[BusyBox 0000585]: gzip enters infinite busy loop when decompressing a corrupted file

bugs at busybox.net
Wed Dec 7 15:13:49 UTC 2005


The following issue has been SUBMITTED. 
====================================================================== 
http://busybox.net/bugs/view.php?id=585 
====================================================================== 
Reported By:                schweikhardt
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   585
Category:                   Other
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             12-07-2005 07:13 PST
Last Modified:              12-07-2005 07:13 PST
====================================================================== 
Summary:                    gzip enters infinite busy loop when decompressing a corrupted file
Description: 
gzip can enter a busy loop when fed a truncated file. To reproduce:

# gzip -?    # To print version info
gzip: invalid option -- ?
BusyBox v1.00-rc3 (2004.10.07-07:15+0000) multi-call binary

Usage: gzip [OPTION]... [FILE]...

Compress FILE(s) with maximum compression.
When FILE is '-' or unspecified, reads standard input.  Implies -c.

Options:
 -c Write output to standard output instead of FILE.gz
 -d decompress

# strace gzip -cd tst.tgz > /dev/null
execve("/bin/gzip", ["gzip", "-cd", "tst.tgz"], [/* 21 vars */]) = 0
fcntl64(0, F_GETFD)                     = 0
fcntl64(1, F_GETFD)                     = 0
fcntl64(2, F_GETFD)                     = 0
geteuid()                               = 0
getuid()                                = 0
getegid()                               = 0
getgid()                                = 0
brk(0)                                  = 0x101b7278
brk(0x101b8278)                         = 0x101b8278
brk(0x101b9000)                         = 0x101b9000
stat("/etc/busybox.conf", {st_mode=S_IFREG|0444, st_size=266, ...}) = 0
open("/etc/busybox.conf", O_RDONLY)     = 3
fstat64(3, {st_mode=S_IFREG|0444, st_size=266, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x30000000
read(3, "[SUID]\nsu\t= ssx 0.0 # run with e"..., 4096) = 266
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x30000000, 4096)                = 0
getuid()                                = 0
getgid()                                = 0
setgid(0)                               = 0
setuid(0)                               = 0
open("tst.tgz", O_RDONLY)               = 3
stat("tst.tgz", {st_mode=S_IFREG|0600, st_size=65657, ...}) = 0
ioctl(3, TCGETS or TCGETS, 0x7ffff6b0)  = -1 ENOTTY (Inappropriate ioctl for device)
read(3, "\37", 1)                       = 1
read(3, "\213", 1)                      = 1
read(3, "\10\10G\6rC\2\3", 8)           = 8
read(3, "p", 1)                         = 1
read(3, "k", 1)                         = 1
read(3, "g", 1)                         = 1
read(3, ".", 1)                         = 1
read(3, "t", 1)                         = 1
read(3, "a", 1)                         = 1
read(3, "r", 1)                         = 1
read(3, "\0", 1)                        = 1
brk(0x101c0000)                         = 0x101c0000
brk(0x101c8000)                         = 0x101c8000
read(3, "\354\231wTT\327\332\207\31E\21\260\321\4\373X\242\6\25"..., 32760) = 32760
brk(0x101c9000)                         = 0x101c9000
brk(0x101ca000)                         = 0x101ca000
write(1, "var/db/pkg/05HAN000174AAR0005-ro"..., 32768) = 32768
read(3, "\210\25\325\320\356\237\3551\4\376~\371\275\'\363d\34\'"..., 32760) = 32760
write(1, "\276e\5=\23C F\367\364\317\1\363\347?\4\37\362C\234i\276"..., 32768) = 32768
read(3, "\36\356\236L=\240\301\371\216DG\200%sw\30\211j\216<\222"..., 32760) = 119
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
read(3, "", 32760)                      = 0
[etc ad nauseam; I interrupted this after gzip had accumulated 80 cpu
minutes]

It appears that at one point a "short read" indicating EOF is ignored.
====================================================================== 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
12-07-05 07:13  schweikhardt   New Issue                                    
12-07-05 07:13  schweikhardt   Status                   new => assigned     
12-07-05 07:13  schweikhardt   Assigned To               => BusyBox         
12-07-05 07:13  schweikhardt   File Added: tst.tgz                          
======================================================================
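
The report suspects that a read() returning 0 is not treated as end of input. An input layer that records EOF as a sticky state stops after a single zero-length read. The C code below is an added example, not part of the original report and not BusyBox's code; struct inbuf, inbuf_fill, inbuf_getc and demo_truncated are hypothetical names, and the pipe input it reads is constructed.

```c
#include <errno.h>
#include <unistd.h>

struct inbuf {                  /* hypothetical; not BusyBox's structure */
    int fd, eof;                /* eof is sticky: set once read() returns 0 */
    size_t pos, len;
    unsigned reads;             /* read() calls issued so far */
    unsigned char buf[32760];   /* chunk size seen in the strace */
};

/* Refill: 1 = data available, 0 = end of file, -1 = I/O error. */
static int inbuf_fill(struct inbuf *in) {
    ssize_t n;
    if (in->eof)
        return 0;               /* never poll the descriptor again after EOF */
    do {
        n = read(in->fd, in->buf, sizeof in->buf);
        in->reads++;
    } while (n < 0 && errno == EINTR);
    in->eof = (n == 0);
    if (n <= 0)
        return (int)n;
    in->pos = 0;
    in->len = (size_t)n;
    return 1;
}

/* Next input byte, or -1 when the stream has ended or failed. */
static int inbuf_getc(struct inbuf *in) {
    if (in->pos == in->len && inbuf_fill(in) <= 0)
        return -1;
    return in->buf[in->pos++];
}

/* Constructed demo: a pipe holds `have` (<= 512) zero bytes and the consumer
 * wants `want`. Returns bytes obtained; *reads receives the read() count. */
size_t demo_truncated(size_t have, size_t want, unsigned *reads) {
    struct inbuf in = {0};
    size_t got = 0;
    int p[2];
    if (have > 512 || pipe(p) != 0 || write(p[1], in.buf, have) < 0)
        return 0;
    close(p[1]);                /* writer closed: the input ends early */
    in.fd = p[0];
    while (got < want && inbuf_getc(&in) >= 0)
        got++;
    (void)inbuf_getc(&in);      /* asking again after EOF issues no read() */
    close(p[0]);
    *reads = in.reads;
    return got;
}
```

A decoder built on inbuf_getc has to treat -1 in the middle of a stream as a truncated-input error and exit, rather than requesting more data.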



