|
 |
995285 |
From aab73938f8914f0def6cdd5d5be3f142ae7c77f6 Mon Sep 17 00:00:00 2001
|
|
|
995285 |
From: Tim Kientzle <kientzle@acm.org>
|
|
|
995285 |
Date: Tue, 3 Mar 2015 20:17:37 -0800
|
|
|
995285 |
Subject: [PATCH] Issue 410: Segfault on invalid rar archive
|
|
|
995285 |
|
|
|
995285 |
Libarchive's API passes a void ** which is set by the format
|
|
|
995285 |
to the address of the entry data that was just read.
|
|
|
995285 |
|
|
|
995285 |
In one particular case, the RAR decompression logic uses a
|
|
|
995285 |
non-NULL value here to indicate that the internal 128k decompression
|
|
|
995285 |
buffer has been filled. But the RAR code took no steps to ensure
|
|
|
995285 |
that the value was set NULL on entry. As a result, a crafted RAR
|
|
|
995285 |
file can trick libarchive into returning to the caller a 128k block
|
|
|
995285 |
of data starting at whatever value was previously in the caller's
|
|
|
995285 |
variable.
|
|
|
995285 |
|
|
|
995285 |
The fix is simply to set *buff = NULL on entry to the RAR
|
|
|
995285 |
decompression logic.
|
|
|
995285 |
---
|
|
|
995285 |
libarchive/archive_read_support_format_rar.c | 2 +-
|
|
|
995285 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
995285 |
|
|
|
995285 |
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
|
|
|
995285 |
index 3e7412f..ee8ce53 100644
|
|
|
995285 |
--- a/libarchive/archive_read_support_format_rar.c
|
|
|
995285 |
+++ b/libarchive/archive_read_support_format_rar.c
|
|
|
995285 |
@@ -1002,8 +1002,8 @@ archive_read_format_rar_read_data(struct archive_read *a, const void **buff,
|
|
|
995285 |
rar->bytes_unconsumed = 0;
|
|
|
995285 |
}
|
|
|
995285 |
|
|
|
995285 |
+ *buff = NULL;
|
|
|
995285 |
if (rar->entry_eof || rar->offset_seek >= rar->unp_size) {
|
|
|
995285 |
- *buff = NULL;
|
|
|
995285 |
*size = 0;
|
|
|
995285 |
*offset = rar->offset;
|
|
|
995285 |
if (*offset < rar->unp_size)
|
|
|
995285 |
--
|
|
|
995285 |
2.7.4
|
|
|
995285 |
|