]> git.ipfire.org Git - thirdparty/libarchive.git/commitdiff
projects / thirdparty / libarchive.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 515380e)
read: Fix memory corruption in client_switch_proxy
authorTobias Stoeckmann <tobias@stoeckmann.org>
Fri, 15 May 2026 15:08:55 +0000 (17:08 +0200)
committerTobias Stoeckmann <tobias@stoeckmann.org>
Fri, 15 May 2026 16:43:09 +0000 (18:43 +0200)
Switching a multi-volume archive file with another active filter, e.g.
decompression, can lead to memory corruption due to modifying the wrong
private data (self->data).

Use highest upstream filter to replace the correct private data.

Resolves GHSA-qf8j-cq3h-8m2m.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
libarchive/archive_read.c patch | blob | blame | history

diff --git a/libarchive/archive_read.c b/libarchive/archive_read.c
index dc42eb1756a26dde886aad4028267759a192ebd8..2bc386f06305a5a4e81cedd19dbe458a906914ad 100644 (file)
--- a/libarchive/archive_read.c
+++ b/libarchive/archive_read.c
@@ -255,10 +255,14 @@ client_close_proxy(struct archive_read_filter *self)
 static int
 client_switch_proxy(struct archive_read_filter *self, unsigned int iindex)
 {
-       struct archive_read *a = self->archive;
+       struct archive_read *a;
        int r1 = ARCHIVE_OK, r2 = ARCHIVE_OK;
        void *data2;
 
+       while (self->upstream != NULL)
+               self = self->upstream;
+       a = self->archive;
+
        /* Don't do anything if already in the specified data node */
        if (a->client.cursor == iindex)
                return (ARCHIVE_OK);
Mirror of https://github.com/libarchive/libarchive.git