7-Zip Null Pointer Dereference Vulnerability in Compound Document Handler Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in 7-Zip versions prior to 25.0.0. The issue arises from a null pointer dereference in the Compound document handler, which can be exploited to cause a crash. When 7-Zip is extracting certain Compound documents, a large 'item.Size' value can trigger an unsigned integer overflow. This overflow allows the 'numClusters64' variable to become zero, bypassing a size check and leading to a null pointer write attempt. The vulnerability can be reproduced by using a crafted Compound document with the 7-Zip command-line interface.
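The arithmetic described above can be shown in isolation. This is an added example, not 7-Zip's source code: the 512-byte cluster size, the round-up formula, the `MAX_CLUSTERS` limit and all function names are assumptions made for illustration. It shows how a size near the 64-bit maximum wraps to a cluster count of zero that passes an upper-bound check, next to a computation that cannot wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration only, not taken from 7-Zip. */
#define CLUSTER_BITS 9u                      /* 512-byte clusters */
#define MAX_CLUSTERS ((uint64_t)1 << 31)     /* hypothetical sanity limit */

/* Unchecked round-up: size + 511 wraps past 2^64 for a huge size,
   so the cluster count comes out as 0. */
uint64_t clusters_unchecked(uint64_t size)
{
    uint64_t cluster_size = (uint64_t)1 << CLUSTER_BITS;
    return (size + cluster_size - 1) >> CLUSTER_BITS;
}

/* An upper-bound check alone accepts the wrapped count of 0. */
bool limit_check_passes(uint64_t num_clusters)
{
    return num_clusters < MAX_CLUSTERS;
}

/* Hardened: shift first, then add the remainder bit, so nothing wraps;
   the limit check then sees the true count and rejects it. */
bool clusters_checked(uint64_t size, uint64_t *num_clusters)
{
    uint64_t mask = ((uint64_t)1 << CLUSTER_BITS) - 1;
    uint64_t n = (size >> CLUSTER_BITS) + ((size & mask) != 0 ? 1u : 0u);
    if (n >= MAX_CLUSTERS)
        return false;
    *num_clusters = n;
    return true;
}

int main(void)
{
    uint64_t huge = UINT64_MAX;              /* constructed sample size */
    uint64_t n = 0;
    uint64_t wrapped = clusters_unchecked(huge);
    printf("unchecked count: %llu, limit check passes: %d\n",
           (unsigned long long)wrapped, limit_check_passes(wrapped));
    printf("checked accepts huge size: %d\n", clusters_checked(huge, &n));
    bool ok = clusters_checked(1000, &n);
    printf("checked accepts 1000 bytes: %d (clusters=%llu)\n",
           ok, (unsigned long long)n);
    return 0;
}
```

A buffer sized from the wrapped count is empty or never allocated, which is consistent with the null pointer write the advisory describes.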

Impact

Exploitation of this vulnerability causes a crash, leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by compiling 7-Zip with AddressSanitizer enabled, and then using the '7zz' command-line tool to extract a crafted Compound document that triggers the null pointer dereference. The same issue can also be observed in the official 7-Zip build on Windows, without the need for AddressSanitizer.

Remediation

Users are advised to update to 7-Zip version 25.0.0 or later, where this vulnerability has been fixed.

Added: Jul 17, 2025, 7:25 PM
Updated: Jul 17, 2025, 10:23 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.