Description
NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip's .NET single-file bundle handler in NanaZip.Codecs.Archive.DotNetSingleFile.cpp sizes its extraction buffer from the bundle entry Size field, which is only checked for sign and is not validated against the real file size. A crafted bundle can cause an attacker-chosen allocation inside Extract, where std::bad_alloc or std::length_error can escape across the COM STDMETHODCALLTYPE boundary and crash the process. This issue is fixed in version 6.5.1749.0.
Problem types
CWE-400: Uncontrolled Resource Consumption
Product status
References
github.com/...anaZip/security/advisories/GHSA-ppm9-5267-rq72
github.com/...anaZip/security/advisories/GHSA-ppm9-5267-rq72
github.com/...ommit/ad62e3b4970b9f01e924c99094d6fed7a42f849a
github.com/M2Team/NanaZip/releases/tag/6.5.1749.0