Fix CVE-2023-40477

debian/patches/CVE-2023-40477.patch

@@ -0,0 +1,99 @@
+From: YOKOTA Hiroshi <yokota.hgml@gmail.com>
+Date: Fri, 21 Jul 2023 00:33:42 +0900
+Subject: CVE-2023-40477
+
+aka. ZDI-23-1152
+https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
+---
+ getbits.cpp     |  8 ++++----
+ pathfn.cpp      |  2 +-
+ recvol3.cpp     | 11 +++++++++--
+ secpassword.cpp |  6 +++---
+ 4 files changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/getbits.cpp b/getbits.cpp
+index e4db269..5d5ad2b 100644
+--- a/getbits.cpp
++++ b/getbits.cpp
+@@ -5,11 +5,11 @@ BitInput::BitInput(bool AllocBuffer)
+   ExternalBuffer=false;
+   if (AllocBuffer)
+   {
+-    // getbits32 attempts to read data from InAddr, ... InAddr+3 positions.
+-    // So let's allocate 3 additional bytes for situation, when we need to
++    // getbits*() attempt to read data from InAddr, ... InAddr+4 positions.
++    // So let's allocate 4 additional bytes for situation, when we need to
+     // read only 1 byte from the last position of buffer and avoid a crash
+-    // from access to next 3 bytes, which contents we do not need.
+-    size_t BufSize=MAX_SIZE+3;
++    // from access to next 4 bytes, which contents we do not need.
++    size_t BufSize=MAX_SIZE+4;
+     InBuf=new byte[BufSize];
+
+     // Ensure that we get predictable results when accessing bytes in area
+diff --git a/pathfn.cpp b/pathfn.cpp
+index 32d2408..cce8f92 100644
+--- a/pathfn.cpp
++++ b/pathfn.cpp
+@@ -700,7 +700,7 @@ static void GenArcName(wchar *ArcName,const wchar *GenerateMask,uint ArcNumber,b
+       // Here we ensure that we have enough 'N' characters to fit all digits
+       // of archive number. We'll replace them by actual number later
+       // in this function.
+-      if (NCount<Digits)
++      if (NCount<Digits && wcslen(Mask)+Digits-NCount<ASIZE(Mask))
+       {
+         wmemmove(Mask+I+Digits,Mask+I+NCount,wcslen(Mask+I+NCount)+1);
+         wmemset(Mask+I,'N',Digits);
+diff --git a/recvol3.cpp b/recvol3.cpp
+index 0d18f07..d6e2f79 100644
+--- a/recvol3.cpp
++++ b/recvol3.cpp
+@@ -226,7 +226,7 @@ bool RecVolumes3::Restore(RAROptions *Cmd,const wchar *Name,bool Silent)
+       if (WrongParam)
+         continue;
+     }
+-    if (P[1]+P[2]>255)
++    if (P[0]<=0 || P[1]<=0 || P[2]<=0 || P[1]+P[2]>255 || P[0]+P[2]-1>255)
+       continue;
+     if (RecVolNumber!=0 && RecVolNumber!=P[1] || FileNumber!=0 && FileNumber!=P[2])
+     {
+@@ -238,7 +238,14 @@ bool RecVolumes3::Restore(RAROptions *Cmd,const wchar *Name,bool Silent)
+     wcscpy(PrevName,CurName);
+     File *NewFile=new File;
+     NewFile->TOpen(CurName);
+-    SrcFile[FileNumber+P[0]-1]=NewFile;
++
++    // This check is redundant taking into account P[I]>255 and P[0]+P[2]-1>255
++    // checks above. Still we keep it here for better clarity and security.
++    int SrcPos=FileNumber+P[0]-1;
++    if (SrcPos<0 || SrcPos>=ASIZE(SrcFile))
++      continue;
++    SrcFile[SrcPos]=NewFile;
++
+     FoundRecVolumes++;
+
+     if (RecFileSize==0)
+diff --git a/secpassword.cpp b/secpassword.cpp
+index 4865b3f..04296a6 100644
+--- a/secpassword.cpp
++++ b/secpassword.cpp
+@@ -142,7 +142,7 @@ size_t SecPassword::Length()
+   wchar Plain[MAXPASSWORD];
+   Get(Plain,ASIZE(Plain));
+   size_t Length=wcslen(Plain);
+-  cleandata(Plain,ASIZE(Plain));
++  cleandata(Plain,sizeof(Plain));
+   return Length;
+ }
+
+@@ -157,8 +157,8 @@ bool SecPassword::operator == (SecPassword &psw)
+   Get(Plain1,ASIZE(Plain1));
+   psw.Get(Plain2,ASIZE(Plain2));
+   bool Result=wcscmp(Plain1,Plain2)==0;
+-  cleandata(Plain1,ASIZE(Plain1));
+-  cleandata(Plain2,ASIZE(Plain2));
++  cleandata(Plain1,sizeof(Plain1));
++  cleandata(Plain2,sizeof(Plain2));
+   return Result;
+ }
+

debian/patches/series

@@ -1,3 +1,4 @@
 fix-buildflags
 CVE-2022-30333.diff
 CVE-2022-48579.patch
+CVE-2023-40477.patch