
RAR5 reader: reject files that declare invalid header flags #1326

Merged
merged 1 commit into from Feb 2, 2020

Conversation

@antekone (Contributor) commented Feb 2, 2020

One of the fields in RAR5's base block structure is the size of the header. Some invalid files declare a 0 header size setting, which can confuse the unpacker. The minimum header size for RAR5 base blocks is 7 bytes (4 bytes for the CRC, and 3 bytes for the rest), so a block size of 0 bytes should be rejected at the header parsing stage.

The fix adds an error condition if a header size of 0 bytes is detected. In this case, the unpacker will not attempt to unpack the file, as the header is corrupted.

The commit also adds the OSSFuzz #20459 sample to test for further regressions in this area.

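As an added example (not libarchive's code, nor the patch in this PR), here is a minimal RAR5 base-block header parser in C that applies the check described above: it skips the 4-byte CRC, decodes the header-size vint, rejects a declared size of 0, and also rejects a declared size larger than the bytes actually present. The status names, the 2 MiB upper bound and the sample byte strings are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Parse results (names are this example's own, not libarchive's). */
enum { RAR5_HDR_OK = 0, RAR5_HDR_TRUNCATED = -1,
       RAR5_HDR_ZERO_SIZE = -2, RAR5_HDR_TOO_LARGE = -3 };

/* RAR5 vint: 7 data bits per byte, least significant group first;
 * a set high bit means another byte follows. */
static int read_vint(const uint8_t *p, size_t len, size_t *pos, uint64_t *out)
{
    uint64_t v = 0;
    for (unsigned shift = 0; shift < 64 && *pos < len; shift += 7) {
        uint8_t b = p[(*pos)++];
        v |= (uint64_t)(b & 0x7f) << shift;
        if (!(b & 0x80)) { *out = v; return 0; }
    }
    return -1; /* buffer ended mid-vint, or vint longer than 10 bytes */
}

/* Base block layout: 4-byte CRC32, then a vint header size, then hdr_size
 * bytes of body (type, flags, ...). Returns RAR5_HDR_OK or a negative reason;
 * on success *hdr_size and *body (offset of the body) are filled in. */
int parse_base_header(const uint8_t *buf, size_t len,
                      uint64_t *hdr_size, size_t *body)
{
    size_t pos = 4;              /* skip the CRC; it is verified elsewhere */
    if (len < 4) return RAR5_HDR_TRUNCATED;
    if (read_vint(buf, len, &pos, hdr_size) != 0) return RAR5_HDR_TRUNCATED;
    /* The check this PR introduces: a 0-byte header body cannot hold the
     * mandatory type and flags fields, so the file is rejected right here. */
    if (*hdr_size == 0) return RAR5_HDR_ZERO_SIZE;
    /* The 2 MiB cap is this example's assumption, not a format-defined limit. */
    if (*hdr_size > (uint64_t)2 * 1024 * 1024) return RAR5_HDR_TOO_LARGE;
    if (*hdr_size > len - pos) return RAR5_HDR_TRUNCATED;
    *body = pos;
    return RAR5_HDR_OK;
}

/* Constructed samples; the CRC bytes are dummies, not real checksums. */
static const uint8_t sample_zero_size[] = { 0xDE,0xAD,0xBE,0xEF, 0x00 };
static const uint8_t sample_valid[]     = { 0xDE,0xAD,0xBE,0xEF, 0x03, 0x01,0x00,0x00 };
static const uint8_t sample_truncated[] = { 0xDE,0xAD,0xBE,0xEF, 0x80,0x01, 0x01 };

int classify(const uint8_t *buf, size_t len)  /* status only, for quick checks */
{
    uint64_t size; size_t body;
    return parse_base_header(buf, len, &size, &body);
}
```

The third sample declares a 128-byte body (two-byte vint 0x80 0x01) with only one byte following, which the length check catches without ever touching the body.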
@mmatuska mmatuska merged commit 3c780fa into libarchive:master Feb 2, 2020
@travispaul commented

The assigned CVE is CVE-2020-9308
