Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

java.lang.IndexOutOfBoundsException in net.lingala.zip4j.util.Zip4jUtil.readUntilBufferIsFull::Zip4jUtil.java:187 zip4j 2.9.0 #372

Closed
ZanderHuang opened this issue Oct 24, 2021 · 1 comment
Closed

java.lang.IndexOutOfBoundsException in net.lingala.zip4j.util.Zip4jUtil.readUntilBufferIsFull::Zip4jUtil.java:187 zip4j 2.9.0 #372

ZanderHuang opened this issue Oct 24, 2021 · 1 comment
Assignees
@srikanth-lingala
Labels
bug Something isn't working resolved

Comments

@ZanderHuang
Copy link

This vulnerability is of java.lang.IndexOutOfBoundsException, and can be triggered in latest version zip4j (2.9.0).
It is caused by getting an index of an array which is out of the range. and can be used for attackers to launch DoS (Denial of Service) attack for any java program that uses this library (since the user of zip4j doesn't know they need to catch this kind of exception) ( CWE-248: Uncaught exception).
Likely, the root cause of this crash is in net.lingala.zip4j.util.Zip4jUtil.readUntilBufferIsFull::Zip4jUtil.java:187.
See more detail from the following crash stack.

zip4j/src/main/java/net/lingala/zip4j/util/Zip4jUtil.java

Line 187 in ce1cff6

loopReadLength = inputStream.read(bufferToReadInto, readLength, remainingLength);
Either variable "remainingLength" is index out of bounds for array "bufferToReadInto" or both variables "remainingLength" and "readLength" are index out of bounds.

Crash stack:

The crash thread's stack is as follows:

java.base/java.io.PushbackInputStream.read::PushbackInputStream.java:167
net.lingala.zip4j.util.Zip4jUtil.readUntilBufferIsFull::Zip4jUtil.java:187
net.lingala.zip4j.util.Zip4jUtil.readFully::Zip4jUtil.java:132
net.lingala.zip4j.headers.HeaderReader.readExtraDataRecords::HeaderReader.java:298
net.lingala.zip4j.headers.HeaderReader.readExtraDataRecords::HeaderReader.java:260
net.lingala.zip4j.headers.HeaderReader.readLocalFileHeader::HeaderReader.java:574
net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry::ZipInputStream.java:91
net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry::ZipInputStream.java:83
com.test.Entry.main::Entry.java:37

Steps to reproduce:

  1. Build the following java code with the corresponding zip4j library (version 2.9.0).
## Download zip4j_env_reproduce.tar.gz from https://drive.google.com/file/d/1MekCBIghKxIW4j-TLjZkm8ovvLb_grm5/view?usp=sharing
tar -xf zip4j_env_reproduce.tar.gz
cd zip4j_env_reproduce
bash build.sh
  1. Run the built program to see the crash by feeding one of the poc file contained in the pocs.tar.gz, e.g. :
    (poc file can be downloaded from https://drive.google.com/file/d/1b6pg15vvtYWXoaJHdIjO8CUHVkkTlmPm/view?usp=sharing)
java -jar target/Entry-1.0-SNAPSHOT-jar-with-dependencies.jar pocs/crash-f4d920d202a2f3d4d305f8eda683e2aa164955a7

Any further discussion for this vulnerability including fix is welcomed!
@ZanderHuang ZanderHuang mentioned this issue Oct 24, 2021
Closed
srikanth-lingala added a commit that referenced this issue Mar 22, 2022
@srikanth-lingala
#372 Handle unexpected eof when reading compressed stream
445c161
@srikanth-lingala srikanth-lingala self-assigned this Mar 22, 2022
@srikanth-lingala srikanth-lingala added bug Something isn't working resolved labels Mar 22, 2022
srikanth-lingala added a commit that referenced this issue Mar 23, 2022
@srikanth-lingala
#372 Adjust test according to code change
985d8c5
@srikanth-lingala
Copy link
Owner

Fixed in v2.10.0 released today

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@srikanth-lingala srikanth-lingala

Labels
bug Something isn't working resolved
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@srikanth-lingala @ZanderHuang