From: Michihiro NAKAJIMA Date: Mon, 8 Aug 2011 11:08:54 +0000 (-0400) Subject: Sanity check to a copy length of decoded data in order not to cause X-Git-Tag: v3.0.0a~172 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4568720b19a6fb5cc112c3caa490ff76ff9940bd;p=thirdparty%2Flibarchive.git Sanity check to a copy length of decoded data in order not to cause a segmentation fault when reading a broken RAR file. SVN-Revision: 3564 --- diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c index c34f12891..974c881db 100644 --- a/libarchive/archive_read_support_format_rar.c +++ b/libarchive/archive_read_support_format_rar.c @@ -2218,6 +2218,11 @@ copy_from_lzss_window(struct archive_read *a, const void **buffer, else { firstpart = lzss_size(&rar->lzss) - windowoffs; + if (firstpart < 0) { + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, + "Bad RAR file data"); + return (ARCHIVE_FAILED); + } memcpy(&rar->unp_buffer[0], &rar->lzss.window[windowoffs], firstpart); memcpy(&rar->unp_buffer[firstpart], &rar->lzss.window[0], length - firstpart);