RAR reader: fix heap-use-after-free in run_filters()

author Martin Matuska <martin@matuska.org>

Sun, 3 Apr 2022 10:06:24 +0000 (12:06 +0200)

committer Martin Matuska <martin@matuska.org>

Sun, 3 Apr 2022 10:06:24 +0000 (12:06 +0200)
author Martin Matuska <martin@matuska.org>
Sun, 3 Apr 2022 10:06:24 +0000 (12:06 +0200)
committer Martin Matuska <martin@matuska.org>
Sun, 3 Apr 2022 10:06:24 +0000 (12:06 +0200)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c

index 7a7318522650aca265b8e71d99f5c393efbd0175..f9cbe2a8810d9d628a71d2d7c9646fa295b5aa92 100644 (file)
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -3328,6 +3328,7 @@ run_filters(struct archive_read *a)
    struct rar *rar = (struct rar *)(a->format->data);
    struct rar_filters *filters = &rar->filters;
    struct rar_filter *filter = filters->stack;
+  struct rar_filter *f;
    size_t start, end;
    int64_t tend;
    uint32_t lastfilteraddress;
@@ -3345,6 +3346,22 @@ run_filters(struct archive_read *a)
    ret = expand(a, &tend);
    if (ret != ARCHIVE_OK)
      return 0;
+
+  /* Check if filter stack was modified in expand() */
+  ret = ARCHIVE_FATAL;
+  f = filters->stack;
+  while (f)
+  {
+    if (f == filter)
+    {
+      ret = ARCHIVE_OK;
+      break;
+    }
+    f = f->next;
+  }
+  if (ret != ARCHIVE_OK)
+    return 0;
+
    if (tend < 0)
      return 0;
    end = (size_t)tend;
author	Martin Matuska <martin@matuska.org>
	Sun, 3 Apr 2022 10:06:24 +0000 (12:06 +0200)
committer	Martin Matuska <martin@matuska.org>
	Sun, 3 Apr 2022 10:06:24 +0000 (12:06 +0200)