
From 88311f46cdfc719d26bb99d3b47944eb92ceae02 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Tue, 30 Apr 2019 11:50:33 +0200
Subject: [PATCH] Avoid a double-free when a window size of 0 is specified
new_size can be 0 with a malicious or corrupted RAR archive.
realloc(area, 0) is equivalent to free(area), so the region would
be free()d here and then free()d again in the cleanup function.
Found with a setup running AFL, afl-rb, and qsym.
---
 libarchive/archive_read_support_format_rar.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index c4a8278..3f88eef 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -2317,6 +2317,11 @@ parse_codes(struct archive_read *a)
       new_size = DICTIONARY_MAX_SIZE;
     else
       new_size = rar_fls((unsigned int)rar->unp_size) << 1;
+    if (new_size == 0) {
+    archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+                      "Zero window size is invalid.");
+    return (ARCHIVE_FATAL);
+    }
     new_window = realloc(rar->lzss.window, new_size);
     if (new_window == NULL) {
       archive_set_error(&a->archive, ENOMEM,
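Review bot: The body of the added `if (new_size == 0)` block is indented to the same column as the `if` itself, whereas the surrounding code indents nested statements one level deeper (compare the `new_size = ...` lines just above it); the `archive_set_error(...)` call, its continuation line and the `return (ARCHIVE_FATAL);` should move in by one level to match. The guard itself is placed correctly: it runs before the `realloc`, so `rar->lzss.window` is neither released here nor left for a second `free()` on the cleanup path, and the error is reported as a format error rather than as ENOMEM. Because the reason for rejecting zero is not visible from the code alone, a why-comment above the check would help future readers, e.g. `/* realloc(p, 0) frees p; the cleanup path would then free the window a second time (CVE-2018-1000877). */`. parse_codes begins and ends outside the hunk, so the cleanup path and the earlier computation of `new_size` are not visible here.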
-- 
2.17.1