--- /dev/null
+From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <legnaleurc@gmail.com>
+Date: Mon, 29 Apr 2024 06:53:19 +0900
+Subject: [PATCH] fix: OOB in rar audio filter (#2149)
+
+This patch ensures that `src` won't move ahead of `dst`, so `src` will
+not OOB. Similar situation like in a1cb648.
+
+CVE: CVE-2024-48957
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b]
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ libarchive/archive_read_support_format_rar.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 619ee81e2..4fc6626ca 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3722,6 +3722,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
+ memset(&state, 0, sizeof(state));
+ for (j = i; j < length; j += numchannels)
+ {
++ /*
++ * The src block should not overlap with the dst block.
++ * If so it would be better to consider this archive is broken.
++ */
++ if (src >= dst)
++ return 0;
++
+ int8_t delta = (int8_t)*src++;
+ uint8_t predbyte, byte;
+ int prederror;
--- /dev/null
+From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <legnaleurc@gmail.com>
+Date: Mon, 29 Apr 2024 06:50:22 +0900
+Subject: [PATCH] fix: OOB in rar delta filter (#2148)
+
+Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
+Since `dst` won't move in this function, and we are only increasing `src`
+position, this check should be enough. It should be safe to early return
+because this function does not allocate resources.
+
+CVE: CVE-2024-48958
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7]
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ libarchive/archive_read_support_format_rar.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 79669a8f4..619ee81e2 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
+ {
+ uint8_t lastbyte = 0;
+ for (idx = i; idx < length; idx += numchannels)
++ {
++ /*
++ * The src block should not overlap with the dst block.
++ * If so it would be better to consider this archive is broken.
++ */
++ if (src >= dst)
++ return 0;
+ lastbyte = dst[idx] = lastbyte - *src++;
++ }
+ }
+
+ filter->filteredblockaddress = length;
SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://0001-pax-writer-fix-multiple-security-vulnerabilities.patch \
file://CVE-2024-26256.patch \
+ file://CVE-2024-48957.patch \
+ file://CVE-2024-48958.patch \
"
UPSTREAM_CHECK_URI = "http://libarchive.org/"
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
