Issue #718: Fix TALOS-CAN-152
If a 7-Zip archive declares a ridiculously large number of substreams,
it can overflow an internal counter, leading a subsequent memory
allocation to be too small for the substream data.

Thanks to the Open Source and Threat Intelligence project at Cisco
for reporting this issue.
kientzle committed Jun 19, 2016
1 parent d85976e commit e79ef30
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions libarchive/archive_read_support_format_7zip.c
Expand Up @@ -2153,6 +2153,9 @@ read_SubStreamsInfo(struct archive_read *a, struct _7z_substream_info *ss,
return (-1);
if (UMAX_ENTRY < f[i].numUnpackStreams)
return (-1);
if (unpack_streams > SIZE_MAX - UMAX_ENTRY) {
return (-1);
}
unpack_streams += (size_t)f[i].numUnpackStreams;
}
if ((p = header_bytes(a, 1)) == NULL)
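Review bot: The new guard on `unpack_streams` only stops the running total from wrapping `size_t`; it does not cap the total itself, so on a platform with a 64-bit `size_t` the sum can still grow to nearly `SIZE_MAX` before this returns -1. The commit message says the harm is an undersized allocation made later, and that allocation is not in this hunk, so it is worth confirming that any multiplication of `unpack_streams` by an element size at the allocation site has its own overflow check, or else bounding the total here against a sane maximum (for example `UMAX_ENTRY`, which the preceding line already applies per folder). Two smaller points: the test compares against `SIZE_MAX - UMAX_ENTRY` rather than `SIZE_MAX - f[i].numUnpackStreams`, which is safe because of the preceding `UMAX_ENTRY` check but deserves a one-line comment saying so; and the braces around the single `return (-1);` differ from the brace-less `if` statements directly above.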

1 comment on commit e79ef30

@mmatuska
Member