From: Tobias Stoeckmann Date: Fri, 15 May 2026 15:08:55 +0000 (+0200) Subject: read: Fix memory corruption in client_switch_proxy X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=effba1c8cb919b38e9d279b0aabc7262eeb400d3;p=thirdparty%2Flibarchive.git read: Fix memory corruption in client_switch_proxy Switching a multi-volume archive file with another active filter, e.g. decompression, can lead to memory corruption due to modifying the wrong private data (self->data). Use highest upstream filter to replace the correct private data. Resolves GHSA-qf8j-cq3h-8m2m. Signed-off-by: Tobias Stoeckmann --- diff --git a/libarchive/archive_read.c b/libarchive/archive_read.c index dc42eb175..2bc386f06 100644 --- a/libarchive/archive_read.c +++ b/libarchive/archive_read.c @@ -255,10 +255,14 @@ client_close_proxy(struct archive_read_filter *self) static int client_switch_proxy(struct archive_read_filter *self, unsigned int iindex) { - struct archive_read *a = self->archive; + struct archive_read *a; int r1 = ARCHIVE_OK, r2 = ARCHIVE_OK; void *data2; + while (self->upstream != NULL) + self = self->upstream; + a = self->archive; + /* Don't do anything if already in the specified data node */ if (a->client.cursor == iindex) return (ARCHIVE_OK);
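Review bot: the new `while (self->upstream != NULL) self = self->upstream;` loop at the top of client_switch_proxy has no comment explaining why the function must walk to the end of the upstream chain, and it overwrites the `self` parameter, so every later use of `self` in the function refers to a different filter than the one the caller passed. Suggest a short comment above the loop stating that the private data to replace belongs to the highest upstream filter, as the commit message says. Consider holding the result in a separate local rather than reassigning the parameter, so the distinction stays visible to the next reader. The patch as shown changes only libarchive/archive_read.c; a regression test for the case the commit message describes (switching a multi-volume archive while another filter such as decompression is active) would help keep the fix from regressing.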