rar: Fix out ouf boundary access with large files (#2179)
authorTobias Stoeckmann <stoeckmann@users.noreply.github.com>
Sat, 11 May 2024 17:12:03 +0000 (19:12 +0200)
committerGitHub <noreply@github.com>
Sat, 11 May 2024 17:12:03 +0000 (10:12 -0700)
If a header has the FHD_LARGE flag set, it is not verified that enough
bytes have been read. Check boundaries before accessing the additional
bytes.

libarchive/archive_read_support_format_rar.c

index 5776df4bd944c3405e3753fc51986df15c9dcbaf..c8725bcae4edc28e92082e91d3c1d1a46dd5678f 100644 (file)
@@ -1469,6 +1469,11 @@ read_header(struct archive_read *a, struct archive_entry *entry,
 
   if (rar->file_flags & FHD_LARGE)
   {
+    if (p + 8 > endp) {
+      archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+                        "Invalid header size");
+      return (ARCHIVE_FATAL);
+    }
     memcpy(packed_size, file_header.pack_size, 4);
     memcpy(packed_size + 4, p, 4); /* High pack size */
     p += 4;
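Review bot: The new guard `if (p + 8 > endp) {` forms the pointer `p + 8` before comparing it, and when fewer than 8 bytes remain that pointer lies more than one past the end of the buffer, which is undefined behaviour in C. The check can then be optimised away or wrap on some targets. Comparing the remaining length avoids this: `if (endp - p < 8) {`. This assumes `p` and `endp` point into the same header buffer with `p <= endp`, which the hunk does not show; `read_header` starts and ends outside the hunk. A regression test with a truncated header that sets FHD_LARGE would pin the new error path.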