
From 88311f46cdfc719d26bb99d3b47944eb92ceae02 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Tue, 30 Apr 2019 11:50:33 +0200
Subject: [PATCH] Avoid a double-free when a window size of 0 is specified
new_size can be 0 with a malicious or corrupted RAR archive.
realloc(area, 0) is equivalent to free(area), so the region would
be free()d here and then free()d again in the cleanup function.
Found with a setup running AFL, afl-rb, and qsym.
---
 libarchive/archive_read_support_format_rar.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index c4a8278..3f88eef 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -2317,6 +2317,11 @@ parse_codes(struct archive_read *a)
       new_size = DICTIONARY_MAX_SIZE;
     else
       new_size = rar_fls((unsigned int)rar->unp_size) << 1;
+    if (new_size == 0) {
+    archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+                      "Zero window size is invalid.");
+    return (ARCHIVE_FATAL);
+    }
     new_window = realloc(rar->lzss.window, new_size);
     if (new_window == NULL) {
       archive_set_error(&a->archive, ENOMEM,
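Review bot: The body of the new guard at the `if (new_size == 0) {` line is not indented relative to the `if`, unlike the `if (new_window == NULL) {` block right below it; the `archive_set_error` call and the `return (ARCHIVE_FATAL);` should sit one level deeper so the block reads like the rest of parse_codes. Nothing at the call site says why a zero size must be fatal rather than merely odd, and the next maintainer may be tempted to relax it, so a why-comment above the check is worth adding: `/* realloc(window, 0) may free the buffer and leave rar->lzss.window dangling, so the cleanup path would free it twice; reject a zero size before touching the allocation. */`. The check is correctly placed before the realloc, so on this path the existing window is left untouched and the later cleanup sees a consistent pointer. parse_codes starts and continues outside this hunk.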
-- 
2.17.1