Fix multiple vulnerabilities identified by SAST (#2256)

I went through ~50 findings of SAST reports and identified a few of them
as true positives. I might still have missed some intended uses or some
magic in the code so please provide feedback if you think some of these
shouldn't be applied and why.

I explained the changes in the separate comments.

diff --git a/libarchive/archive_ppmd8.c b/libarchive/archive_ppmd8.c
index d1779395dac5546f2e8f26cc6967eff49cbe280f..bae5970957115648017bb2815b11c14269529308 100644 (file)
--- a/libarchive/archive_ppmd8.c
+++ b/libarchive/archive_ppmd8.c
@@ -671,7 +671,7 @@ static CTX_PTR CreateSuccessors(CPpmd8 *p, Bool skip, CPpmd_State *s1, CTX_PTR c
     upState.Freq = (Byte)(1 + ((2 * cf <= s0) ? (5 * cf > s0) : ((cf + 2 * s0 - 3) / s0)));
   }
 
-  do
+  while (numPs != 0)
   {
     /* Create Child */
     CTX_PTR c1; /* = AllocContext(p); */
@@ -692,8 +692,7 @@ static CTX_PTR CreateSuccessors(CPpmd8 *p, Bool skip, CPpmd_State *s1, CTX_PTR c
     SetSuccessor(ps[--numPs], REF(c1));
     c = c1;
   }
-  while (numPs != 0);
-  
+
   return c;
 }
 

diff --git a/libarchive/archive_read_append_filter.c b/libarchive/archive_read_append_filter.c
index 74eead83e0e7657502d5c517d5a0270086a2dbf5..59ea5c4422dc7c55a82b8a34b655bb09bd6c495c 100644 (file)
--- a/libarchive/archive_read_append_filter.c
+++ b/libarchive/archive_read_append_filter.c
@@ -111,7 +111,7 @@ archive_read_append_filter(struct archive *_a, int code)
     number_bidders = sizeof(a->bidders) / sizeof(a->bidders[0]);
 
     bidder = a->bidders;
-    for (i = 0; i < number_bidders; i++, bidder++)
+    for (i = 1; i < number_bidders; i++, bidder++)
     {
       if (!bidder->name || !strcmp(bidder->name, str))
         break;

diff --git a/libarchive/archive_read_disk_entry_from_file.c b/libarchive/archive_read_disk_entry_from_file.c
index d89f435554f6391eae7fe1d67b58b08f5381e37d..3a4915eff4064407dc3945f82b65bc6e4f0b41e5 100644 (file)
--- a/libarchive/archive_read_disk_entry_from_file.c
+++ b/libarchive/archive_read_disk_entry_from_file.c
@@ -520,6 +520,7 @@ setup_xattr(struct archive_read_disk *a,
        if (size == -1) {
                archive_set_error(&a->archive, errno,
                    "Couldn't read extended attribute");
+               free(value);
                return (ARCHIVE_WARN);
        }
 

diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 93d738a5caa447246d7a8999eab98b32569c14a7..fb7cfde7b73a1f0d165d2becb025a5898ccefe2d 100644 (file)
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -2983,7 +2983,7 @@ expand(struct archive_read *a, int64_t *end)
 
       if ((lensymbol = read_next_symbol(a, &rar->lengthcode)) < 0)
         goto bad_data;
-      if (lensymbol > lengthb_min)
+      if (lensymbol >= lengthb_min)
         goto bad_data;
       len = lengthbases[lensymbol] + 2;
       if (lengthbits[lensymbol] > 0) {
@@ -3015,7 +3015,7 @@ expand(struct archive_read *a, int64_t *end)
     }
     else
     {
-      if (symbol-271 > lengthb_min)
+      if (symbol-271 >= lengthb_min)
         goto bad_data;
       len = lengthbases[symbol-271]+3;
       if(lengthbits[symbol-271] > 0) {
@@ -3027,7 +3027,7 @@ expand(struct archive_read *a, int64_t *end)
 
       if ((offssymbol = read_next_symbol(a, &rar->offsetcode)) < 0)
         goto bad_data;
-      if (offssymbol > offsetb_min)
+      if (offssymbol >= offsetb_min)
         goto bad_data;
       offs = offsetbases[offssymbol]+1;
       if(offsetbits[offssymbol] > 0)
@@ -3361,7 +3361,10 @@ create_filter(struct rar_program_code *prog, const uint8_t *globaldata, uint32_t
   filter->globaldatalen = globaldatalen > PROGRAM_SYSTEM_GLOBAL_SIZE ? globaldatalen : PROGRAM_SYSTEM_GLOBAL_SIZE;
   filter->globaldata = calloc(1, filter->globaldatalen);
   if (!filter->globaldata)
+  {
+    free(filter);
     return NULL;
+  }
   if (globaldata)
     memcpy(filter->globaldata, globaldata, globaldatalen);
   if (registers)

diff --git a/libarchive/archive_write_set_format_iso9660.c b/libarchive/archive_write_set_format_iso9660.c
index 2a3ae07fa2b277d25f0af440638b61153d5c783e..a77ea7708b4bb063ff555e54182110f8c8ed46e5 100644 (file)
--- a/libarchive/archive_write_set_format_iso9660.c
+++ b/libarchive/archive_write_set_format_iso9660.c
@@ -2237,7 +2237,7 @@ set_str_utf16be(struct archive_write *a, unsigned char *p, const char *s,
        int onepad;
 
        if (s == NULL)
-               s = "";
+               s = "\0\0";
        if (l & 0x01) {
                onepad = 1;
                l &= ~1;

diff --git a/tar/write.c b/tar/write.c
index 5c7b13ae682f1cc8b1e863bdae2d0151a79503dc..1d1139f4cde5c6ee588d749c2d90ce2068fb7aa8 100644 (file)
--- a/tar/write.c
+++ b/tar/write.c
@@ -942,7 +942,9 @@ write_hierarchy(struct bsdtar *bsdtar, struct archive *a, const char *path)
 
                while (entry != NULL) {
                        write_file(bsdtar, a, entry);
-                       archive_entry_free(entry);
+                       if (entry != spare_entry) {
+                               archive_entry_free(entry);
+                       }
                        entry = spare_entry;
                        spare_entry = NULL;
                }