Merge pull request #1493 from antekone/rar5_ossfuzz_30459
authorMartin Matuška <martin@matuska.org>
Tue, 8 Feb 2022 07:16:45 +0000 (08:16 +0100)
committerMartin Matuska <martin@matuska.org>
Tue, 8 Feb 2022 07:18:03 +0000 (08:18 +0100)
RAR5 reader: add more checks for invalid extraction parameters

Makefile.am
libarchive/archive_read_support_format_rar5.c
libarchive/test/test_read_format_rar5.c
libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu [new file with mode: 0644]

index 2562662451ba64dfeec196a2b2196771a31d15bd..103773c74f502991cf7183cf0a06858860a837f3 100644 (file)
@@ -889,6 +889,7 @@ libarchive_test_EXTRA_DIST=\
        libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
        libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
        libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
+       libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu \
        libarchive/test/test_read_format_raw.bufr.uu \
        libarchive/test/test_read_format_raw.data.gz.uu \
        libarchive/test/test_read_format_raw.data.Z.uu \
index 63345f8f3553f8afda91cfc452bc91ed2aa565b2..734d62faf1c34e0e01c340c2f463c40f001e73bd 100644 (file)
@@ -3631,6 +3631,16 @@ static int do_uncompress_file(struct archive_read* a) {
                rar->cstate.initialized = 1;
        }
 
+       /* Don't allow extraction if window_size is invalid. */
+       if(rar->cstate.window_size == 0) {
+               archive_set_error(&a->archive,
+                       ARCHIVE_ERRNO_FILE_FORMAT,
+                       "Invalid window size declaration in this file");
+
+               /* This should never happen in valid files. */
+               return ARCHIVE_FATAL;
+       }
+
        if(rar->cstate.all_filters_applied == 1) {
                /* We use while(1) here, but standard case allows for just 1
                 * iteration. The loop will iterate if process_block() didn't
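Review bot: The new guard in do_uncompress_file() rejects only `window_size == 0`, so a non-zero value that no longer matches the size the window buffer was allocated with would still pass it. Whether that state is reachable cannot be seen from this hunk, but the neighbouring fixture name `test_read_format_rar5_window_buf_and_size_desync` in Makefile.am suggests size and buffer have drifted apart before. The comment could state the invariant rather than restate the condition, e.g. `/* window_size is declared by the archive; zero means no window was ever sized, so decoding must not start. */`. If the allocated size is tracked anywhere, comparing against it here would cover the non-zero case too. The function body starts before and continues after the hunk.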
index 74f843c75f87091a3e8c6a4e5b358c0469cc4abe..11f6c158b65369588534ee7ab8d8af95bfed06b5 100644 (file)
@@ -1305,3 +1305,22 @@ DEFINE_TEST(test_read_format_rar5_decode_number_out_of_bounds_read)
 
        EPILOGUE();
 }
+
+DEFINE_TEST(test_read_format_rar5_bad_window_size_in_multiarchive_file)
+{
+       /* oss fuzz 30459 */
+
+       char buf[4096];
+       PROLOGUE("test_read_format_rar5_bad_window_sz_in_mltarc_file.rar");
+
+       /* This file is damaged, so those functions should return failure.
+        * Additionally, SIGSEGV shouldn't be raised during execution
+        * of those functions. */
+
+       (void) archive_read_next_header(a, &ae);
+       while(0 < archive_read_data(a, buf, sizeof(buf))) {}
+       (void) archive_read_next_header(a, &ae);
+       while(0 < archive_read_data(a, buf, sizeof(buf))) {}
+
+       EPILOGUE();
+}
\ No newline at end of file
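Review bot: The comment in the new test says the calls "should return failure", but every return value is either discarded with `(void)` or used only as a loop condition, so the test passes on any outcome that does not crash. If the new error path is the intended result, pin it with something like `assertEqualInt(ARCHIVE_FATAL, archive_read_data(a, buf, sizeof(buf)));`. Which of the four calls is expected to fail is not visible here, so confirm that against the fixture. Separately, the fixture's `begin 644` line names `test_read_format_rar5_bad_window_size_in_multiarchive_file.rar`, while PROLOGUE and Makefile.am use `test_read_format_rar5_bad_window_sz_in_mltarc_file.rar`. That is probably harmless if the harness ignores the embedded name, but the two are worth aligning.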
diff --git a/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu b/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
new file mode 100644 (file)
index 0000000..7684bc1
--- /dev/null
@@ -0,0 +1,7 @@
+begin 644 test_read_format_rar5_bad_window_size_in_multiarchive_file.rar
+M4F%R(1H'`0`]/-[E`@$`_R`@1#[Z5P("`PL`("`@@"(`"?\@("#___\@("`@
+M("`@("`@("`@4X`J]`,"YR(#$($@("`@``$@("`@@<L0("`@("`@("`@("`@
+M("`@(""LCTJA`P$%`B`@`2!3@"KT`P+G(@,@("`@_P,!!B`@(/___R`@(('+
+5$"`OX2`@[.SL[.S_("`@("`@("`@
+`
+end