rar: Avoid overwriting data at "end" of circular window buffer (#2124)

author Duncan Horn <40036384+dunhor@users.noreply.github.com>

Tue, 23 Apr 2024 06:25:39 +0000 (23:25 -0700)

committer GitHub <noreply@github.com>

Tue, 23 Apr 2024 06:25:39 +0000 (08:25 +0200)
author Duncan Horn <40036384+dunhor@users.noreply.github.com>
Tue, 23 Apr 2024 06:25:39 +0000 (23:25 -0700)
committer GitHub <noreply@github.com>
Tue, 23 Apr 2024 06:25:39 +0000 (08:25 +0200)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c

index 266d0ee9959a325728972bda92f09fb718e0836b..79669a8f40f9511d4e2a04e621d328136dace262 100644 (file)
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -2176,6 +2176,19 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
      {
        start = rar->offset;
        end = start + rar->dictionary_size;
+
+      /* We don't want to overflow the window and overwrite data that we write
+       * at 'start'. Therefore, reduce the end length by the maximum match size,
+       * which is 260 bytes. You can compute this maximum by looking at the
+       * definition of 'expand', in particular when 'symbol >= 271'. */
+      /* NOTE: It's possible for 'dictionary_size' to be less than this 260
+       * value, however that will only be the case when 'unp_size' is small,
+       * which should only happen when the entry size is small and there's no
+       * risk of overflowing the buffer */
+      if (rar->dictionary_size > 260) {
+        end -= 260;
+      }
+
        if (rar->filters.filterstart < end) {
          end = rar->filters.filterstart;
        }
author	Duncan Horn <40036384+dunhor@users.noreply.github.com>
	Tue, 23 Apr 2024 06:25:39 +0000 (23:25 -0700)
committer	GitHub <noreply@github.com>
	Tue, 23 Apr 2024 06:25:39 +0000 (08:25 +0200)