminated


zip error: Interrupted (aborting)

As noted in #2164068, using the fix there (fortify_source 2) fixes the issue.

Comment 1 Ben Cotton 2023-02-07 15:07:30 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 2 Karel Volný 2023-04-12 13:45:32 UTC
just hit this issue too :-(

zip-3.0-36.fc38.x86_64

Comment 3 Julian Anastasov 2023-05-02 10:05:24 UTC
Created attachment 1961637 [details]
Last argument to mbstowcs is max wchars to output

I have solved the buffer overflow check by providing correct
output length to the mbstowcs function.
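
The point of the attachment, as an added illustration that is not zip's own code: the third argument of mbstowcs() is a count of wchar_t slots in the destination, not the byte length of the source. The snippet below contrasts the byte-count limit with the wide-character count for a name like the reporter's `testé`, mirrors the condition glibc's __mbstowcs_chk aborts on (requested length greater than destination capacity in wchar_t, the frame visible in the backtrace in comment 4), and shows the correctly sized call; the function names are mine, and it assumes a UTF-8 locale (C.UTF-8 or en_US.UTF-8) is installed.

```c
#include <locale.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Pick a UTF-8 locale so mbstowcs() can decode multi-byte names.
   Returns 1 on success, 0 if none of the candidates is installed
   (assumption: one of these two locale names exists on the host). */
int init_utf8_locale(void)
{
    return setlocale(LC_CTYPE, "C.UTF-8") != NULL ||
           setlocale(LC_CTYPE, "en_US.UTF-8") != NULL;
}

/* wchar_t slots needed for s including the terminator, or 0 if s is
   not decodable in the current locale. A NULL destination makes
   mbstowcs() only count, without writing anything. */
size_t wide_slots_needed(const char *s)
{
    size_t n = mbstowcs(NULL, s, 0);
    return n == (size_t)-1 ? 0 : n + 1;
}

/* The limit a caller passes when it confuses bytes with wide chars:
   for "testé" this is 7, although only 6 wchar_t slots are needed. */
size_t byte_count_limit(const char *s)
{
    return strlen(s) + 1;
}

/* glibc's __mbstowcs_chk aborts with "buffer overflow detected" when the
   requested limit exceeds the destination capacity in wchar_t units,
   regardless of how many characters the conversion would really write. */
int fortify_would_abort(size_t requested_len, size_t dst_slots)
{
    return requested_len > dst_slots;
}

/* Correct pattern: size the buffer from the wide count and pass that same
   slot count as the limit. Returns NULL on failure; the caller frees. */
wchar_t *to_wide(const char *s)
{
    size_t slots = wide_slots_needed(s);
    wchar_t *w = slots ? malloc(slots * sizeof *w) : NULL;
    if (w == NULL)
        return NULL;
    if (mbstowcs(w, s, slots) == (size_t)-1) {  /* limit is in wchar_t */
        free(w);
        return NULL;
    }
    return w;
}
```

Every multi-byte character widens the gap between byte_count_limit() and wide_slots_needed(), so an ASCII-only name passes the check while `testé` or `gewässer` trips it.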

Comment 4 Michele Baldessari 2023-06-10 15:09:40 UTC
I am hitting the same issue. Here's a full backtrace:
*** buffer overflow detected ***: terminated

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
Downloading source file /usr/src/debug/glibc-2.37-4.fc38.x86_64/nptl/pthread_kill.c
44            return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007ffff7e358b3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007ffff7de4abe in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff7dcd87f in __GI_abort () at abort.c:79
#4  0x00007ffff7dce60f in __libc_message (fmt=fmt@entry=0x7ffff7f482e6 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
#5  0x00007ffff7ec9979 in __GI___fortify_fail (msg=msg@entry=0x7ffff7f4828c "buffer overflow detected") at fortify_fail.c:24
#6  0x00007ffff7ec81b4 in __GI___chk_fail () at chk_fail.c:28
#7  0x00007ffff7ec9465 in __mbstowcs_chk (dst=dst@entry=0x495a40 L"ҕ", src=<optimized out>,
    src@entry=0x57dd40 "mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png", len=<optimized out>,
    dstlen=dstlen@entry=100) at mbstowcs_chk.c:27
#8  0x000000000041554b in mbstowcs (__len=<optimized out>,
    __src=0x57dd40 "mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png", __dst=0x495a40 L"ҕ")
    at /usr/include/bits/stdlib.h:123
#9  local_to_wide_string (local_string=0x57dd40 "mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png")
    at /usr/src/debug/zip-3.0-36.fc38.x86_64/fileio.c:3505
#10 0x00000000004228dc in local_to_utf8_string (
    local_string=0x57dd40 "mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png")
    at /usr/src/debug/zip-3.0-36.fc38.x86_64/fileio.c:3121
#11 newname.isra.0 (name=0x564960 "/mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png", casesensitive=<optimized out>,
    isdir=<optimized out>) at /usr/src/debug/zip-3.0-36.fc38.x86_64/fileio.c:1046
#12 0x0000000000415e4a in procname (n=0x564960 "/mnt/usb2/Personal/christopher/expression/files/frescobaldi-edition-1–5.png", caseflag=0)
    at unix/unix.c:216
#13 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#14 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#15 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#16 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#17 0x00000000004160ea in procname (n=<optimized out>, caseflag=0) at unix/unix.c:191
#18 0x00000000004049cd in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/zip-3.0-36.fc38.x86_64/zip.c:4107

The patch attached by Julian fixes it for me (tried both creating and decompressing a zip archive that was problematic)

Comment 5 blinxen 2023-06-26 16:04:49 UTC
I am also getting a `*** buffer overflow detected ***: terminated`.

In my case it is fairly easy to reproduce this:

1. `touch gewässer`
2. `zip foo gewässer`
3. Buffer overflow message:

```
*** buffer overflow detected ***: terminated


zip error: Interrupted (aborting)
```

