git.ipfire.org Git - thirdparty/libarchive.git/commit

author	Grzegorz Antoniak <ga@anadoxin.org>
	Fri, 12 Feb 2021 19:18:31 +0000 (20:18 +0100)
committer	Grzegorz Antoniak <ga@anadoxin.org>
	Sun, 6 Feb 2022 17:36:23 +0000 (18:36 +0100)
commit	17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f
tree	709d45424a7a57dfbf6fff79ea38691ee9f8c6f8	tree
parent	404873ce40a06f4ff05f76ecbc139a8fabb32d7c	commit \| diff

RAR5 reader: fix invalid memory access in some files

RAR5 reader uses several variables to manage the window buffer during
extraction: the buffer itself (`window_buf`), the current size of the
window buffer (`window_size`), and a helper variable (`window_mask`)
that is used to constrain read and write offsets to the window buffer.

Some specially crafted files can force the unpacker to update the
`window_mask` variable to a value that is out of sync with current
buffer size. If the `window_mask` will be bigger than the actual buffer
size, then an invalid access operation can happen (SIGSEGV).

This commit ensures that if the `window_size` and `window_mask` will be
changed, the window buffer will be reallocated to the proper size, so no
invalid memory operation should be possible.

This commit contains a test file from OSSFuzz #30442.

Makefile.am		diff \| blob \| blame \| history
libarchive/archive_read_support_format_rar5.c		diff \| blob \| blame \| history
libarchive/test/test_read_format_rar5.c		diff \| blob \| blame \| history
libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu	[new file with mode: 0644]	blob