Skip to content

java.lang.ArrayIndexOutOfBoundsException in net.lingala.zip4j.util.RawIO.readLongLittleEndian::RawIO.java:59 zip4j 2.9.0 #368

New issue
Jump to bottom
New issue
Jump to bottom
Closed
Closed
java.lang.ArrayIndexOutOfBoundsException in net.lingala.zip4j.util.RawIO.readLongLittleEndian::RawIO.java:59 zip4j 2.9.0#368
Assignees
srikanth-lingala
Labels
bugSomething isn't workingresolved
@ZanderHuang

Description

@ZanderHuang
ZanderHuang
opened on Oct 24, 2021

This vulnerability is of java.lang.ArrayIndexOutOfBoundsException, and can be triggered in latest version zip4j (2.9.0).
It is caused by missing check the array index < array size and also failing to catch the runtime java exception (it should be wrapped as one kind of JSONException) and can be used for attackers to launch DoS (Denial of Service) attack for any java program that uses this library (since the user of zip4j doesn't know they need to catch this kind of exception) (CWE-129: Improper Validation of Array Index, CWE-248: Uncaught exception).
Likely, the root cause of this crash is in net.lingala.zip4j.util.RawIO.readLongLittleEndian::RawIO.java:59.

zip4j/src/main/java/net/lingala/zip4j/util/RawIO.java

Line 59 in ce1cff6

System.arraycopy(array, pos, longBuff, 0, array.length < 8 ? array.length - pos : 8);
Index 16 out of bounds for byte[13].

See more detail from the following crash stack.

Crash stack:

The crash thread's stack is as follows:

java.base/java.lang.System.arraycopy::Native Method
net.lingala.zip4j.util.RawIO.readLongLittleEndian::RawIO.java:59
net.lingala.zip4j.headers.HeaderReader.readZip64ExtendedInfo::HeaderReader.java:488
net.lingala.zip4j.headers.HeaderReader.readZip64ExtendedInfo::HeaderReader.java:445
net.lingala.zip4j.headers.HeaderReader.readLocalFileHeader::HeaderReader.java:575
net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry::ZipInputStream.java:91
net.lingala.zip4j.io.inputstream.ZipInputStream.getNextEntry::ZipInputStream.java:83
com.test.Entry.main::Entry.java:37

Steps to reproduce:

  1. Build the following java code with the corresponding zip4j library (version 2.9.0).
## Download zip4j_env_reproduce.tar.gz from https://drive.google.com/file/d/1MekCBIghKxIW4j-TLjZkm8ovvLb_grm5/view?usp=sharing
tar -xf zip4j_env_reproduce.tar.gz
cd zip4j_env_reproduce
bash build.sh
  1. Run the built program to see the crash by feeding one of the poc file contained in the pocs.tar.gz, e.g. :
    (poc file can be downloaded from https://drive.google.com/file/d/1oUBqlpmCvLrUMTDpZOEX4c8KSylRRsQu/view?usp=sharing)
java -jar target/Entry-1.0-SNAPSHOT-jar-with-dependencies.jar pocs/crash-9be1e7b4f82bba801d4c688b42a8085c3f62ac24

Any further discussion for this vulnerability including fix is welcomed!

Metadata

Assignees

Labels

bugSomething isn't workingresolved

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions