Issue 719: Fix for TALOS-CAN-154
A RAR file with an invalid zero dictionary size was not being
rejected, leading to a zero-sized allocation for the dictionary
storage which was then overwritten during the dictionary initialization.

Thanks to the Open Source and Threat Intelligence project at Cisco for
reporting this.
kientzle committed Jun 19, 2016
1 parent e79ef30 commit 05caadc
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions libarchive/archive_read_support_format_rar.c
Expand Up @@ -2127,6 +2127,12 @@ parse_codes(struct archive_read *a)
rar->range_dec.Stream = &rar->bytein;
__archive_ppmd7_functions.Ppmd7_Construct(&rar->ppmd7_context);

if (rar->dictionary_size == 0) {
archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
"Invalid zero dictionary size");
return (ARCHIVE_FATAL);
}

if (!__archive_ppmd7_functions.Ppmd7_Alloc(&rar->ppmd7_context,
rar->dictionary_size, &g_szalloc))
{
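Review bot: The new `if (rar->dictionary_size == 0)` test rejects only an exact zero, so every other small value still reaches `Ppmd7_Alloc` unchecked. The commit message places the overwrite in dictionary initialization, so it is worth confirming whether that initialization needs a minimum size and, if it does, comparing against that minimum here rather than zero. The check also sits after `Ppmd7_Construct`; moving it above the `rar->range_dec.Stream` assignment would make the early `return (ARCHIVE_FATAL)` happen before any decoder state is touched. Only one file is changed, so a regression test that feeds a zero-dictionary-size archive through `parse_codes` would be a useful follow-up.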

1 comment on commit 05caadc

@mmatuska
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.