diff options
Diffstat (limited to 'main/libarchive/CVE-2016-4302.patch')
-rw-r--r-- | main/libarchive/CVE-2016-4302.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/main/libarchive/CVE-2016-4302.patch b/main/libarchive/CVE-2016-4302.patch new file mode 100644 index 0000000000..4506afb0be --- /dev/null +++ b/main/libarchive/CVE-2016-4302.patch @@ -0,0 +1,32 @@ +From 05caadc7eedbef471ac9610809ba683f0c698700 Mon Sep 17 00:00:00 2001 +From: Tim Kientzle <kientzle@acm.org> +Date: Sun, 19 Jun 2016 14:21:42 -0700 +Subject: [PATCH] Issue 719: Fix for TALOS-CAN-154 + +A RAR file with an invalid zero dictionary size was not being +rejected, leading to a zero-sized allocation for the dictionary +storage which was then overwritten during the dictionary initialization. + +Thanks to the Open Source and Threat Intelligence project at Cisco for +reporting this. +--- + libarchive/archive_read_support_format_rar.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 6450aac..6c49f1a 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -2127,6 +2127,12 @@ parse_codes(struct archive_read *a) + rar->range_dec.Stream = &rar->bytein; + __archive_ppmd7_functions.Ppmd7_Construct(&rar->ppmd7_context); + ++ if (rar->dictionary_size == 0) { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Invalid zero dictionary size"); ++ return (ARCHIVE_FATAL); ++ } ++ + if (!__archive_ppmd7_functions.Ppmd7_Alloc(&rar->ppmd7_context, + rar->dictionary_size, &g_szalloc)) + { |