diff options
| author | Martin Matuška <martin@matuska.org> | 2022-02-08 08:16:45 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-02-08 08:16:45 +0100 |
| commit | 52224ebc2422245f463829aae86df204d858717b (patch) | |
| tree | d09a28337096aa6d43b3ea8b5fd4a4ee2a912105 /libarchive | |
| parent | 2a149c9b9804b8208db501b318743c74c27ea30b (diff) | |
| parent | 313bcd7ac547f7cc25945831f63507420c0874d7 (diff) | |
| download | libarchive-52224ebc2422245f463829aae86df204d858717b.tar.gz | |
Merge pull request #1493 from antekone/rar5_ossfuzz_30459
RAR5 reader: add more checks for invalid extraction parameters
Diffstat (limited to 'libarchive')
| -rw-r--r-- | libarchive/archive_read_support_format_rar5.c | 10 | ||||
| -rw-r--r-- | libarchive/test/test_read_format_rar5.c | 19 | ||||
| -rw-r--r-- | libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu | 7 |
3 files changed, 36 insertions, 0 deletions
diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c index 880ba661..a3cfa72e 100644 --- a/libarchive/archive_read_support_format_rar5.c +++ b/libarchive/archive_read_support_format_rar5.c @@ -3731,6 +3731,16 @@ static int do_uncompress_file(struct archive_read* a) { rar->cstate.initialized = 1; } + /* Don't allow extraction if window_size is invalid. */ + if(rar->cstate.window_size == 0) { + archive_set_error(&a->archive, + ARCHIVE_ERRNO_FILE_FORMAT, + "Invalid window size declaration in this file"); + + /* This should never happen in valid files. */ + return ARCHIVE_FATAL; + } + if(rar->cstate.all_filters_applied == 1) { /* We use while(1) here, but standard case allows for just 1 * iteration. The loop will iterate if process_block() didn't diff --git a/libarchive/test/test_read_format_rar5.c b/libarchive/test/test_read_format_rar5.c index 414401a1..acc90510 100644 --- a/libarchive/test/test_read_format_rar5.c +++ b/libarchive/test/test_read_format_rar5.c @@ -1328,3 +1328,22 @@ DEFINE_TEST(test_read_format_rar5_decode_number_out_of_bounds_read) EPILOGUE(); } + +DEFINE_TEST(test_read_format_rar5_bad_window_size_in_multiarchive_file) +{ + /* oss fuzz 30459 */ + + char buf[4096]; + PROLOGUE("test_read_format_rar5_bad_window_sz_in_mltarc_file.rar"); + + /* This file is damaged, so those functions should return failure. + * Additionally, SIGSEGV shouldn't be raised during execution + * of those functions. */ + + (void) archive_read_next_header(a, &ae); + while(0 < archive_read_data(a, buf, sizeof(buf))) {} + (void) archive_read_next_header(a, &ae); + while(0 < archive_read_data(a, buf, sizeof(buf))) {} + + EPILOGUE(); +}
\ No newline at end of file diff --git a/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu b/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu new file mode 100644 index 00000000..7684bc19 --- /dev/null +++ b/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu @@ -0,0 +1,7 @@ +begin 644 test_read_format_rar5_bad_window_size_in_multiarchive_file.rar +M4F%R(1H'`0`]/-[E`@$`_R`@1#[Z5P("`PL`("`@@"(`"?\@("#___\@("`@ +M("`@("`@("`@4X`J]`,"YR(#$($@("`@``$@("`@@<L0("`@("`@("`@("`@ +M("`@(""LCTJA`P$%`B`@`2!3@"KT`P+G(@,@("`@_P,!!B`@(/___R`@(('+ +5$"`OX2`@[.SL[.S_("`@("`@("`@ +` +end |