e07076c926
Fixes the following security issue: - CVE-2019-18408: archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
37 lines
1.3 KiB
Diff
37 lines
1.3 KiB
Diff
From b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60 Mon Sep 17 00:00:00 2001
|
|
From: Martin Matuska <martin@matuska.org>
|
|
Date: Sat, 11 May 2019 02:36:53 +0200
|
|
Subject: [PATCH] RAR reader: fix use after free
|
|
|
|
If read_data_compressed() returns ARCHIVE_FAILED, the caller is allowed
|
|
to continue with next archive headers. We need to set rar->start_new_table
|
|
after the ppmd7_context got freed, otherwise it won't be allocated again.
|
|
|
|
Reported by: OSS-Fuzz issue 2582
|
|
|
|
[Peter: fixes CVE-2019-18408]
|
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
---
|
|
libarchive/archive_read_support_format_rar.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
|
|
index a8cc5c94..49360876 100644
|
|
--- a/libarchive/archive_read_support_format_rar.c
|
|
+++ b/libarchive/archive_read_support_format_rar.c
|
|
@@ -1024,8 +1024,10 @@ archive_read_format_rar_read_data(struct archive_read *a, const void **buff,
|
|
case COMPRESS_METHOD_GOOD:
|
|
case COMPRESS_METHOD_BEST:
|
|
ret = read_data_compressed(a, buff, size, offset);
|
|
- if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN)
|
|
+ if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN) {
|
|
__archive_ppmd7_functions.Ppmd7_Free(&rar->ppmd7_context);
|
|
+ rar->start_new_table = 1;
|
|
+ }
|
|
break;
|
|
|
|
default:
|
|
--
|
|
2.20.1
|
|
|