File CVE-2019-18408.patch of Package libarchive

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-18408.patch of Package libarchive

From b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60 Mon Sep 17 00:00:00 2001
From: Martin Matuska <martin@matuska.org>
Date: Sat, 11 May 2019 02:36:53 +0200
Subject: [PATCH] RAR reader: fix use after free

If read_data_compressed() returns ARCHIVE_FAILED, the caller is allowed
to continue with next archive headers. We need to set rar->start_new_table
after the ppmd7_context got freed, otherwise it won't be allocated again.

Reported by: OSS-Fuzz issue 2582
---
 libarchive/archive_read_support_format_rar.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Index: libarchive-3.3.2/libarchive/archive_read_support_format_rar.c
===================================================================
--- libarchive-3.3.2.orig/libarchive/archive_read_support_format_rar.c
+++ libarchive-3.3.2/libarchive/archive_read_support_format_rar.c
@@ -1038,8 +1038,10 @@ archive_read_format_rar_read_data(struct
   case COMPRESS_METHOD_GOOD:
   case COMPRESS_METHOD_BEST:
     ret = read_data_compressed(a, buff, size, offset);
-    if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN)
+    if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN) {
       __archive_ppmd7_functions.Ppmd7_Free(&rar->ppmd7_context);
+      rar->start_new_table = 1;
+    }
     break;
 
   default:

Places

File CVE-2019-18408.patch of Package libarchive

Places