File CVE-2015-8926.patch of Package libarchive.3431

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2015-8926.patch of Package libarchive.3431

commit aab73938f8914f0def6cdd5d5be3f142ae7c77f6
Author: Tim Kientzle <kientzle@acm.org>
Date:   Tue Mar 3 20:17:37 2015 -0800

Issue 410: Segfault on invalid rar archive
    
    Libarchive's API passes a void ** which is set by the format
    to the address of the entry data that was just read.
    
    In one particular case, the RAR decompression logic uses a
    non-NULL value here to indicate that the internal 128k decompression
    buffer has been filled.  But the RAR code took no steps to ensure
    that the value was set NULL on entry.  As a result, a crafted RAR
    file can trick libarchive into returning to the caller a 128k block
    of data starting at whatever value was previously in the caller's
    variable.
    
    The fix is simply to set *buff = NULL on entry to the RAR
    decompression logic.

Index: libarchive-3.1.2/libarchive/archive_read_support_format_rar.c
===================================================================
--- libarchive-3.1.2.orig/libarchive/archive_read_support_format_rar.c
+++ libarchive-3.1.2/libarchive/archive_read_support_format_rar.c
@@ -944,8 +944,8 @@ archive_read_format_rar_read_data(struct
       rar->bytes_unconsumed = 0;
   }
 
+  *buff = NULL;
   if (rar->entry_eof || rar->offset_seek >= rar->unp_size) {
-    *buff = NULL;
     *size = 0;
     *offset = rar->offset;
     if (*offset < rar->unp_size)

Places

File CVE-2015-8926.patch of Package libarchive.3431

Places