From 313bcd7ac547f7cc25945831f63507420c0874d7 Mon Sep 17 00:00:00 2001
From: Grzegorz Antoniak <ga@anadoxin.org>
Date: Sat, 13 Feb 2021 10:13:22 +0100
Subject: [PATCH] RAR5 reader: add more checks for invalid extraction
 parameters

Some specially crafted files declare invalid extraction parameters that
can confuse the RAR5 reader.

One of the arguments is the declared window size parameter that the
archive file can declare for each file stored in the archive. Some
crafted files declare window size equal to 0, which is clearly wrong.

This commit adds additional safety checks, making the RAR5 reader less
tolerant of malformed input.

This commit also contains OSSFuzz sample #30459.
---
 Makefile.am                                   |  1 +
 libarchive/archive_read_support_format_rar5.c | 10 ++++++++++
 libarchive/test/test_read_format_rar5.c       | 19 +++++++++++++++++++
 ...t_rar5_bad_window_sz_in_mltarc_file.rar.uu |  7 +++++++
 4 files changed, 37 insertions(+)
 create mode 100644 libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu

Upstream-Status: Backport [https://github.com/libarchive/libarchive/pull/1493/commits/313bcd7ac547f7cc25945831f63507420c0874d7]
CVE: CVE-2021-36976
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>

--- libarchive-3.4.2.orig/Makefile.am
+++ libarchive-3.4.2/Makefile.am
@@ -882,6 +882,7 @@ libarchive_test_EXTRA_DIST=\
 	libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
 	libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
 	libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
+	libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu \
 	libarchive/test/test_read_format_raw.bufr.uu \
 	libarchive/test/test_read_format_raw.data.gz.uu \
 	libarchive/test/test_read_format_raw.data.Z.uu \
--- libarchive-3.4.2.orig/libarchive/archive_read_support_format_rar5.c
+++ libarchive-3.4.2/libarchive/archive_read_support_format_rar5.c
@@ -3637,6 +3637,16 @@ static int do_uncompress_file(struct arc
 		rar->cstate.initialized = 1;
 	}
 
+	/* Don't allow extraction if window_size is invalid. */
+	if(rar->cstate.window_size == 0) {
+		archive_set_error(&a->archive,
+			ARCHIVE_ERRNO_FILE_FORMAT,
+			"Invalid window size declaration in this file");
+
+		/* This should never happen in valid files. */
+		return ARCHIVE_FATAL;
+	}
+
 	if(rar->cstate.all_filters_applied == 1) {
 		/* We use while(1) here, but standard case allows for just 1
 		 * iteration. The loop will iterate if process_block() didn't
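Review bot: The new window_size guard is placed after the `rar->cstate.initialized = 1; }` block whose tail opens this hunk, so a zero window_size has already gone through that initialization path before it is rejected here. If that path sizes, allocates or masks buffers from `rar->cstate.window_size` (not visible in this hunk), the check belongs before `if(!rar->cstate.initialized)` so the invalid value never reaches it; otherwise a comment should record why the ordering is safe, e.g. `/* Checked after init: the initialization path must tolerate window_size == 0 — TODO confirm */`. The check also only rejects the exact value 0; whether other declared sizes are validated elsewhere cannot be seen from here, and the comment `/* This should never happen in valid files. */` could say where window_size is set so a reader can verify that. do_uncompress_file() both starts and continues outside this hunk.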
--- libarchive-3.4.2.orig/libarchive/test/test_read_format_rar5.c
+++ libarchive-3.4.2/libarchive/test/test_read_format_rar5.c
@@ -1305,3 +1305,22 @@ DEFINE_TEST(test_read_format_rar5_decode
 
 	EPILOGUE();
 }
+
+DEFINE_TEST(test_read_format_rar5_bad_window_size_in_multiarchive_file)
+{
+	/* oss fuzz 30459 */
+
+	char buf[4096];
+	PROLOGUE("test_read_format_rar5_bad_window_sz_in_mltarc_file.rar");
+
+	/* This file is damaged, so those functions should return failure.
+	 * Additionally, SIGSEGV shouldn't be raised during execution
+	 * of those functions. */
+
+	(void) archive_read_next_header(a, &ae);
+	while(0 < archive_read_data(a, buf, sizeof(buf))) {}
+	(void) archive_read_next_header(a, &ae);
+	while(0 < archive_read_data(a, buf, sizeof(buf))) {}
+
+	EPILOGUE();
+}
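Review bot: The comment at the top of the new test says "those functions should return failure", but every `archive_read_next_header()` result is discarded with `(void)` and the `while` loops only drain `archive_read_data()`, so the test still passes if the damaged file is silently accepted; as written it is a crash-only regression test. Either make the comment say that, e.g. `/* This file is damaged; the calls below are expected to fail, but this test only verifies that they do so without raising SIGSEGV. */`, or keep the final `archive_read_data()` return in a local and `assert` it is negative so the ARCHIVE_FATAL path added in the reader is actually exercised. Note also that the fixture named in PROLOGUE (`..._bad_window_sz_in_mltarc_file.rar`) differs from the name on the `begin` line of the .uu file (`..._bad_window_size_in_multiarchive_file.rar`); this is presumably fine if the test harness ignores the embedded name, but it is worth confirming. The test body is complete within the hunk.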
--- /dev/null
+++ libarchive-3.4.2/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
@@ -0,0 +1,7 @@
+begin 644 test_read_format_rar5_bad_window_size_in_multiarchive_file.rar
+M4F%R(1H'`0`]/-[E`@$`_R`@1#[Z5P("`PL`("`@@"(`"?\@("#___\@("`@
+M("`@("`@("`@4X`J]`,"YR(#$($@("`@``$@("`@@<L0("`@("`@("`@("`@
+M("`@(""LCTJA`P$%`B`@`2!3@"KT`P+G(@,@("`@_P,!!B`@(/___R`@(('+
+5$"`OX2`@[.SL[.S_("`@("`@("`@
+`
+end