From: Martin Matuska
Date: Sat, 19 Feb 2022 19:43:22 +0000 (+0100)
Subject: RAR reader: fix null-dereference in RAR (v4) filter code
X-Git-Tag: v3.6.1~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1271f775dc917798ad7d03c3b3bd66bacad03603;p=thirdparty%2Flibarchive.git

RAR reader: fix null-dereference in RAR (v4) filter code

Add safety check to run_filters() and fix return codes

Reported-by: OSS-Fuzz #44843
---

diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 388484a76..7a7318522 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -3328,20 +3328,25 @@ run_filters(struct archive_read *a)
 struct rar *rar = (struct rar *)(a->format->data);
 struct rar_filters *filters = &rar->filters;
 struct rar_filter *filter = filters->stack;
- size_t start = filters->filterstart;
- size_t end = start + filter->blocklength;
+ size_t start, end;
 int64_t tend;
 uint32_t lastfilteraddress;
 uint32_t lastfilterlength;
 int ret;
 
+ if (filters == NULL || filter == NULL)
+ return (0);
+
+ start = filters->filterstart;
+ end = start + filter->blocklength;
+
 filters->filterstart = INT64_MAX;
 tend = (int64_t)end;
 ret = expand(a, &tend);
 if (ret != ARCHIVE_OK)
- return (ret);
+ return 0;
 if (tend < 0)
- return (ARCHIVE_FATAL);
+ return 0;
 end = (size_t)tend;
 if (end != start + filter->blocklength)
 return 0;
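Review bot: The `filters == NULL` half of the new guard cannot fire: `filters` is `&rar->filters`, the address of an embedded member, and it is already dereferenced by the `filter = filters->stack` initializer above the check, so only `filter == NULL` protects the `filter->blocklength` read. I would reduce the test to `if (filter == NULL)` and add a comment such as `/* filter stack may be empty on malformed input (OSS-Fuzz #44843) */` so the reason for the guard survives later refactoring. The two `return 0;` lines after expand() now discard `ret` and ARCHIVE_FATAL; that seems to follow the 0-on-failure convention of the existing `end != start + filter->blocklength` check, but a header comment stating that run_filters() returns 0 on failure would make the contract explicit, and it is worth confirming that the caller (outside this hunk) treats 0 as a hard error rather than continuing with unfiltered data. The added lines also mix `return (0);` with `return 0;`. The body of run_filters() continues past the end of the hunk.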