CVE-2022-33067: UndefinedBehaviorSanitizer: invalid shifts · Issue #224 · ckolivas/lrzip

Lrzip v0.651 was discovered to contain multiple invalid arithmetic shifts via the functions get_magic in lrzip.c and Predictor::init in libzpaq/libzpaq.cpp. These vulnerabilities allow attackers to cause a Denial of Service via unspecified vectors.

CVE
Tags: #vulnerability #dos #c++

**Describe the bug**

UndefinedBehaviorSanitizer: two runtime errors that expose invalid integer shifts in the library.

**To Reproduce**

Built lrzip using clang-10 with CXXFLAGS and/or CFLAGS = '-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'

commit: 3495188

**UBSAN Output**

$ ./lrzip -d ./id:000000,sig:06,src:000057+000060,time:234495,op:splice,rep:8,trial:0 -o asd
Output filename is: asd
lrzip.c:208:36: runtime error: left shift of 2149580800 by 32 places cannot be represented in type 'i64' (aka 'long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior lrzip.c:208:36 in 
Invalid expected size -9214364837600034554

$ ./lrzip -d ../../fizzbench-second-bench/cve-unique/lrzip-lrzip_decompress_fuzzer/id:000001,sig:06,src:000124+000094,time:315933,op:splice,rep:2,trial:3 -o output
Output filename is: output
Decompressing...
libzpaq/libzpaq.cpp:804:58: runtime error: left shift of negative value -70
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libzpaq/libzpaq.cpp:804:58 in 

testcases:
testcases.zip
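Both sanitizer findings above are the same class of defect: a left shift whose result is not representable in the signed type. The following is an added illustration, not lrzip's or libzpaq's own code; it assumes (as a reconstruction, since the page does not show the source) that get_magic combines two 32-bit header words into a 64-bit expected size, and shows how to do that with defined arithmetic plus a range check that rejects the header the fuzzer produced. The low word of 262 is a constructed value chosen so that the unchecked result is exactly the -9214364837600034554 printed in the log.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reconstruction of the pattern behind lrzip.c:208: the upper
 * header word is cast to i64 and shifted by 32. With high = 2149580800
 * (0x80200000, bit 31 set) the result cannot be represented in int64_t,
 * which is the undefined behaviour UBSan reported. Not called below. */
static int64_t expected_size_unchecked(uint32_t high, uint32_t low)
{
    return ((int64_t)high << 32) | low; /* UB whenever high >= 2^31 */
}

/* Raw 64-bit header value, assembled in unsigned arithmetic (always defined). */
static uint64_t header_bits(uint32_t high, uint32_t low)
{
    return ((uint64_t)high << 32) | low;
}

/* Hardened version: shift in unsigned, then refuse any value that would be
 * negative once interpreted as a signed size. Returns false on a bad header
 * so the caller can abort decompression instead of trusting a garbage size. */
static bool expected_size_checked(uint32_t high, uint32_t low, int64_t *out)
{
    uint64_t v = header_bits(high, low);
    if (v > (uint64_t)INT64_MAX)
        return false; /* would read as a negative expected size: reject */
    *out = (int64_t)v;
    return true;
}

/* The libzpaq.cpp:804 finding is a left shift of a negative value (-70 in the
 * log), also undefined in C. Doing the shift on the unsigned representation
 * and converting back gives the two's-complement result with no UB. */
static int32_t shl_wrapping(int32_t v, unsigned n)
{
    return (int32_t)((uint32_t)v << n);
}

int main(void)
{
    int64_t size;
    /* 2149580800 is the high word from the report; 262 is constructed so that
     * the unchecked i64 reinterpretation equals the logged -9214364837600034554. */
    printf("raw header bits: 0x%016llx\n", (unsigned long long)header_bits(2149580800u, 262u));
    if (!expected_size_checked(2149580800u, 262u, &size))
        puts("header rejected: expected size does not fit in int64_t");
    printf("shl_wrapping(-70, 1) = %d\n", shl_wrapping(-70, 1));
    return 0;
}
```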
