Reject filters when the block length is nonsensical

author Tim Kientzle <kientzle@acm.org>

Mon, 2 Mar 2026 04:24:56 +0000 (20:24 -0800)

committer Tim Kientzle <kientzle@acm.org>

Tue, 10 Mar 2026 02:26:51 +0000 (19:26 -0700)
author Tim Kientzle <kientzle@acm.org>
Mon, 2 Mar 2026 04:24:56 +0000 (20:24 -0800)
committer Tim Kientzle <kientzle@acm.org>
Tue, 10 Mar 2026 02:26:51 +0000 (19:26 -0700)
diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c

index ad48bfab67e06aa1552f3ad33221f78718974277..778537be93e53af9beb4d849b4601f7512e50170 100644 (file)
--- a/libarchive/archive_read_support_format_rar5.c
+++ b/libarchive/archive_read_support_format_rar5.c
@@ -3044,7 +3044,9 @@ static int parse_filter(struct archive_read* ar, const uint8_t* p) {
         if(block_length < 4 ||
             block_length > 0x400000 ||
             filter_type > FILTER_ARM ||
-           !is_valid_filter_block_start(rar, block_start))
+           !is_valid_filter_block_start(rar, block_start) ||
+           (rar->cstate.window_size > 0 &&
+            (ssize_t)block_length > rar->cstate.window_size >> 1))
         {
                 archive_set_error(&ar->archive, ARCHIVE_ERRNO_FILE_FORMAT,
                     "Invalid filter encountered");
author	Tim Kientzle <kientzle@acm.org>
	Mon, 2 Mar 2026 04:24:56 +0000 (20:24 -0800)
committer	Tim Kientzle <kientzle@acm.org>
	Tue, 10 Mar 2026 02:26:51 +0000 (19:26 -0700)