Browse code
100.1 - rar - reverting and fixing issues found with changes found to rar extraction during regression.
Mickey Sola authored on 2018/06/07 22:58:04Showing 2 changed files
| ... | ... |
@@ -669,11 +669,7 @@ static int add_vm_code(unpack_data_t *unpack_data, unsigned int first_byte, |
| 669 | 669 |
return FALSE; |
| 670 | 670 |
} |
| 671 | 671 |
for (i=0 ; i < (size_t) vm_codesize ; i++) {
|
| 672 |
- if ((rarvm_input.in_addr + 2) < rarvm_input.buf_size) {
|
|
| 673 |
- vm_code[i] = rarvm_getbits(&rarvm_input) >> 8; |
|
| 674 |
- } else {
|
|
| 675 |
- vm_code[i] = 0; |
|
| 676 |
- } |
|
| 672 |
+ vm_code[i] = rarvm_getbits(&rarvm_input) >> 8; |
|
| 677 | 673 |
rarvm_addbits(&rarvm_input, 8); |
| 678 | 674 |
} |
| 679 | 675 |
if(!rarvm_prepare(&unpack_data->rarvm_data, &rarvm_input, &vm_code[0], (int) vm_codesize, &filter->prg)) {
|
| ... | ... |
@@ -837,6 +833,8 @@ void rar_unpack_init_data(int solid, unpack_data_t *unpack_data) |
| 837 | 837 |
unpack_data->old_dist_ptr= 0; |
| 838 | 838 |
memset(unpack_data->unp_old_table, 0, sizeof(unpack_data->unp_old_table)); |
| 839 | 839 |
memset(&unpack_data->LDD, 0, sizeof(unpack_data->LDD)); |
| 840 |
+ memset(&unpack_data->LD, 0, sizeof(unpack_data->LD)); |
|
| 841 |
+ memset(&unpack_data->DD, 0, sizeof(unpack_data->DD)); |
|
| 840 | 842 |
memset(&unpack_data->RD, 0, sizeof(unpack_data->RD)); |
| 841 | 843 |
memset(&unpack_data->BD, 0, sizeof(unpack_data->BD)); |
| 842 | 844 |
unpack_data->last_dist= 0; |
| ... | ... |
@@ -847,8 +845,6 @@ void rar_unpack_init_data(int solid, unpack_data_t *unpack_data) |
| 847 | 847 |
unpack_data->unp_block_type = BLOCK_LZ; |
| 848 | 848 |
rar_init_filters(unpack_data); |
| 849 | 849 |
} |
| 850 |
- memset(&unpack_data->LD, 0, sizeof(unpack_data->LD)); |
|
| 851 |
- memset(&unpack_data->DD, 0, sizeof(unpack_data->DD)); |
|
| 852 | 850 |
unpack_data->in_bit = 0; |
| 853 | 851 |
unpack_data->in_addr = 0; |
| 854 | 852 |
unpack_data->read_top = 0; |
| ... | ... |
@@ -341,13 +341,26 @@ int rar_unpack20(int fd, int solid, unpack_data_t *unpack_data) |
| 341 | 341 |
continue; |
| 342 | 342 |
} |
| 343 | 343 |
if (number > 269) {
|
| 344 |
- length = ldecode[number-=270]+3; |
|
| 344 |
+ /* If number is higher or equal to 298 in this instance something has likely |
|
| 345 |
+ * gone horribly wrong and/or this is a RAR 5 file that Clam does not yet |
|
| 346 |
+ * support parsing. Either way, this is a total failure case. */ |
|
| 347 |
+ if (number < 298) {
|
|
| 348 |
+ length = ldecode[number-=270]+3; |
|
| 349 |
+ } else {
|
|
| 350 |
+ retval = FALSE; |
|
| 351 |
+ break; |
|
| 352 |
+ } |
|
| 353 |
+ |
|
| 345 | 354 |
if ((bits = lbits[number]) > 0) {
|
| 346 | 355 |
length += rar_getbits(unpack_data) >> (16-bits); |
| 347 | 356 |
rar_addbits(unpack_data, bits); |
| 348 | 357 |
} |
| 349 | 358 |
|
| 350 | 359 |
dist_number = rar_decode_number(unpack_data, (struct Decode *)&unpack_data->DD); |
| 360 |
+ if (dist_number > 47 || dist_number < 0) {
|
|
| 361 |
+ retval = FALSE; |
|
| 362 |
+ break; |
|
| 363 |
+ } |
|
| 351 | 364 |
distance = ddecode[dist_number] + 1; |
| 352 | 365 |
if ((bits = dbits[dist_number]) > 0) {
|
| 353 | 366 |
distance += rar_getbits(unpack_data)>>(16-bits); |