From: Martin Matuška Date: Sun, 6 Feb 2022 18:35:30 +0000 (+0100) Subject: Merge pull request #1491 from antekone/rar5_ossfuzz_30442 X-Git-Tag: v3.5.3~2 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=05591dd516aa454e6d37fc55a2facac5f91355eb;p=thirdparty%2Flibarchive.git Merge pull request #1491 from antekone/rar5_ossfuzz_30442 RAR5 reader: fix invalid memory access in some files --- diff --git a/Makefile.am b/Makefile.am index 2b6bbb4b1..256266245 100644 --- a/Makefile.am +++ b/Makefile.am @@ -888,6 +888,7 @@ libarchive_test_EXTRA_DIST=\ libarchive/test/test_read_format_rar5_different_winsize_on_merge.rar.uu \ libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \ libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \ + libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \ libarchive/test/test_read_format_raw.bufr.uu \ libarchive/test/test_read_format_raw.data.gz.uu \ libarchive/test/test_read_format_raw.data.Z.uu \ diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c index e46225759..63345f8f3 100644 --- a/libarchive/archive_read_support_format_rar5.c +++ b/libarchive/archive_read_support_format_rar5.c @@ -1730,14 +1730,29 @@ static int process_head_file(struct archive_read* a, struct rar5* rar, } } - /* If we're currently switching volumes, ignore the new definition of - * window_size. */ - if(rar->cstate.switch_multivolume == 0) { - /* Values up to 64M should fit into ssize_t on every - * architecture. */ - rar->cstate.window_size = (ssize_t) window_size; + if(rar->cstate.window_size < (ssize_t) window_size && + rar->cstate.window_buf) + { + /* If window_buf has been allocated before, reallocate it, so + * that its size will match new window_size. */ + + uint8_t* new_window_buf = + realloc(rar->cstate.window_buf, window_size); + + if(!new_window_buf) { + archive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER, + "Not enough memory when trying to realloc the window " + "buffer."); + return ARCHIVE_FATAL; + } + + rar->cstate.window_buf = new_window_buf; } + /* Values up to 64M should fit into ssize_t on every + * architecture. */ + rar->cstate.window_size = (ssize_t) window_size; + if(rar->file.solid > 0 && rar->file.solid_window_size == 0) { /* Solid files have to have the same window_size across whole archive. Remember the window_size parameter diff --git a/libarchive/test/test_read_format_rar5.c b/libarchive/test/test_read_format_rar5.c index 07f6f31b3..74f843c75 100644 --- a/libarchive/test/test_read_format_rar5.c +++ b/libarchive/test/test_read_format_rar5.c @@ -1206,6 +1206,23 @@ DEFINE_TEST(test_read_format_rar5_different_window_size) EPILOGUE(); } +DEFINE_TEST(test_read_format_rar5_window_buf_and_size_desync) +{ + /* oss fuzz 30442 */ + + char buf[4096]; + PROLOGUE("test_read_format_rar5_window_buf_and_size_desync.rar"); + + /* Return codes of those calls are ignored, because this sample file + * is invalid. However, the unpacker shouldn't produce any SIGSEGV + * errors during processing. */ + + (void) archive_read_next_header(a, &ae); + while(0 < archive_read_data(a, buf, 46)) {} + + EPILOGUE(); +} + DEFINE_TEST(test_read_format_rar5_arm_filter_on_window_boundary) { char buf[4096]; diff --git a/libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu b/libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu new file mode 100644 index 000000000..9e7d20ff6 --- /dev/null +++ b/libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu @@ -0,0 +1,11 @@ +begin 644 test_read_format_rar5_window_buf_and_size_desync.rar +M4F%R(1H'`0`]/-[E`@$`_P$`1#[Z5P("`PL``BXB"?\`!(@B@0`)6.-AF?_1 +M^0DI&0GG(F%R(0<:)`!3@"KT`P+G(@O_X[\``#&``(?!!0$$[:L``$.M*E)A +MP0";/P1%``A*2DI*2DYQ<6TN9'%*2DI*2DI*``!DGNGIZ>8_^>GE/_``!. +` +end