diff options
author | Grzegorz Antoniak <ga@anadoxin.org> | 2021-02-12 20:18:31 +0100 |
---|---|---|
committer | Grzegorz Antoniak <ga@anadoxin.org> | 2022-02-06 18:36:23 +0100 |
commit | 17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f (patch) | |
tree | 709d45424a7a57dfbf6fff79ea38691ee9f8c6f8 /Makefile.am | |
parent | 404873ce40a06f4ff05f76ecbc139a8fabb32d7c (diff) | |
download | libarchive-17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f.tar.gz |
RAR5 reader: fix invalid memory access in some files
RAR5 reader uses several variables to manage the window buffer during
extraction: the buffer itself (`window_buf`), the current size of the
window buffer (`window_size`), and a helper variable (`window_mask`)
that is used to constrain read and write offsets to the window buffer.
Some specially crafted files can force the unpacker to update the
`window_mask` variable to a value that is out of sync with current
buffer size. If the `window_mask` will be bigger than the actual buffer
size, then an invalid access operation can happen (SIGSEGV).
This commit ensures that if the `window_size` and `window_mask` will be
changed, the window buffer will be reallocated to the proper size, so no
invalid memory operation should be possible.
This commit contains a test file from OSSFuzz #30442.
Diffstat (limited to 'Makefile.am')
-rw-r--r-- | Makefile.am | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am index 7d75ef92..1523c539 100644 --- a/Makefile.am +++ b/Makefile.am @@ -894,6 +894,7 @@ libarchive_test_EXTRA_DIST=\ libarchive/test/test_read_format_rar5_different_winsize_on_merge.rar.uu \ libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \ libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \ + libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \ libarchive/test/test_read_format_raw.bufr.uu \ libarchive/test/test_read_format_raw.data.gz.uu \ libarchive/test/test_read_format_raw.data.Z.uu \ |