Archive · C
How to fuzz libzip
ZIP64 extensions double the integer surface — oversized field values corrupt allocations.
libzip is used in PHP's zip extension and numerous desktop applications for reading and writing ZIP archives. Its ZIP64 support introduces 64-bit length fields that are narrowed to platform-native types during allocation, creating integer truncation bugs when archives declare enormous entry counts or offset values.
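The narrowing hazard described above, shown on the ZIP64 end-of-central-directory record itself. This is an added, self-contained example and not libzip code: the struct and function names are my own, the record is constructed inline, and the size-check policy (bound the entry count by what the archive can physically contain, then check the multiplication) is one reasonable hardened form rather than the library's actual logic. A claimed entry count of 2^32 + 1 collapses to 1 under an unchecked 32-bit cast, which is exactly the mismatch between what gets allocated and what the parser later iterates over.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ZIP64 end-of-central-directory record (APPNOTE 4.3.14): 56-byte fixed part, little-endian. */
#define ZIP64_EOCD_SIG 0x06064b50u
#define ZIP64_EOCD_LEN 56
#define CDIR_ENTRY_MIN 46   /* smallest possible central directory header */

struct zip64_eocd {
    uint64_t record_size;
    uint16_t version_made_by, version_needed;
    uint32_t disk_number, cdir_disk;
    uint64_t entries_this_disk, entries_total;
    uint64_t cdir_size, cdir_offset;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static void put64(uint8_t *p, uint64_t v) { put32(p, (uint32_t)v); put32(p + 4, (uint32_t)(v >> 32)); }

/* Parse the fixed part; returns 0 on success, -1 if truncated or wrong signature. */
int zip64_eocd_parse(const uint8_t *buf, size_t len, struct zip64_eocd *out)
{
    if (len < ZIP64_EOCD_LEN || rd32(buf) != ZIP64_EOCD_SIG) return -1;
    out->record_size      = rd64(buf + 4);
    out->version_made_by  = rd16(buf + 12);
    out->version_needed   = rd16(buf + 14);
    out->disk_number      = rd32(buf + 16);
    out->cdir_disk        = rd32(buf + 20);
    out->entries_this_disk = rd64(buf + 24);
    out->entries_total    = rd64(buf + 32);
    out->cdir_size        = rd64(buf + 40);
    out->cdir_offset      = rd64(buf + 48);
    return 0;
}

/* The bug pattern: the 64-bit count is silently narrowed to a 32-bit allocation count. */
uint32_t naive_entry_count(const struct zip64_eocd *e) { return (uint32_t)e->entries_total; }

/* Hardened form (assumed policy, not libzip's): reject counts the archive cannot hold,
   reject a central directory that does not fit in the file, then check the multiply. */
int checked_cdir_alloc_size(const struct zip64_eocd *e, uint64_t archive_len,
                            size_t elem_size, size_t *out)
{
    if (e->entries_total > archive_len / CDIR_ENTRY_MIN) return -1;
    if (e->cdir_offset > archive_len || e->cdir_size > archive_len - e->cdir_offset) return -1;
    if (e->entries_total > (uint64_t)SIZE_MAX / elem_size) return -1;
    *out = (size_t)e->entries_total * elem_size;
    return 0;
}

/* Constructed sample record; only the fields relevant here are non-zero. */
size_t build_sample_eocd(uint8_t buf[ZIP64_EOCD_LEN], uint64_t entries, uint64_t cdir_size)
{
    memset(buf, 0, ZIP64_EOCD_LEN);
    put32(buf, ZIP64_EOCD_SIG);
    put64(buf + 4, ZIP64_EOCD_LEN - 12);   /* 44: size of the record after this field */
    put16(buf + 12, 45);                   /* version made by: 4.5 (ZIP64) */
    put16(buf + 14, 45);                   /* version needed to extract */
    put64(buf + 24, entries);
    put64(buf + 32, entries);
    put64(buf + 40, cdir_size);
    put64(buf + 48, 0);
    return ZIP64_EOCD_LEN;
}

int main(void)
{
    uint8_t buf[ZIP64_EOCD_LEN];
    struct zip64_eocd e;
    size_t n;
    /* Hostile record: 2^32 + 1 entries declared inside a 2 MiB "archive". */
    build_sample_eocd(buf, 0x100000001ULL, 1024 * 1024);
    if (zip64_eocd_parse(buf, sizeof buf, &e) != 0) return 1;
    printf("declared entries: %llu, naive 32-bit count: %u\n",
           (unsigned long long)e.entries_total, naive_entry_count(&e));
    printf("checked allocation: %s\n",
           checked_cdir_alloc_size(&e, 2 * 1024 * 1024, 48, &n) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The naive cast is the shape of the bug, not a claim about any specific libzip line: the parser sizes an allocation from the truncated count and then walks the central directory using the full 64-bit value, or vice versa. The hardened check works from a fact the attacker cannot forge, the real length of the input, which is also the cheapest invariant a fuzzer-found crash tends to violate.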
Common bug classes
- Integer overflow in ZIP64 entry size to allocation narrowing
- Heap buffer overflow in extra-field record length parsing
- Out-of-bounds read on truncated central directory signature
- Use-after-free in zip_source chain error cleanup
- Path traversal via absolute or dot-dot entry name
Recommended setup
Fuzzers
- AFL++
- libFuzzer
Sanitizers
- ASan
- UBSan
Harness scaffold

    #include <stdint.h>
    #include <stddef.h>
    #include <zip.h>

    /* extern "C" keeps the entry point unmangled when the file is built as C++ (fuzz_target.cc). */
    #ifdef __cplusplus
    extern "C"
    #endif
    int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
        zip_error_t err;
        zip_error_init(&err);
        /* freep = 0: libzip reads the fuzzer's buffer in place and must not free it. */
        zip_source_t *src = zip_source_buffer_create(data, size, 0, &err);
        if (!src) {
            zip_error_fini(&err);
            return 0;
        }
        /* On success the archive takes ownership of src; on failure we free it ourselves. */
        zip_t *za = zip_open_from_source(src, ZIP_RDONLY, &err);
        if (za) {
            zip_int64_t n = zip_get_num_entries(za, 0);
            for (zip_int64_t i = 0; i < n && i < 64; i++) {
                zip_file_t *zf = zip_fopen_index(za, (zip_uint64_t)i, 0);
                if (!zf) continue;
                /* Drain the entry so decompression runs to completion, but cap the output
                   so a small input that inflates to gigabytes does not stall the fuzzer. */
                char buf[4096];
                zip_int64_t total = 0, got;
                while ((got = zip_fread(zf, buf, sizeof(buf))) > 0 && (total += got) < (1 << 20))
                    ;
                zip_fclose(zf);
            }
            zip_close(za);   /* read-only, nothing modified: closes without writing */
        } else {
            zip_source_free(src);
        }
        zip_error_fini(&err);
        return 0;
    }

Save this as fuzz_target.cc, build it with your compiler and sanitizer flags, and you have a working starting point.
Notable CVEs found by fuzzing
- CVE-2022-29970