Description:
snzip is a compression/decompression tool based on snappy.
A fuzzing revealed a memory allocation failure.
The complete ASan output:
# snzip -d $FILE Ȥ�==12351==WARNING: AddressSanitizer failed to allocate 0xffffffffc8617364 bytes ==12351==AddressSanitizer's allocator is terminating the process instead of returning 0 ==12351==If you don't like this behavior set allocator_may_return_null=1 ==12351==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0) #0 0x4ca7ed in AsanCheckFailed /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67 #1 0x4d1323 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159 #2 0x4cf076 in __sanitizer::ReportAllocatorCannotReturnNull() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:147 #3 0x424896 in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator >::ReturnNullOrDie() /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator.h:1317 #4 0x424896 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:359 #5 0x4205bd in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:539 #6 0x4205bd in __asan::asan_realloc(void*, unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_allocator.cc:732 #7 0x4c1231 in realloc /var/tmp/portage/sys-devel/llvm-3.8.1-r2/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79 #8 0x4fe72c in work_buffer_resize /tmp/portage/app-arch/snzip-1.0.3/work/snzip-1.0.3/snzip.c:584:13 #9 0x51667b in snappy_java_uncompress /tmp/portage/app-arch/snzip-1.0.3/work/snzip-1.0.3/snappy-java-format.c:193:7 #10 0x4f68ea in main /tmp/portage/app-arch/snzip-1.0.3/work/snzip-1.0.3/snzip.c:401:11 #11 0x7fcbabbd261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #12 0x419988 in _init (/usr/bin/snzip+0x419988)
Affected version:
1.0.3
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
Timeline:
2016-10-13: bug discovered
2016-10-13: bug reported to upstream
2016-10-18: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
snzip: memory allocation failure in work_buffer_resize (snzip.c)