diff options
author | Martin Matuska <mm@FreeBSD.org> | 2022-04-03 11:44:32 +0000 |
---|---|---|
committer | Martin Matuska <mm@FreeBSD.org> | 2022-04-03 11:44:32 +0000 |
commit | d0dbd88ba9852a848ed29bba8b4147b09367e93d (patch) | |
tree | c516f481713456dab2aa8566f1ed3028210a4493 | |
parent | b36466f05a59c7b508ed5c1952079a3769d686b8 (diff) | |
download | src-d0dbd88ba9852a848ed29bba8b4147b09367e93d.tar.gz src-d0dbd88ba9852a848ed29bba8b4147b09367e93d.zip |
Update vendor/libarchive to libarchive/libarchive@db7145537
Bugfixes:
IS #1685 and OSS-Fuzz #38764:
(ISO reader) fix possible heap buffer overflow in read_children()
IS #1715 and OSS-Fuzz #46279:
(RARv4 reader) fix heap-use-after-free in run_filters()
Obtained from: libarchive
Libarchive commit: db714553712debbc447383f735e022031dc13127
-rw-r--r-- | libarchive/archive_read_support_format_iso9660.c | 3 | ||||
-rw-r--r-- | libarchive/archive_read_support_format_rar.c | 17 |
2 files changed, 19 insertions, 1 deletions
diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c index db14d41dff45..cd7f92f464d6 100644 --- a/libarchive/archive_read_support_format_iso9660.c +++ b/libarchive/archive_read_support_format_iso9660.c @@ -1007,7 +1007,8 @@ read_children(struct archive_read *a, struct file_info *parent) p = b; b += iso9660->logical_block_size; step -= iso9660->logical_block_size; - for (; *p != 0 && p < b && p + *p <= b; p += *p) { + for (; *p != 0 && p + DR_name_offset < b && p + *p <= b; + p += *p) { struct file_info *child; /* N.B.: these special directory identifiers diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c index 7a7318522650..f9cbe2a8810d 100644 --- a/libarchive/archive_read_support_format_rar.c +++ b/libarchive/archive_read_support_format_rar.c @@ -3328,6 +3328,7 @@ run_filters(struct archive_read *a) struct rar *rar = (struct rar *)(a->format->data); struct rar_filters *filters = &rar->filters; struct rar_filter *filter = filters->stack; + struct rar_filter *f; size_t start, end; int64_t tend; uint32_t lastfilteraddress; @@ -3345,6 +3346,22 @@ run_filters(struct archive_read *a) ret = expand(a, &tend); if (ret != ARCHIVE_OK) return 0; + + /* Check if filter stack was modified in expand() */ + ret = ARCHIVE_FATAL; + f = filters->stack; + while (f) + { + if (f == filter) + { + ret = ARCHIVE_OK; + break; + } + f = f->next; + } + if (ret != ARCHIVE_OK) + return 0; + if (tend < 0) return 0; end = (size_t)tend; |