Coordinated Disclosure Timeline
- 2025-04-24: Reported as a private issue
- 2025-04-29: Report acknowledged
- 2025-07-05: Fixed in v25.00
Summary
7-Zip supports extracting from Compound Documents. Null pointer dereference in the Compound handler may lead to denial of service.
Project
7-Zip
Tested Version
Details
Null pointer array write attempt in NArchive::NCom::CHandler::GetStream (GHSL-2025-059)
When item.Size is a certain large number (item.Size + clusterSize - 1) >> bsLog at [1] may overflow and numClusters64 becomes zero. Note, that if (numClusters64 >= ((UInt32)1 << 31)) check at [2] doesn’t prevent the unsigned integer overflow. Then the vector call ClearAndReserve at [3] doesn’t allocate any memory and the internal vector pointer stays null. This leads to a null pointer write attempt at [4].
Z7_COM7F_IMF(CHandler::GetStream(UInt32 index, ISequentialInStream **stream))
{
...
const UInt64 numClusters64 = (item.Size + clusterSize - 1) >> bsLog; // <----- 1
if (numClusters64 >= ((UInt32)1 << 31)) // <----- 2
return E_NOTIMPL;
streamSpec->Vector.ClearAndReserve((unsigned)numClusters64); // <----- 3
UInt32 sid = item.Sid;
UInt64 size = item.Size;
if (size != 0)
{
for (;; size -= clusterSize)
{
if (isLargeStream)
{
if (sid >= _db.FatSize)
return S_FALSE;
streamSpec->Vector.AddInReserved(sid + 1); // <----- 4
PoC triggers null pointer write dereference when 7zz is compiled with ASAN and extracted, for example as 7zz e -so compound-crash.poc:
==2387581==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5615317c0993 bp 0x7ffcb31a1350 sp 0x7ffcb31a1300 T0)
==2387581==The signal is caused by a WRITE memory access.
==2387581==Hint: address points to the zero page.
#0 0x5615317c0993 in CRecordVector<unsigned int>::AddInReserved(unsigned int) ../../Archive/../../Common/MyVector.h:249:18
#1 0x5615317bfe66 in NArchive::NCom::CHandler::GetStream(unsigned int, ISequentialInStream**) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Archive/ComHandler.cpp:866:28
#2 0x5615317bea3d in NArchive::NCom::CHandler::Extract(unsigned int const*, unsigned int, int, IArchiveExtractCallback*) /src/7-zip/CPP/7zip/Bundles/Alone2/../../Archive/ComHandler.cpp:806:20
#3 0x561531e94bbb in DecompressArchive(CCodecs*, CArchiveLink const&, unsigned long, NWildcard::CCensorNode const&, CExtractOptions const&, bool, IExtractCallbackUI*, IFolderArchiveExtractCallback*, CArchiveExtractCallback*, UString&, unsigned long&) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Common/Extract.cpp:235:23
#4 0x561531e8fdf1 in Extract(CCodecs*, CObjectVector<COpenType> const&, CRecordVector<int> const&, CObjectVector<UString>&, CObjectVector<UString>&, NWildcard::CCensorNode const&, CExtractOptions const&, IOpenCallbackUI*, IExtractCallbackUI*, IFolderArchiveExtractCallback*, IHashCalc*, UString&, CDecompressStat&) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Common/Extract.cpp:542:5
#5 0x561531f49d3a in Main2(int, char**) /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Console/Main.cpp:1378:21
#6 0x561531f55ae4 in main /src/7-zip/CPP/7zip/Bundles/Alone2/../../UI/Console/MainAr.cpp:162:11
On Windows the same PoC was tested to crash the official 7-Zip build even without ASAN.
Impact
This issue may lead to denial of service.
CWEs
- CWE-476: NULL Pointer Dereference
CVE
- CVE-2025-53817 - GHSL-2025-059
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2025-059 in any communication regarding this issue.