Date:      Wed, 6 Apr 2022 11:32:40 GMT
From:      Martin Matuska <mm@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 9c1ad063e5d1 - releng/13.1 - libarchive: merge vendor bugfixes
Message-ID:  <202204061132.236BWeJ7021924@gitrepo.freebsd.org>

The branch releng/13.1 has been updated by mm:

URL: https://cgit.FreeBSD.org/src/commit/?id=9c1ad063e5d14979651f7dc620cb1ea044c074f3

commit 9c1ad063e5d14979651f7dc620cb1ea044c074f3
Author:     Martin Matuska <mm@FreeBSD.org>
AuthorDate: 2022-04-03 12:21:28 +0000
Commit:     Martin Matuska <mm@FreeBSD.org>
CommitDate: 2022-04-06 11:32:07 +0000

    libarchive: merge vendor bugfixes
    
    Bugfixes:
      IS #1685 and OSS-Fuzz #38764 (security):
        (ISO reader) fix possible heap buffer overflow in read_children()
      IS #1715 and OSS-Fuzz #46279 (security):
        (RARv4 reader) fix heap-use-after-free in run_filters()
    
    Approved by:    re (gjb)
    
    (cherry picked from commit 9f690fcfdc050f566466ac10cca29ff43bf4fe92)
    (cherry picked from commit 43a449f2f1feae53a1302821db6940fd364fa171)
---
 .../libarchive/archive_read_support_format_iso9660.c    |  3 ++-
 .../libarchive/archive_read_support_format_rar.c        | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/contrib/libarchive/libarchive/archive_read_support_format_iso9660.c b/contrib/libarchive/libarchive/archive_read_support_format_iso9660.c
index 806f36cbe10b..15ded7c561e5 100644
--- a/contrib/libarchive/libarchive/archive_read_support_format_iso9660.c
+++ b/contrib/libarchive/libarchive/archive_read_support_format_iso9660.c
@@ -1007,7 +1007,8 @@ read_children(struct archive_read *a, struct file_info *parent)
 		p = b;
 		b += iso9660->logical_block_size;
 		step -= iso9660->logical_block_size;
-		for (; *p != 0 && p < b && p + *p <= b; p += *p) {
+		for (; *p != 0 && p + DR_name_offset < b && p + *p <= b;
+			p += *p) {
 			struct file_info *child;
 
 			/* N.B.: these special directory identifiers
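Review bot: The dereference `*p != 0` is still evaluated before the new bounds term `p + DR_name_offset < b`, and because the step `p += *p` is only bounded by `p + *p <= b`, p can land exactly on b before the condition is re-tested, so the byte at b is read before the bounds term rejects the position; writing the condition as `for (; p + DR_name_offset < b && *p != 0 && p + *p <= b;` terminates in exactly the same cases but never touches p at or past b. Whether the byte at b is inside the read-ahead buffer depends on how the block was obtained, which is outside this hunk, so treat that as something to confirm. A one-line comment above the loop would also tell a reader why DR_name_offset is the bound: `/* A record must reach DR_name_offset inside this block before it is parsed. */`. read_children's body starts before and continues after the hunk.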
diff --git a/contrib/libarchive/libarchive/archive_read_support_format_rar.c b/contrib/libarchive/libarchive/archive_read_support_format_rar.c
index 7a7318522650..f9cbe2a8810d 100644
--- a/contrib/libarchive/libarchive/archive_read_support_format_rar.c
+++ b/contrib/libarchive/libarchive/archive_read_support_format_rar.c
@@ -3328,6 +3328,7 @@ run_filters(struct archive_read *a)
   struct rar *rar = (struct rar *)(a->format->data);
   struct rar_filters *filters = &rar->filters;
   struct rar_filter *filter = filters->stack;
+  struct rar_filter *f;
   size_t start, end;
   int64_t tend;
   uint32_t lastfilteraddress;
@@ -3345,6 +3346,22 @@ run_filters(struct archive_read *a)
   ret = expand(a, &tend);
   if (ret != ARCHIVE_OK)
     return 0;
+
+  /* Check if filter stack was modified in expand() */
+  ret = ARCHIVE_FATAL;
+  f = filters->stack;
+  while (f)
+  {
+    if (f == filter)
+    {
+      ret = ARCHIVE_OK;
+      break;
+    }
+    f = f->next;
+  }
+  if (ret != ARCHIVE_OK)
+    return 0;
+
   if (tend < 0)
     return 0;
   end = (size_t)tend;
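Review bot: In the added membership walk, `ret` is reused as a found flag (`ret = ARCHIVE_FATAL`, then `ARCHIVE_OK` on a hit), which reads as if an archive status were being produced rather than a pointer comparison; the same check is clearer as `for (f = filters->stack; f != NULL && f != filter; f = f->next) {}` followed by `if (f == NULL)` / `return 0;`, and it matches the style of the two early returns around it. The walk establishes only that the node `filter` still sits on `filters->stack` after expand(); if expand() freed that node and a later allocation handed back the same address the walk would still succeed, so whether that window exists depends on the allocation paths inside expand(), which this hunk does not show. A comment stating the invariant being protected would help the next reader: `/* expand() may rebuild the filter stack; do not continue with a stale head pointer. */`. run_filters' body continues past the hunk.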


