From 05caadc7eedbef471ac9610809ba683f0c698700 Mon Sep 17 00:00:00 2001
From: Tim Kientzle <kientzle@acm.org>
Date: Sun, 19 Jun 2016 14:21:42 -0700
Subject: [PATCH] Issue 719: Fix for TALOS-CAN-154
A RAR file with an invalid zero dictionary size was not being
rejected, leading to a zero-sized allocation for the dictionary
storage which was then overwritten during the dictionary initialization.
Thanks to the Open Source and Threat Intelligence project at Cisco for
reporting this.
---
libarchive/archive_read_support_format_rar.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 6450aac..6c49f1a 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -2127,6 +2127,12 @@ parse_codes(struct archive_read *a)
rar->range_dec.Stream = &rar->bytein;
__archive_ppmd7_functions.Ppmd7_Construct(&rar->ppmd7_context);
+ if (rar->dictionary_size == 0) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Invalid zero dictionary size");
+ return (ARCHIVE_FATAL);
+ }
+
if (!__archive_ppmd7_functions.Ppmd7_Alloc(&rar->ppmd7_context,
rar->dictionary_size, &g_szalloc))
{
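Review bot: The new guard `if (rar->dictionary_size == 0)` rejects only the exact value zero, so whether a small non-zero dictionary size is safe for `Ppmd7_Alloc` and the model initialisation that follows depends on code outside this hunk. If such values can reach this point from the archive header, the check should compare against the decoder's minimum model size rather than zero; that bound is not visible here and should be confirmed against the PPMd7 implementation. The check would also benefit from a comment recording why it exists, e.g. `/* A zero dictionary size gives a zero-byte PPMd7 allocation that initialisation then overwrites (Issue 719). */`. The diffstat shows a single file changed, so no regression test with a zero-dictionary-size RAR sample accompanies the fix; adding one would keep the rejection path covered. The body of parse_codes starts and ends outside the hunk.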
--
2.7.4