Invalid read in function copy_from_lzss_window() when unpacking malformed rar

[kwrobot]

Original issue 413 created by Google Code user hanno@hboeck.de on 2015-03-05T09:37:02.000Z:

Attached file will cause an invalid read access in the function copy_from_lzss_window(). This can be seen with address sanitizer or valgrind.

Found with american fuzzy lop.

Address Sanitizer crash dump:
==30812==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ed74 at pc 0x00000048f530 bp 0x7fffaf958c70 sp 0x7fffaf958430
READ of size 48 at 0x60200000ed74 thread T0
    #0 0x48f52f in __asan_memcpy (/mnt/ram/libarchive-master/bsdtar+0x48f52f)
    #1 0x624619 in copy_from_lzss_window /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:2888:7
    #2 0x61ddfd in read_data_compressed /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:2029:11
    #3 0x61ddfd in archive_read_format_rar_read_data /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:1025
    #4 0x5223cd in _archive_read_data_block /mnt/ram/libarchive-master/libarchive/archive_read.c:969:9
    #5 0x6c7d03 in archive_read_data_block /mnt/ram/libarchive-master/libarchive/archive_virtual.c:161:10
    #6 0x54a542 in copy_data /mnt/ram/libarchive-master/libarchive/archive_read_extract2.c:139:7
    #7 0x54a542 in archive_read_extract2 /mnt/ram/libarchive-master/libarchive/archive_read_extract2.c:101
    #8 0x4d2931 in read_archive /mnt/ram/libarchive-master/tar/read.c:361:9
    #9 0x4d3a83 in tar_mode_x /mnt/ram/libarchive-master/tar/read.c:104:2
    #10 0x4c8d94 in main /mnt/ram/libarchive-master/tar/bsdtar.c:805:3
    #11 0x7fd53b4abf9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #12 0x4c412c in _start (/mnt/ram/libarchive-master/bsdtar+0x4c412c)

0x60200000ed74 is located 0 bytes to the right of 4-byte region [0x60200000ed70,0x60200000ed74)
allocated by thread T0 here:
    #0 0x4a6d8e in realloc (/mnt/ram/libarchive-master/bsdtar+0x4a6d8e)
    #1 0x62726f in parse_codes /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:2295:18
    #2 0x617ea1 in read_data_compressed /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:1921:41
    #3 0x617ea1 in archive_read_format_rar_read_data /mnt/ram/libarchive-master/libarchive/archive_read_support_format_rar.c:1025
    #4 0x5223cd in _archive_read_data_block /mnt/ram/libarchive-master/libarchive/archive_read.c:969:9
    #5 0x4d2931 in read_archive /mnt/ram/libarchive-master/tar/read.c:361:9
    #6 0x4d3a83 in tar_mode_x /mnt/ram/libarchive-master/tar/read.c:104:2
    #7 0x4c8d94 in main /mnt/ram/libarchive-master/tar/bsdtar.c:805:3
    #8 0x7fd53b4abf9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289

See attachment: bsdtar-invalid-read.rar
See attachment: bsdtar-invalid-read.rar.asan.txt

[kientzle]

Commit 603454e adds checks here to reject requests to copy more data than is available in the decompression buffer.