From d094dc02905605ca514baf87855f026b9bf52f1f Mon Sep 17 00:00:00 2001
From: Tim Kientzle <kientzle@acm.org>
Date: Sun, 8 Feb 2015 13:29:51 -0800
Subject: [PATCH] Issue 405: segfault on malformed 7z archive

Reject a couple of nonsensical cases.
---
 Makefile.am                                   |  3 +
 libarchive/archive_read_support_format_7zip.c |  9 +++
 libarchive/test/CMakeLists.txt                |  1 +
 .../test_read_format_7zip_malformed.7z.uu     |  5 ++
 .../test/test_read_format_7zip_malformed.c    | 67 +++++++++++++++++++
 .../test_read_format_7zip_malformed2.7z.uu    |  5 ++
 6 files changed, 90 insertions(+)
 create mode 100644 libarchive/test/test_read_format_7zip_malformed.7z.uu
 create mode 100644 libarchive/test/test_read_format_7zip_malformed.c
 create mode 100644 libarchive/test/test_read_format_7zip_malformed2.7z.uu

diff --git a/Makefile.am b/Makefile.am
index b3bfd67ad..2e2755778 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -404,6 +404,7 @@ libarchive_test_SOURCES= \
 	libarchive/test/test_read_format_7zip_encryption_data.c \
 	libarchive/test/test_read_format_7zip_encryption_partially.c \
 	libarchive/test/test_read_format_7zip_encryption_header.c \
+	libarchive/test/test_read_format_7zip_malformed.c \
 	libarchive/test/test_read_format_ar.c \
 	libarchive/test/test_read_format_cab.c \
 	libarchive/test/test_read_format_cab_filename.c \
@@ -677,6 +678,8 @@ libarchive_test_EXTRA_DIST=\
 	libarchive/test/test_read_format_7zip_lzma1_2.7z.uu \
 	libarchive/test/test_read_format_7zip_lzma1_lzma2.7z.uu \
 	libarchive/test/test_read_format_7zip_lzma2.7z.uu \
+	libarchive/test/test_read_format_7zip_malformed.7z.uu \
+	libarchive/test/test_read_format_7zip_malformed2.7z.uu \
 	libarchive/test/test_read_format_7zip_ppmd.7z.uu \
 	libarchive/test/test_read_format_7zip_symbolic_name.7z.uu \
 	libarchive/test/test_read_format_ar.ar.uu \
diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
index 2183d8c8b..af267d043 100644
--- a/libarchive/archive_read_support_format_7zip.c
+++ b/libarchive/archive_read_support_format_7zip.c
@@ -2038,7 +2038,16 @@ read_CodersInfo(struct archive_read *a, struct _7z_coders_info *ci)
 			return (-1);
 		if (UMAX_ENTRY < ci->dataStreamIndex)
 			return (-1);
+		if (ci->numFolders > 0) {
+			archive_set_error(&a->archive, -1,
+			    "Malformed 7-Zip archive");
+			goto failed;
+		}
 		break;
+	default:
+		archive_set_error(&a->archive, -1,
+		    "Malformed 7-Zip archive");
+		goto failed;
 	}
 
 	if ((p = header_bytes(a, 1)) == NULL)
diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt
index 366022f3b..aa639b423 100644
--- a/libarchive/test/CMakeLists.txt
+++ b/libarchive/test/CMakeLists.txt
@@ -94,6 +94,7 @@ IF(ENABLE_TEST)
     test_read_format_7zip_encryption_data.c
     test_read_format_7zip_encryption_header.c
     test_read_format_7zip_encryption_partially.c
+    test_read_format_7zip_malformed.c
     test_read_format_ar.c
     test_read_format_cab.c
     test_read_format_cab_filename.c
diff --git a/libarchive/test/test_read_format_7zip_malformed.7z.uu b/libarchive/test/test_read_format_7zip_malformed.7z.uu
new file mode 100644
index 000000000..179f633f9
--- /dev/null
+++ b/libarchive/test/test_read_format_7zip_malformed.7z.uu
@@ -0,0 +1,5 @@
+begin 644 test_read_format_7zip_malformed.7z
+M-WJ\KR<<,#"@P/<&!P````````!(`````````&:^$Y<P,#`P,#`P`00&``$)
+'!P`'"S`P#```
+`
+end
diff --git a/libarchive/test/test_read_format_7zip_malformed.c b/libarchive/test/test_read_format_7zip_malformed.c
new file mode 100644
index 000000000..4ca6f0913
--- /dev/null
+++ b/libarchive/test/test_read_format_7zip_malformed.c
@@ -0,0 +1,67 @@
+/*-
+ * Copyright (c) 2003-2007 Tim Kientzle
+ * Copyright (c) 2011 Michihiro NAKAJIMA
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "test.h"
+__FBSDID("$FreeBSD$");
+
+static void
+test_malformed1(void)
+{
+	const char *refname = "test_read_format_7zip_malformed.7z";
+	struct archive *a;
+	struct archive_entry *ae;
+
+	extract_reference_file(refname);
+
+	assert((a = archive_read_new()) != NULL);
+	assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
+	assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
+	assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, refname, 10240));
+	assertEqualIntA(a, ARCHIVE_FATAL, archive_read_next_header(a, &ae));
+	assertEqualIntA(a, ARCHIVE_OK, archive_read_free(a));
+}
+
+static void
+test_malformed2(void)
+{
+	const char *refname = "test_read_format_7zip_malformed2.7z";
+	struct archive *a;
+	struct archive_entry *ae;
+
+	extract_reference_file(refname);
+
+	assert((a = archive_read_new()) != NULL);
+	assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
+	assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
+	assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, refname, 10240));
+	assertEqualIntA(a, ARCHIVE_FATAL, archive_read_next_header(a, &ae));
+	assertEqualIntA(a, ARCHIVE_OK, archive_read_free(a));
+}
+
+DEFINE_TEST(test_read_format_7zip_malformed)
+{
+	test_malformed1();
+	test_malformed2();
+}
diff --git a/libarchive/test/test_read_format_7zip_malformed2.7z.uu b/libarchive/test/test_read_format_7zip_malformed2.7z.uu
new file mode 100644
index 000000000..e629a78f5
--- /dev/null
+++ b/libarchive/test/test_read_format_7zip_malformed2.7z.uu
@@ -0,0 +1,5 @@
+begin 644 test_read_format_7zip_malformed2.7z
+M-WJ\KR<<,#"@P/<&!P````````!(`````````&:^$Y<P,#`P,#`P`00&``$)
+(!P`'"S`!#`P`
+`
+end
-- 
2.47.2