Date:      Wed, 23 Feb 2022 11:36:00 GMT
From:      Martin Matuska <mm@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 259a84aa0124 - stable/12 - libarchive: merge vendor bugfix
Message-ID:  <202202231136.21NBa02p092432@gitrepo.freebsd.org>

The branch stable/12 has been updated by mm:

URL: https://cgit.FreeBSD.org/src/commit/?id=259a84aa012487342b2439d4c992b45d9930ec97

commit 259a84aa012487342b2439d4c992b45d9930ec97
Author:     Martin Matuska <mm@FreeBSD.org>
AuthorDate: 2022-02-21 11:06:54 +0000
Commit:     Martin Matuska <mm@FreeBSD.org>
CommitDate: 2022-02-23 10:01:42 +0000

    libarchive: merge vendor bugfix
    
    OSS-Fuzz #44843 (security):
    RAR reader: fix null-dereference in RAR (v4) filter code
    
    (cherry picked from commit 5ccf909af9c1117172ff0742515da2d2e0cef89e)
---
 .../libarchive/libarchive/archive_read_support_format_rar.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/contrib/libarchive/libarchive/archive_read_support_format_rar.c b/contrib/libarchive/libarchive/archive_read_support_format_rar.c
index 388484a76809..7a7318522650 100644
--- a/contrib/libarchive/libarchive/archive_read_support_format_rar.c
+++ b/contrib/libarchive/libarchive/archive_read_support_format_rar.c
@@ -3328,20 +3328,25 @@ run_filters(struct archive_read *a)
   struct rar *rar = (struct rar *)(a->format->data);
   struct rar_filters *filters = &rar->filters;
   struct rar_filter *filter = filters->stack;
-  size_t start = filters->filterstart;
-  size_t end = start + filter->blocklength;
+  size_t start, end;
   int64_t tend;
   uint32_t lastfilteraddress;
   uint32_t lastfilterlength;
   int ret;
 
+  if (filters == NULL || filter == NULL)
+    return (0);
+
+  start = filters->filterstart;
+  end = start + filter->blocklength;
+
   filters->filterstart = INT64_MAX;
   tend = (int64_t)end;
   ret = expand(a, &tend);
   if (ret != ARCHIVE_OK)
-    return (ret);
+    return 0;
   if (tend < 0)
-    return (ARCHIVE_FATAL);
+    return 0;
   end = (size_t)tend;
   if (end != start + filter->blocklength)
     return 0;
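
Review bot: In the new guard at the top of run_filters(), the `filters == NULL` test can never be true, because `filters` is initialised as `&rar->filters`, the address of a struct member. Only `filter == NULL` (an empty `filters->stack`) protects the `filter->blocklength` read, so the condition could be reduced to `if (filter == NULL)`. The two error paths after expand() now return 0 instead of `ret` and `ARCHIVE_FATAL`, which the commit message does not mention; a short comment stating that run_filters() returns 0 on failure, matching the existing `return 0;` on the length mismatch, would make that intent clear to callers and future readers. The added `return (0);` and the changed `return 0;` lines also mix two return styles within the same hunk.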


