[Bug 2093024] Re: zip crashes when using options -T and -TT
Albert
2093024 at bugs.launchpad.net
Sun Jan 5 16:18:03 UTC 2025
Actually, I spent some time to figure out what is wrong. It looks like
the program name in the -TT command does not matter; the crash is always present on
my host (Ubuntu 24.04.1 LTS, zip 3.0-13ubuntu0.1).
The program crashes inside the check_zipfile function:
```c
if (here) {
    /* ... */
} else {
    /* No {} so append temp name to end */
    strcpy(cmd, unzip_path);
    strcat(cmd, " ");
# ifdef UNIX
    strcat(cmd, "'"); /* accept space or $ in name */
    strcat(cmd, zipname);
    strcat(cmd, "'"); /* <- this function causes a program crash */
# else
    strcat(cmd, zipname);
# endif
}
```
At the moment of the call to the "faulty" strcat, gdb shows:
```
0x555555575f25 <check_zipfile.isra+453> lea rdi, [r12 + r15 + 2]
0x555555575f2a <check_zipfile.isra+458> mov ecx, 1
0x555555575f2f <check_zipfile.isra+463> mov rsi, r14
0x555555575f32 <check_zipfile.isra+466> add rdi, rbx
0x555555575f35 <check_zipfile.isra+469> mov edx, 2
► 0x555555575f3a <check_zipfile.isra+474> call __memcpy_chk at plt
dstpp: 0x5555555d896e ◂— 0
srcpp: 0x555555578565 ◂— 0x32252d6434250027 /* "'" */
len: 2
dstlen: 1
```
`__memcpy_chk` will fail if dstlen <= len, and that's expected.
What is unexpected, though, is that the 3rd (rdx register) and 4th (rcx
register) parameters are set to 2 and 1, causing this code path to
always fail. Not sure why such code was generated.
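As an added example, written for this thread and not taken from zip's source or from the report above, here is how the same -TT command string can be built into a buffer sized from its inputs, so that no strcat into an undersized buffer is possible; the function names are my own, and it assumes the archive name is wrapped in single quotes with any embedded single quote escaped as '\'' so the shell still sees one argument.

```c
#include <stdlib.h>
#include <string.h>

/* Bytes in the single-quoted form of name, with each ' escaped
 * as '\'' (terminating NUL not counted). */
static size_t quoted_len(const char *name) {
    size_t n = 2;                      /* opening and closing quote */
    for (; *name; name++)
        n += (*name == '\'') ? 4 : 1;
    return n;
}

/* Write the quoted name at dst; returns bytes written (no NUL). */
static size_t quote_into(char *dst, const char *name) {
    char *p = dst;
    *p++ = '\'';
    for (; *name; name++) {
        if (*name == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else *p++ = *name;
    }
    *p++ = '\'';
    return (size_t)(p - dst);
}

/* Build the -TT test command: if unzip_path contains "{}" the quoted
 * archive name replaces it, otherwise " 'name'" is appended.  The
 * buffer is sized from the inputs, so no fixed-size strcat can
 * overrun it.  Returns a malloc'd string, or NULL on failure. */
char *build_test_cmd(const char *unzip_path, const char *zipname) {
    const char *here = strstr(unzip_path, "{}");
    size_t plen = strlen(unzip_path);
    size_t qlen = quoted_len(zipname);
    size_t need = plen + qlen + 2;     /* upper bound incl. ' ' and NUL */
    char *cmd = malloc(need), *p = cmd;
    if (!cmd) return NULL;
    if (here) {
        size_t head = (size_t)(here - unzip_path);
        memcpy(p, unzip_path, head);  p += head;
        p += quote_into(p, zipname);
        strcpy(p, here + 2);           /* tail after "{}" */
    } else {
        memcpy(p, unzip_path, plen);  p += plen;
        *p++ = ' ';
        p += quote_into(p, zipname);
        *p = '\0';
    }
    return cmd;
}
```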
https://bugs.launchpad.net/bugs/2093024
Title:
zip crashes when using options -T and -TT
Status in zip package in Ubuntu:
New
Bug description:
Running the zip command with the -T -TT arguments causes the zip process to crash
due to a buffer overflow. See below:
```
$ zip a.zip /etc/hosts -T -TT "ls"
adding: etc/hosts (deflated 35%)
*** buffer overflow detected ***: terminated
zip error: Interrupted (aborting)
free(): double free detected in tcache 2
$ lsb_release -rd
OS: Ubuntu 24.04.1 LTS
$ apt-cache policy zip
zip:
  Installed: 3.0-13ubuntu0.1
  Candidate: 3.0-13ubuntu0.1
  Version table:
 *** 3.0-13ubuntu0.1 500
        500 http://pl.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.0-13build1 500
        500 http://pl.archive.ubuntu.com/ubuntu noble/main amd64 Packages
```
In addition to that, I tested various Docker images; here are the results:
- ubuntu:24.10 at sha256:102bc1874fdb136fc2d218473f03cf84135cb7496fefdb9c026c0f553cfe1b6d - zip 3.0-14ubuntu0.1 - issue occurs
- ubuntu:24.04 at sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab - zip 3.0-13ubuntu0.1 - issue occurs
- ubuntu:20.04 at sha256:8e5c4f0285ecbb4ead070431d29b576a530d3166df73ec44affc1cd27555141b - zip 3.0-11build1 - issue does not occur
- debian:bookworm at sha256:b877a1a3fdf02469440f1768cf69c9771338a875b7add5e80c45b756c92ac20a - zip 3.0-13 - issue does not occur