Program received signal SIGILL, Illegal instruction. in mz_zip_get_archive_file_start_offset at /LuPng/miniz.h:9021

[ambrosecm]

Desctiption

When using the mz_zip_get_archive_file_start_offset function to handle a specific input. Program received signal SIGILL, Illegal instruction. in mz_zip_get_archive_file_start_offset at /LuPng/miniz.h:9021

LuPng/miniz.h

Lines 9017 to 9021 in 5ec546e

	mz_uint64 mz_zip_get_archive_file_start_offset(mz_zip_archive *pZip)
	{
	if ((!pZip) || (!pZip->m_pState))
	return 0;
	return pZip->m_pState->m_file_archive_start_ofs;

The primary cause is that the parameter in mz_zip_get_archive_file_start_offset is corrupted and don’t be checked which points to an inaccessible address

Test Environment

Ubuntu 22.04.1, 64bit
LuPng(commits on Aug 28, 2021 master 5ec546e)
program source file

How to trigger

Download the poc file , program and run the following cmd:

 $ ./mz_zip_get_archive_file_start_offset ./poc

Detail

GDB report

(gdb) r
Starting program: /home/ambrose/vsproject/HIMFuzz/harness/output/LuPng_deepseek24/crashes/miniz.h/generate/mz_zip_get_archive_file_start_offset/mz_zip_get_archive_file_start_offset output/default/crashes/id:000000,sig:04,src:000000,time:537,execs:162,op:quick,pos:104
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGILL, Illegal instruction.
0x000055555577d3ca in mz_zip_get_archive_file_start_offset (pZip=0x7caff6c20040) at /home/ambrose/vsproject/TestLib/LuPng/miniz.h:9021
9021        return pZip->m_pState->m_file_archive_start_ofs;
(gdb) bt
#0  0x000055555577d3ca in mz_zip_get_archive_file_start_offset (pZip=0x7caff6c20040)
    at /home/ambrose/vsproject/TestLib/LuPng/miniz.h:9021
#1  0x000055555577f936 in main (argc=2, argv=0x7fffffffda48)
    at output/LuPng_deepseek24/harness/code/miniz.h/generate/mz_zip_get_archive_file_start_offset.c:43
(gdb) p pZip->m_pState->m_file_archive_start_ofs
Cannot access memory at address 0xac