Cherry-pick commits from libarchive to vendor/libarchive

CTSRD-CHERI#2148 fix: OOB in rar delta filter (a1cb648d5) CTSRD-CHERI#2149 fix: OOB in rar audio filter (3006bc5d0) CTSRD-CHERI#2150 xar: Fix another infinite loop and expat error handling (b910cb70d) Obtained from: libarchive Libarchive commits: b910cb70d4c1b311c9d85cd536a6c91647c43df7 a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b
bsdjhb · Apr 29, 2024 · 51c823a · 51c823a
1 parent d6f77d3
commit 51c823a
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 3 deletions.
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
   {
     uint8_t lastbyte = 0;
     for (idx = i; idx < length; idx += numchannels)
+    {
+      /*
+       * The src block should not overlap with the dst block.
+       * If so it would be better to consider this archive is broken.
+       */
+      if (src >= dst)
+        return 0;
       lastbyte = dst[idx] = lastbyte - *src++;
+    }
   }
 
   filter->filteredblockaddress = length;
@@ -3714,6 +3722,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
     memset(&state, 0, sizeof(state));
     for (j = i; j < length; j += numchannels)
     {
+      /*
+       * The src block should not overlap with the dst block.
+       * If so it would be better to consider this archive is broken.
+       */
+      if (src >= dst)
+        return 0;
+
       int8_t delta = (int8_t)*src++;
       uint8_t predbyte, byte;
       int prederror;

diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
@@ -2055,9 +2055,10 @@ xml_start(struct archive_read *a, const char *name, struct xmlattr_list *list)
 			    attr = attr->next) {
 				if (strcmp(attr->name, "link") != 0)
 					continue;
-				if (xar->file->hdnext != NULL || xar->file->link != 0) {
+				if (xar->file->hdnext != NULL || xar->file->link != 0 ||
+				    xar->file == xar->hdlink_orgs) {
 					archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
-					    "File with multiple link targets");
+					    "File with multiple link attributes");
 					return (ARCHIVE_FATAL);
 				}
 				if (strcmp(attr->value, "original") == 0) {
@@ -3256,6 +3257,9 @@ expat_start_cb(void *userData, const XML_Char *name, const XML_Char **atts)
 	struct xmlattr_list list;
 	int r;
 
+	if (ud->state != ARCHIVE_OK)
+		return;
+
 	r = expat_xmlattr_setup(a, &list, atts);
 	if (r == ARCHIVE_OK)
 		r = xml_start(a, (const char *)name, &list);

diff --git a/libarchive/test/test_read_format_xar_doublelink.c b/libarchive/test/test_read_format_xar_doublelink.c
@@ -47,7 +47,7 @@ DEFINE_TEST(test_read_format_xar_doublelink)
 
 	assertA(ARCHIVE_FATAL == archive_read_next_header(a, &ae));
 	assertEqualString(archive_error_string(a),
-		"File with multiple link targets");
+		"File with multiple link attributes");
 	assert(archive_errno(a) != 0);
 
 	assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));