Fix various crash, memory corruption and infinite loop conditions #1105
I have found some hangs, crashes and memory corruption issues in libarchive.
Two are in the RAR decoder. The first (patch 1) is a double-free via a
The second (patch 2) is memory corruption which seems to arise in ppmd7 decoding. The code can be made to read and write to a previously freed ppmd buffer by tricking the read-ahead code around multi-part archives. (This can be done even with a single archive file.) My gut feeling is that someone more skilled than I could cause arbitrary code execution with this, but I cannot say for certain.
There is a crash in ACL parsing for tar archives (patch 3). This is a simple NULL dereference leading to a crash.
The last of this batch is a quasi-infinite loop in the warc code (patch 4), where data isn't consumed after being written out, so a large Content-Length can be used to consume almost limitless time and space, leading to a DoS condition.
These were found with a combination of AFL, afl-rb and qsym.
There are some test cases at https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
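The warc condition above (patch 4) is a general bug class: a read loop that writes out whatever the read-ahead window holds but never consumes it, so the window never advances and only the attacker-supplied Content-Length decides when the loop ends. The following is an added illustration, not code from this PR or from libarchive; `struct stream`, `read_ahead`, `consume` and `read_record_body` are a hypothetical stand-in for a buffered archive reader, and the 64-byte input is constructed. The buggy variant is capped at a fixed number of passes so that it terminates; the fixed variant consumes what it wrote and reports a body that is shorter than its declared length instead of spinning.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffered input, standing in for an archive reader's
   read-ahead layer (not libarchive's API). */
struct stream {
    const uint8_t *data;
    size_t len;
    size_t pos;
};

/* Peek at up to `want` bytes without consuming them; *avail is 0 at EOF. */
static const uint8_t *read_ahead(struct stream *s, size_t want, size_t *avail) {
    size_t left = s->len - s->pos;
    *avail = want < left ? want : left;
    return s->data + s->pos;
}

/* Advance past bytes the caller has finished with. */
static void consume(struct stream *s, size_t n) { s->pos += n; }

struct result {
    uint64_t bytes_emitted; /* bytes handed to the caller ("written out") */
    uint64_t iterations;    /* loop passes before returning */
    bool truncated;         /* input ended before Content-Length was reached */
};

/* Copy `content_len` body bytes out of the stream in 16-byte windows.
   With consume_after_write == false the read-ahead window is never
   advanced, so every pass re-emits the same bytes and the loop ends only
   when the declared Content-Length is satisfied (or max_iters is hit). */
static struct result read_record_body(struct stream *s, uint64_t content_len,
                                      bool consume_after_write, uint64_t max_iters) {
    struct result r = {0, 0, false};
    uint8_t out[16];

    while (r.bytes_emitted < content_len) {
        if (r.iterations >= max_iters)
            break;                      /* demonstration cap only */
        r.iterations++;

        size_t avail;
        const uint8_t *p = read_ahead(s, sizeof out, &avail);
        if (avail == 0) {               /* real EOF: body shorter than declared */
            r.truncated = true;
            break;
        }
        uint64_t remaining = content_len - r.bytes_emitted;
        size_t n = remaining < avail ? (size_t)remaining : avail;
        memcpy(out, p, n);              /* "write out" this window */
        r.bytes_emitted += n;
        if (consume_after_write)
            consume(s, n);              /* the fix: advance past what was used */
    }
    return r;
}

/* Constructed 64-byte record body with a Content-Length far larger than
   the input (1 TiB). */
static const uint64_t DECLARED_LEN = (uint64_t)1 << 40;

static struct stream make_input(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)i;
    struct stream s = {buf, len, 0};
    return s;
}

/* Buggy reader: never consumes, re-emits the same window until the cap. */
struct result demo_buggy(void) {
    uint8_t buf[64];
    struct stream s = make_input(buf, sizeof buf);
    return read_record_body(&s, DECLARED_LEN, false, 1000);
}

/* Fixed reader: consumes each window, stops at real EOF and flags it. */
struct result demo_fixed(void) {
    uint8_t buf[64];
    struct stream s = make_input(buf, sizeof buf);
    return read_record_body(&s, DECLARED_LEN, true, 1000);
}

int main(void) {
    struct result b = demo_buggy(), f = demo_fixed();
    printf("buggy: %llu passes, %llu bytes emitted, truncated=%d\n",
           (unsigned long long)b.iterations, (unsigned long long)b.bytes_emitted, b.truncated);
    printf("fixed: %llu passes, %llu bytes emitted, truncated=%d\n",
           (unsigned long long)f.iterations, (unsigned long long)f.bytes_emitted, f.truncated);
    return 0;
}
```

Without the cap the buggy loop would run for 2^40 / 16 passes on a 64-byte file, which is the "almost limitless time and space" the description refers to; the fixed loop makes five passes and returns a truncated-body error, which is the behaviour a hardened reader should expose to its caller.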