From aab73938f8914f0def6cdd5d5be3f142ae7c77f6 Mon Sep 17 00:00:00 2001
From: Tim Kientzle <kientzle@acm.org>
Date: Tue, 3 Mar 2015 20:17:37 -0800
Subject: [PATCH] Issue 410: Segfault on invalid rar archive
Libarchive's API passes a void ** which is set by the format
to the address of the entry data that was just read.
In one particular case, the RAR decompression logic uses a
non-NULL value here to indicate that the internal 128k decompression
buffer has been filled. But the RAR code took no steps to ensure
that the value was set NULL on entry. As a result, a crafted RAR
file can trick libarchive into returning to the caller a 128k block
of data starting at whatever value was previously in the caller's
variable.
The fix is simply to set *buff = NULL on entry to the RAR
decompression logic.
---
libarchive/archive_read_support_format_rar.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 3e7412f..ee8ce53 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -1002,8 +1002,8 @@ archive_read_format_rar_read_data(struct archive_read *a, const void **buff,
rar->bytes_unconsumed = 0;
}
+ *buff = NULL;
if (rar->entry_eof || rar->offset_seek >= rar->unp_size) {
- *buff = NULL;
*size = 0;
*offset = rar->offset;
if (*offset < rar->unp_size)
--
2.7.4