From 470ceb47fe072d10c4b5d02dba3a8b7b3ce731e5 Mon Sep 17 00:00:00 2001
From: Tim Kientzle <kientzle@acm.org>
Date: Sun, 19 Jun 2016 15:31:46 -0700
Subject: [PATCH] Issue 521: Properly check reading from lzss decompression
buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
|
Prior code could be tricked into trying to copy data
from beyond the end of the internal decompression buffer.
|
Thanks to Hanno Böck for his ongoing fuzz-testing work with libarchive.
---
Makefile.am | 1 +
libarchive/archive_read_support_format_rar.c | 12 ++++--
libarchive/test/CMakeLists.txt | 1 +
libarchive/test/test_read_format_rar_invalid1.c | 44 ++++++++++++++++++++++
.../test/test_read_format_rar_invalid1.rar.uu | 5 +++
5 files changed, 59 insertions(+), 4 deletions(-)
create mode 100644 libarchive/test/test_read_format_rar_invalid1.c
create mode 100644 libarchive/test/test_read_format_rar_invalid1.rar.uu
|
diff --git a/Makefile.am b/Makefile.am
index e088b75..40ac1d1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -414,6 +414,7 @@ libarchive_test_SOURCES= \
libarchive/test/test_read_format_mtree.c \
libarchive/test/test_read_format_pax_bz2.c \
libarchive/test/test_read_format_rar.c \
+ libarchive/test/test_read_format_rar_invalid1.c \
libarchive/test/test_read_format_raw.c \
libarchive/test/test_read_format_tar.c \
libarchive/test/test_read_format_tar_empty_filename.c \
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 94cd108..c06a32b 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -2798,11 +2798,10 @@ copy_from_lzss_window(struct archive_read *a, const void **buffer,
}
|
windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
- if(windowoffs + length <= lzss_size(&rar->lzss))
+ if(windowoffs + length <= lzss_size(&rar->lzss)) {
memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
length);
- else
- {
+ } else if (length <= lzss_size(&rar->lzss)) {
firstpart = lzss_size(&rar->lzss) - windowoffs;
if (firstpart < 0) {
archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
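Review bot: `lzss_size(&rar->lzss)` is now evaluated three times across the new branch chain (the `if` on the first changed line, the new `else if`, and the `firstpart =` assignment right after it), so the two-level guard reads as three unrelated comparisons rather than one bound. Hoisting it once above the chain, `const int windowsize = lzss_size(&rar->lzss);`, then `if (windowoffs + length <= windowsize) {` and `} else if (length <= windowsize) {`, makes the intent "length must fit in the window, wrapped or not" visible in one place. The declarations of `windowoffs` and `length` are outside the hunk; if either can be negative here, both comparisons still accept it, and a `length < 0` reject next to the new size check would be worth adding. The body of copy_from_lzss_window begins before this hunk and continues into the next one.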
@@ -2814,9 +2813,14 @@ copy_from_lzss_window(struct archive_read *a, const void **buffer,
&rar->lzss.window[windowoffs], firstpart);
memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
&rar->lzss.window[0], length - firstpart);
- } else
+ } else {
memcpy(&rar->unp_buffer[rar->unp_offset],
&rar->lzss.window[windowoffs], length);
+ }
+ } else {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Bad RAR file data");
+ return (ARCHIVE_FATAL);
}
rar->unp_offset += length;
if (rar->unp_offset >= rar->unp_buffer_size)
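Review bot: The new `else { ... "Bad RAR file data" ... return (ARCHIVE_FATAL); }` branch bounds only the source side of the copy (`length` against the window size); the destination writes `&rar->unp_buffer[rar->unp_offset]` / `[rar->unp_offset + firstpart]` for `length` bytes are still not compared against `rar->unp_buffer_size` before the memcpy, and the only check of `unp_offset` against `unp_buffer_size` in this hunk happens after the copy on the last line. If the caller already guarantees `length <= unp_buffer_size - unp_offset` (outside this hunk) a comment saying so at the top of the branch chain would document the contract; if it does not, the same fatal path should also reject `rar->unp_offset + length > rar->unp_buffer_size`. The enclosing copy_from_lzss_window starts before the previous hunk and ends after this one.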
diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt
index 2dc1740..3751da9 100644
--- a/libarchive/test/CMakeLists.txt
+++ b/libarchive/test/CMakeLists.txt
@@ -128,6 +128,7 @@ IF(ENABLE_TEST)
test_read_format_mtree.c
test_read_format_pax_bz2.c
test_read_format_rar.c
+ test_read_format_rar_invalid1.c
test_read_format_raw.c
test_read_format_tar.c
test_read_format_tar_empty_filename.c
diff --git a/libarchive/test/test_read_format_rar_invalid1.c b/libarchive/test/test_read_format_rar_invalid1.c
new file mode 100644
index 0000000..61dea16
--- /dev/null
+++ b/libarchive/test/test_read_format_rar_invalid1.c
@@ -0,0 +1,44 @@
+/*-
+ * Copyright (c) 2003-2016 Tim Kientzle
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "test.h"
+__FBSDID("$FreeBSD$");
+
+DEFINE_TEST(test_read_format_rar_invalid1)
+{
+ const char *refname = "test_read_format_rar_invalid1.rar";
+ struct archive *a;
+ struct archive_entry *ae;
+ char *buff[100];
+
+ extract_reference_file(refname);
+ assert((a = archive_read_new()) != NULL);
+ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
+ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
+ assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, refname, 10240));
+ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae);;
+ assertEqualIntA(a, ARCHIVE_FATAL, archive_read_data(a, buff, 99));
+ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
+ assertEqualInt(ARCHIVE_OK, archive_read_free(a));
+}
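Review bot: The `archive_read_next_header` assertion in the new test is malformed — `assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae);;` leaves the macro's parenthesis unclosed and doubles the semicolon, so this file will not compile as added; it should read `assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae));`. Separately, `char *buff[100];` declares 100 pointers, not 100 bytes; the `archive_read_data(a, buff, 99)` call still stays within the (larger) array, but the declaration presumably meant `char buff[100];`. Asserting ARCHIVE_FATAL from `archive_read_data` on the crafted archive is the right way to pin the fix in the decoder; a one-line comment above that assert saying the reference file is expected to be rejected, not decoded, would make the intent clear to whoever next touches the test.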
diff --git a/libarchive/test/test_read_format_rar_invalid1.rar.uu b/libarchive/test/test_read_format_rar_invalid1.rar.uu
new file mode 100644
index 0000000..2380399
--- /dev/null
+++ b/libarchive/test/test_read_format_rar_invalid1.rar.uu
@@ -0,0 +1,5 @@
+begin 644 test_read_format_rar_invalid1.rar
+M4F%R(1H'`,^0<P``#0````````"9SG0@D"8`#`````,````#+7,'\(^>B$4=
+2,P0`I($``'1E
+`
+end
--
2.7.4