Skip to content

Program received signal SIGILL, Illegal instruction. in mz_zip_reader_end_internal at /LuPng/miniz.h:5179 #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ambrosecm opened this issue Mar 24, 2025 · 0 comments
Open

Program received signal SIGILL, Illegal instruction. in mz_zip_reader_end_internal at /LuPng/miniz.h:5179 #18

ambrosecm opened this issue Mar 24, 2025 · 0 comments

Comments

@ambrosecm
Copy link

Desctiption

When using the mz_zip_reader_end_internal function to handle a specific input. Program received signal SIGILL, Illegal instruction. in mz_zip_reader_end_internal at /LuPng/miniz.h:5179

LuPng/miniz.h

Lines 5159 to 5179 in 5ec546e

static mz_bool mz_zip_reader_end_internal(mz_zip_archive *pZip, mz_bool set_last_error)
{
mz_bool status = MZ_TRUE;
if (!pZip)
return MZ_FALSE;
if ((!pZip->m_pState) || (!pZip->m_pAlloc) || (!pZip->m_pFree) || (pZip->m_zip_mode != MZ_ZIP_MODE_READING))
{
if (set_last_error)
pZip->m_last_error = MZ_ZIP_INVALID_PARAMETER;
return MZ_FALSE;
}
if (pZip->m_pState)
{
mz_zip_internal_state *pState = pZip->m_pState;
pZip->m_pState = NULL;
mz_zip_array_clear(pZip, &pState->m_central_dir);

The primary cause is that the parameter in mz_zip_reader_end_internal is corrupted and don’t be checked which points to an inaccessible address, leading to Illegal instruction.

Test Environment

Ubuntu 22.04.1, 64bit
LuPng(commits on Aug 28, 2021 master 5ec546e)
program source file

How to trigger

Download the poc file , program and run the following cmd:

 $ ./mz_zip_end ./poc

Detail

GDB report

(gdb) r
Starting program: /home/ambrose/vsproject/HIMFuzz/harness/output/LuPng_deepseek24/crashes/miniz.h/generate/mz_zip_end/mz_zip_end output/default/crashes/id:000000,sig:04,src:000001,time:119553,execs:42350,op:havoc,rep:28
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGILL, Illegal instruction.
0x00005555556ccc6a in mz_zip_reader_end_internal (pZip=0x7bfff5a09020, set_last_error=1) at /home/ambrose/vsproject/TestLib/LuPng/miniz.h:5179
5179            mz_zip_array_clear(pZip, &pState->m_central_dir);
(gdb) bt
#0  0x00005555556ccc6a in mz_zip_reader_end_internal (pZip=0x7bfff5a09020, set_last_error=1)
    at /home/ambrose/vsproject/TestLib/LuPng/miniz.h:5179
#1  0x00005555556cc2a2 in mz_zip_reader_end (pZip=0x7bfff5a09020)
    at /home/ambrose/vsproject/TestLib/LuPng/miniz.h:5208
#2  0x00005555557800e8 in mz_zip_end (pZip=0x7bfff5a09020) at /home/ambrose/vsproject/TestLib/LuPng/miniz.h:9071
#3  0x0000555555780962 in main (argc=2, argv=0x7fffffffdac8)
    at output/LuPng_deepseek24/harness/code/miniz.h/generate/mz_zip_end.c:30
(gdb) p pState->m_central_dir
Cannot access memory at address 0x86a6b9b9a6868686
(gdb) p &pState->m_central_dir
$1 = (mz_zip_array *) 0x86a6b9b9a6868686
(gdb) p pZip
$2 = (mz_zip_archive *) 0x7bfff5a09020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ambrosecm