From 09e7b6b0ac73c620f8fcebef85dda0fc3a36a702 Mon Sep 17 00:00:00 2001
From: Lukas Javorsky
Date: Fri, 5 Jul 2024 00:51:38 +0200
Subject: [PATCH] Fix multiple vulnerabilities identified by SAST (#2256)
I went through ~50 findings of SAST reports and identified a few of them as true positives. I might still have missed some intended uses or some magic in the code so please provide feedback if you think some of these shouldn't be applied and why. I explained the changes in the separate comments.
---
 libarchive/archive_ppmd8.c | 5 ++---
 libarchive/archive_read_append_filter.c | 2 +-
 libarchive/archive_read_disk_entry_from_file.c | 1 +
 libarchive/archive_read_support_format_rar.c | 9 ++++++---
 libarchive/archive_write_set_format_iso9660.c | 2 +-
 tar/write.c | 4 +++-
 6 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/libarchive/archive_ppmd8.c b/libarchive/archive_ppmd8.c
index d1779395d..bae597095 100644
--- a/libarchive/archive_ppmd8.c
+++ b/libarchive/archive_ppmd8.c
@@ -671,7 +671,7 @@ static CTX_PTR CreateSuccessors(CPpmd8 *p, Bool skip, CPpmd_State *s1, CTX_PTR c
 upState.Freq = (Byte)(1 + ((2 * cf <= s0) ? (5 * cf > s0) : ((cf + 2 * s0 - 3) / s0)));
 }
- do
+ while (numPs != 0)
 {
 /* Create Child */
 CTX_PTR c1; /* = AllocContext(p); */
@@ -692,8 +692,7 @@ static CTX_PTR CreateSuccessors(CPpmd8 *p, Bool skip, CPpmd_State *s1, CTX_PTR c
 SetSuccessor(ps[--numPs], REF(c1));
 c = c1;
 }
- while (numPs != 0);
-
+
 return c;
 }
diff --git a/libarchive/archive_read_append_filter.c b/libarchive/archive_read_append_filter.c
index 74eead83e..59ea5c442 100644
--- a/libarchive/archive_read_append_filter.c
+++ b/libarchive/archive_read_append_filter.c
@@ -111,7 +111,7 @@ archive_read_append_filter(struct archive *_a, int code)
 number_bidders = sizeof(a->bidders) / sizeof(a->bidders[0]);
 bidder = a->bidders;
- for (i = 0; i < number_bidders; i++, bidder++)
+ for (i = 1; i < number_bidders; i++, bidder++)
 {
 if (!bidder->name || !strcmp(bidder->name, str))
 break;
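Review bot: The reason for turning the do/while into a pre-tested `while (numPs != 0)` is not recorded in the code: the loop body, which in the next hunk indexes `ps[--numPs]`, is now skipped when nothing was collected into ps[] instead of decrementing numPs past zero and indexing the array out of bounds. A short comment on the new line would stop this from being "simplified" back into a do/while later, e.g. `/* numPs may be 0 here; a do/while would index ps[] below its start */`. CreateSuccessors begins before this hunk, so the code that fills ps[] and the declaration of numPs are not visible here, and the claim that numPs can be zero is inferred from the change itself.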
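Review bot: Starting the counter at `i = 1` while `bidder` still starts at `a->bidders` puts the index and the pointer out of step, so the loop now visits bidders[0] through bidders[number_bidders-2] and never compares the last slot; a filter registered there would be reported as not found. If the intent was to keep `bidder` from being dereferenced one past the end of the array after a scan that matches nothing, that guard belongs in the check after the loop (outside this hunk), for example keep `for (i = 0; i < number_bidders; i++, bidder++)` and test `if (i == number_bidders || !bidder->name || strcmp(bidder->name, str))` there. The post-loop check itself is not visible in this hunk, so the exact condition needs confirming against the file; archive_read_append_filter starts before the hunk.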
diff --git a/libarchive/archive_read_disk_entry_from_file.c b/libarchive/archive_read_disk_entry_from_file.c
index d89f43555..3a4915eff 100644
--- a/libarchive/archive_read_disk_entry_from_file.c
+++ b/libarchive/archive_read_disk_entry_from_file.c
@@ -520,6 +520,7 @@ setup_xattr(struct archive_read_disk *a,
 if (size == -1) {
 archive_set_error(&a->archive, errno, "Couldn't read extended attribute");
+ free(value);
 return (ARCHIVE_WARN);
 }
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 93d738a5c..fb7cfde7b 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -2983,7 +2983,7 @@ expand(struct archive_read *a, int64_t *end)
 if ((lensymbol = read_next_symbol(a, &rar->lengthcode)) < 0)
 goto bad_data;
- if (lensymbol > lengthb_min)
+ if (lensymbol >= lengthb_min)
 goto bad_data;
 len = lengthbases[lensymbol] + 2;
 if (lengthbits[lensymbol] > 0) {
@@ -3015,7 +3015,7 @@ expand(struct archive_read *a, int64_t *end)
 }
 else
 {
- if (symbol-271 > lengthb_min)
+ if (symbol-271 >= lengthb_min)
 goto bad_data;
 len = lengthbases[symbol-271]+3;
 if(lengthbits[symbol-271] > 0) {
@@ -3027,7 +3027,7 @@ expand(struct archive_read *a, int64_t *end)
 if ((offssymbol = read_next_symbol(a, &rar->offsetcode)) < 0)
 goto bad_data;
- if (offssymbol > offsetb_min)
+ if (offssymbol >= offsetb_min)
 goto bad_data;
 offs = offsetbases[offssymbol]+1;
 if(offsetbits[offssymbol] > 0)
@@ -3361,7 +3361,10 @@ create_filter(struct rar_program_code *prog, const uint8_t *globaldata, uint32_t
 filter->globaldatalen = globaldatalen > PROGRAM_SYSTEM_GLOBAL_SIZE ? globaldatalen : PROGRAM_SYSTEM_GLOBAL_SIZE;
 filter->globaldata = calloc(1, filter->globaldatalen);
 if (!filter->globaldata)
+ {
+ free(filter);
 return NULL;
+ }
 if (globaldata)
 memcpy(filter->globaldata, globaldata, globaldatalen);
 if (registers)
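Review bot: The three `>=` comparisons in expand() now treat lengthb_min and offsetb_min as exclusive bounds, which is correct only if those variables hold the number of entries in lengthbases[]/lengthbits[] and offsetbases[]/offsetbits[] rather than the highest valid index; their definitions are outside these hunks, so that reading should be confirmed before merging. Since nothing in the code states the contract, a one-line comment where they are computed would keep the `>` form from creeping back in, e.g. `/* element counts of the base/bits tables: valid symbols are 0..lengthb_min-1 */`. expand() starts before the first of these hunks and continues past the last.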
diff --git a/libarchive/archive_write_set_format_iso9660.c b/libarchive/archive_write_set_format_iso9660.c
index 2a3ae07fa..a77ea7708 100644
--- a/libarchive/archive_write_set_format_iso9660.c
+++ b/libarchive/archive_write_set_format_iso9660.c
@@ -2237,7 +2237,7 @@ set_str_utf16be(struct archive_write *a, unsigned char *p, const char *s,
 int onepad;
 if (s == NULL)
- s = "";
+ s = "\0\0";
 if (l & 0x01) {
 onepad = 1;
 l &= ~1;
diff --git a/tar/write.c b/tar/write.c
index 5c7b13ae6..1d1139f4c 100644
--- a/tar/write.c
+++ b/tar/write.c
@@ -942,7 +942,9 @@ write_hierarchy(struct bsdtar *bsdtar, struct archive *a, const char *path)
 while (entry != NULL) {
 write_file(bsdtar, a, entry);
- archive_entry_free(entry);
+ if (entry != spare_entry) {
+ archive_entry_free(entry);
+ }
 entry = spare_entry;
 spare_entry = NULL;
 }
-- 2.47.2
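Review bot: The replacement literal `"\0\0"` carries no explanation, and to a reader it is the same empty C string as `""`; the only difference is the object size (three bytes instead of one), which presumably matters because `s` is later consumed as 16-bit units in the UTF-16 branch of this function, where a one-byte object would be read past its end. Please put the reason inline: `s = "\0\0"; /* empty UTF-16 string: needs a 2-byte terminator, not a 1-byte NUL */`. If `s` is indeed cast to a `uint16_t *` there, note that a char literal has no alignment guarantee, so pointing at a `static const uint16_t` zero would be a cleaner source than a string literal. set_str_utf16be continues beyond this hunk, so the consuming code is not visible here.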
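Review bot: The new `entry != spare_entry` guard trades a double free for a different bug: when the two pointers alias, `entry` is not freed, `entry = spare_entry` keeps the same object, and the next iteration calls `write_file(bsdtar, a, entry)` on it a second time before freeing it, so one entry would be archived twice. If spare_entry can never alias entry (it is assigned outside this hunk, presumably by the hardlink resolver), the condition is dead code and an `assert(entry != spare_entry);` or a comment stating the invariant documents the intent better than a silent skip; if it can, the loop must be fixed to write each entry once rather than to avoid the free. write_hierarchy starts before this hunk, so where spare_entry is produced is not visible here.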