Fix crash in StuffItX parser when block size overflows#189
Open
alek-prykhodko wants to merge 3 commits into
Open
Fix crash in StuffItX parser when block size overflows#189alek-prykhodko wants to merge 3 commits into
alek-prykhodko wants to merge 3 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
Fixes a crash in the StuffItX “Iron” decompressor caused by integer truncation/overflow when reading a malformed block size from the compressed stream.
Changes:
- Reads the block size as
uint64_tand validates it before narrowing tounsigned int. - Computes the allocation size using
size_tand uses that value formalloc().
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
alek-prykhodko
force-pushed
the
fix/stuffitx-blocksize-overflow
branch
from
d487746 to
b76757c
Compare
alek-prykhodko
force-pushed
the
fix/stuffitx-blocksize-overflow
branch
from
b76757c to
954c459
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
XADStuffItXIronHandle.m:115
tableis derived fromblock + 2*blocksizeand cast touint32_t *. Ifblocksizeis not 2-byte aligned, this can produce a misaligneduint32_t *(undefined behavior and potential crash on alignment-sensitive architectures). Consider aligning the table offset toalignof(uint32_t)and adjusting the allocation size accordingly.
block=malloc(allocsize);
if(!block) [XADException raiseOutOfMemoryException];
sorted=block+blocksize;
table=(uint32_t *)(block+2*blocksize);
currsize=blocksize;
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When extracting StuffItX archives, the decompression block size is read from the compressed stream as a
uint64_tviaCSInputNextSitxP2, then immediately cast tounsigned int. In malformed archives this value can exceedINT_MAX, causing the cast to overflow and produce a wrongblocksize. A second overflow occurs when computing the allocation size:blocksize*6is evaluated in unsigned int arithmetic before being passed tomalloc(), and wraps around to a small value. malloc succeeds with that undersized buffer, butsortedandtableare computed using the original blocksize as an offset — placing them far outside the allocation and turning any access through them into a crash:Key Changes
UINT_MAXbefore casting tounsigned int.size_t allocsize = (size_t)blocksize * 6so the multiplication happens in 64-bit arithmetic and cannot overflow.