CVE-2026-4424.patch
From ec6707deeda82a585bac6ec2b8d64a8a5924c985 Mon Sep 17 00:00:00 2001
From: elhananhaenel <elhanan.haenel@mail.huji.ac.il>
Date: Sat, 7 Mar 2026 22:32:09 +0200
Subject: [PATCH 1/2] rar: fix LZSS window size mismatch after PPMd block
When a PPMd-compressed block updates dictionary_size, the LZSS window
from a prior block is not reallocated. The allocation guard only checks
if dictionary_size is zero or the window pointer is NULL, not whether
the existing window is large enough. This allows copy_from_lzss_window()
to read past the allocated buffer.
Fix the guard to also check whether the current window is undersized.
Add bounds checks in copy_from_lzss_window() and parse_filter() as
defense in depth.
---
libarchive/archive_read_support_format_rar.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index bb06f76..bc3f7d7 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -2503,7 +2503,8 @@ parse_codes(struct archive_read *a)
return (r);
}
- if (!rar->dictionary_size || !rar->lzss.window)
+ if (!rar->dictionary_size || !rar->lzss.window ||
+ (rar->lzss.mask + 1) < rar->dictionary_size)
{
/* Seems as though dictionary sizes are not used. Even so, minimize
* memory usage as much as possible.
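Review bot: The new size condition on the guard has no comment saying why a non-NULL window can still be too small, and the surviving comment two lines below ("Seems as though dictionary sizes are not used") now reads as contradicting a guard that does use dictionary_size. I would add above the `if`: `/* A later (PPMd) block may have raised dictionary_size after the window was allocated for a smaller one; treat an undersized window like a missing one. */`. The reallocation that follows is outside the hunk; it has to update `rar->lzss.mask` together with the buffer, otherwise this guard will fire on every call. parse_codes continues past the hunk on both sides.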
@@ -3104,6 +3105,11 @@ copy_from_lzss_window(struct archive_read *a, uint8_t *buffer,
windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
firstpart = lzss_size(&rar->lzss) - windowoffs;
+ if (length > lzss_size(&rar->lzss)) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Bad RAR file data");
+ return (ARCHIVE_FATAL);
+ }
if (firstpart < 0) {
archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
"Bad RAR file data");
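Review bot: The added `length > lzss_size(...)` check duplicates the error path of the `firstpart < 0` branch immediately below it, with the same errno and message. Assuming that branch also ends in `return (ARCHIVE_FATAL)` (its tail is outside the hunk), the two can be one condition, `if (length > lzss_size(&rar->lzss) || firstpart < 0) {`, which keeps a single "bad data" exit in this function. If `length` is signed, a negative value passes this check; I cannot tell from the hunk whether callers guarantee it is non-negative, so that is worth confirming. copy_from_lzss_window starts before and continues after the hunk.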
@@ -3266,7 +3272,8 @@ parse_filter(struct archive_read *a, const uint8_t *bytes, uint16_t length, uint
else
blocklength = prog ? prog->oldfilterlength : 0;
- if (blocklength > rar->dictionary_size)
+ if (blocklength > rar->dictionary_size ||
+ blocklength > (uint32_t)(rar->lzss.mask + 1))
return 0;
registers[3] = PROGRAM_SYSTEM_GLOBAL_ADDRESS;
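Review bot: The second clause bounds blocklength by the actual window size rather than the declared dictionary size, but nothing in the code says why both checks are needed once the parse_codes guard keeps the window at least dictionary_size. A short comment would stop a later cleanup from folding it away: `/* Also bound by the real window; dictionary_size alone is not enough if the window was sized earlier (defense in depth). */`. The cast here is `(uint32_t)` while the matching expression in parse_codes ends up as `(unsigned int)` in the follow-up patch; one spelling for the same quantity would be easier to grep. parse_filter continues outside the hunk.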
--
2.45.4
From 5fc14fd997dea3838ed49005b6e03241cb82f390 Mon Sep 17 00:00:00 2001
From: elhananhaenel <elhanan.haenel@mail.huji.ac.il>
Date: Sun, 8 Mar 2026 15:29:46 +0200
Subject: [PATCH 2/2] Fix -Wsign-compare: cast mask+1 to unsigned int
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/libarchive/libarchive/commit/762b30011a932c6ab988fd8664899a07eb6b7657.patch
---
libarchive/archive_read_support_format_rar.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index bc3f7d7..ee02cf9 100644
--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -2504,7 +2504,7 @@ parse_codes(struct archive_read *a)
}
if (!rar->dictionary_size || !rar->lzss.window ||
- (rar->lzss.mask + 1) < rar->dictionary_size)
+ (unsigned int)(rar->lzss.mask + 1) < rar->dictionary_size)
{
/* Seems as though dictionary sizes are not used. Even so, minimize
* memory usage as much as possible.
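Review bot: The cast added here is `(unsigned int)`, whereas the same `rar->lzss.mask + 1` expression in parse_filter (patch 1, third hunk) is cast to `(uint32_t)`; the two should use the same type so a reader does not wonder whether they differ on purpose, e.g. `(uint32_t)(rar->lzss.mask + 1) < rar->dictionary_size)`. Casting after the addition means `mask + 1` is still evaluated in mask's own type; if mask is a signed int that is fine for RAR's window sizes, but a comment or a cast of `mask` itself would make that intent explicit. parse_codes continues outside the hunk.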
--
2.45.4