LuPng
Program received signal SIGILL, Illegal instruction. in mz_zip_get_archive_file_start_offset at /LuPng/miniz.h:9021
Description
When mz_zip_get_archive_file_start_offset is called on a specific input, the program receives SIGILL (Illegal instruction) in mz_zip_get_archive_file_start_offset at /LuPng/miniz.h:9021.
https://github.com/jansol/LuPng/blob/5ec546e0d16d0fb9316967949b2676227eb93736/miniz.h#L9017-L9021
The primary cause is that the pZip parameter passed to mz_zip_get_archive_file_start_offset is corrupted and is not validated before use, so the dereference on line 9021 reads from an inaccessible address.
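To make the defect concrete, here is an added example (not LuPng's or miniz's own code) that contrasts an accessor which dereferences its state pointer unconditionally with one that validates the handle and its internal state first and reports an error instead of crashing. The struct and function names (archive_t, archive_state_t, start_offset_unchecked, start_offset_checked) and the error codes are stand-ins constructed for this illustration; they are not miniz identifiers.

```c
/* Added example: defensive accessor pattern for an archive-handle struct.
 * All types and names below are constructed for illustration and are not
 * miniz's own definitions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the internal state that the library allocates on init. */
typedef struct {
    uint64_t file_archive_start_ofs;   /* offset of the archive inside the file */
} archive_state_t;

/* Stand-in for the caller-owned handle. pState stays NULL until the archive
 * has been successfully initialised; a fuzzed or uninitialised handle may
 * carry NULL or garbage here. */
typedef struct {
    archive_state_t *pState;
    int last_error;                    /* last error recorded on this handle */
} archive_t;

enum {
    ARCHIVE_OK = 0,
    ARCHIVE_ERR_INVALID_PARAMETER = 1,
    ARCHIVE_ERR_NOT_INITIALIZED = 2
};

/* Unchecked form: mirrors the pattern in the report. If pZip or pZip->pState
 * is NULL or corrupted, this reads from an inaccessible address and the
 * process is killed by a signal instead of returning an error. */
uint64_t start_offset_unchecked(archive_t *pZip)
{
    return pZip->pState->file_archive_start_ofs;
}

/* Checked form: validate the handle and its state before dereferencing.
 * Returns 0 on error and reports the reason through *err (and, when the
 * handle itself is valid, through pZip->last_error). */
uint64_t start_offset_checked(archive_t *pZip, int *err)
{
    if (pZip == NULL) {
        if (err) *err = ARCHIVE_ERR_INVALID_PARAMETER;
        return 0;
    }
    if (pZip->pState == NULL) {
        pZip->last_error = ARCHIVE_ERR_NOT_INITIALIZED;
        if (err) *err = ARCHIVE_ERR_NOT_INITIALIZED;
        return 0;
    }
    if (err) *err = ARCHIVE_OK;
    pZip->last_error = ARCHIVE_OK;
    return pZip->pState->file_archive_start_ofs;
}

/* Minimal "init" so a valid handle can be built: attaches caller-provided
 * state and records a constructed start offset. */
int archive_init(archive_t *pZip, archive_state_t *state, uint64_t start_ofs)
{
    if (pZip == NULL || state == NULL)
        return ARCHIVE_ERR_INVALID_PARAMETER;
    state->file_archive_start_ofs = start_ofs;
    pZip->pState = state;
    pZip->last_error = ARCHIVE_OK;
    return ARCHIVE_OK;
}

int main(void)
{
    archive_t zip = {0};           /* zero-initialised: pState == NULL */
    archive_state_t state;
    int err = -1;

    /* Calling the accessor before init is reported, not fatal. */
    uint64_t ofs = start_offset_checked(&zip, &err);
    printf("before init: ofs=%llu err=%d\n", (unsigned long long)ofs, err);

    /* After a successful init the real value comes back. */
    archive_init(&zip, &state, 4096);
    ofs = start_offset_checked(&zip, &err);
    printf("after init:  ofs=%llu err=%d\n", (unsigned long long)ofs, err);

    /* start_offset_unchecked(&(archive_t){0}) is what the report's crash
     * looks like; it is deliberately not called here. */
    return 0;
}
```

The same discipline belongs in the harness: only call accessors on a handle whose initialisation call returned success, and treat a zeroed or fuzzer-filled struct as an invalid input rather than a valid archive.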
Test Environment
Ubuntu 22.04.1, 64-bit
LuPng master as of Aug 28, 2021 (commit https://github.com/jansol/LuPng/commit/5ec546e0d16d0fb9316967949b2676227eb93736), built from the program source file
How to trigger
Download the PoC file and the program, then run the following command:
$ ./mz_zip_get_archive_file_start_offset ./poc
Detail
GDB report
(gdb) r
Starting program: /home/ambrose/vsproject/HIMFuzz/harness/output/LuPng_deepseek24/crashes/miniz.h/generate/mz_zip_get_archive_file_start_offset/mz_zip_get_archive_file_start_offset output/default/crashes/id:000000,sig:04,src:000000,time:537,execs:162,op:quick,pos:104
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGILL, Illegal instruction.
0x000055555577d3ca in mz_zip_get_archive_file_start_offset (pZip=0x7caff6c20040) at /home/ambrose/vsproject/TestLib/LuPng/miniz.h:9021
9021 return pZip->m_pState->m_file_archive_start_ofs;
(gdb) bt
#0 0x000055555577d3ca in mz_zip_get_archive_file_start_offset (pZip=0x7caff6c20040)
at /home/ambrose/vsproject/TestLib/LuPng/miniz.h:9021
#1 0x000055555577f936 in main (argc=2, argv=0x7fffffffda48)
at output/LuPng_deepseek24/harness/code/miniz.h/generate/mz_zip_get_archive_file_start_offset.c:43
(gdb) p pZip->m_pState->m_file_archive_start_ofs
Cannot access memory at address 0xac