37 lines
1.3 KiB
Diff
37 lines
1.3 KiB
Diff
From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
|
|
From: Wei-Cheng Pan <legnaleurc@gmail.com>
|
|
Date: Mon, 29 Apr 2024 06:50:22 +0900
|
|
Subject: [PATCH] fix: OOB in rar delta filter (#2148)
|
|
|
|
Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
|
|
Since `dst` won't move in this function, and we are only increasing `src`
|
|
position, this check should be enough. It should be safe to early return
|
|
because this function does not allocate resources.
|
|
---
|
|
libarchive/archive_read_support_format_rar.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
|
|
index 79669a8f..619ee81e 100644
|
|
--- a/libarchive/archive_read_support_format_rar.c
|
|
+++ b/libarchive/archive_read_support_format_rar.c
|
|
@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
|
|
{
|
|
uint8_t lastbyte = 0;
|
|
for (idx = i; idx < length; idx += numchannels)
|
|
+ {
|
|
+ /*
|
|
+ * The src block should not overlap with the dst block.
|
|
+ * If so it would be better to consider this archive is broken.
|
|
+ */
|
|
+ if (src >= dst)
|
|
+ return 0;
|
|
lastbyte = dst[idx] = lastbyte - *src++;
|
|
+ }
|
|
}
|
|
|
|
filter->filteredblockaddress = length;
|
|
--
|
|
2.46.2
|
|
|