@@ -669,11 +669,7 @@ static int add_vm_code(unpack_data_t *unpack_data, unsigned int first_byte, |
669 | 669 |
return FALSE; |
670 | 670 |
} |
671 | 671 |
for (i=0 ; i < (size_t) vm_codesize ; i++) { |
672 |
- if ((rarvm_input.in_addr + 2) < rarvm_input.buf_size) { |
|
673 |
- vm_code[i] = rarvm_getbits(&rarvm_input) >> 8; |
|
674 |
- } else { |
|
675 |
- vm_code[i] = 0; |
|
676 |
- } |
|
672 |
+ vm_code[i] = rarvm_getbits(&rarvm_input) >> 8; |
|
677 | 673 |
rarvm_addbits(&rarvm_input, 8); |
678 | 674 |
} |
679 | 675 |
if(!rarvm_prepare(&unpack_data->rarvm_data, &rarvm_input, &vm_code[0], (int) vm_codesize, &filter->prg)) { |
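Review bot: Removing the `in_addr + 2 < buf_size` guard at old line 672 makes the safety of the read in `vm_code[i] = rarvm_getbits(&rarvm_input) >> 8;` depend entirely on rarvm_getbits() bounds-checking in_addr against buf_size itself, and that function is not in this hunk, so it cannot be confirmed here. rarvm_addbits(&rarvm_input, 8) on the next line still advances in_addr every iteration regardless of buf_size, so once the input is exhausted in_addr keeps growing past the buffer and anything that later reads rarvm_input (rarvm_prepare is handed it directly) has to tolerate that; if rarvm_getbits() does not clamp, this reintroduces the over-read the deleted check prevented. A one-line note above the loop would record the invariant the removal relies on: `/* NOTE: relies on rarvm_getbits() bounding its read by buf_size; the per-iteration guard was removed here */`. add_vm_code's body starts and ends outside the hunk.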
@@ -837,6 +833,8 @@ void rar_unpack_init_data(int solid, unpack_data_t *unpack_data) |
837 | 837 |
unpack_data->old_dist_ptr= 0; |
838 | 838 |
memset(unpack_data->unp_old_table, 0, sizeof(unpack_data->unp_old_table)); |
839 | 839 |
memset(&unpack_data->LDD, 0, sizeof(unpack_data->LDD)); |
840 |
+ memset(&unpack_data->LD, 0, sizeof(unpack_data->LD)); |
|
841 |
+ memset(&unpack_data->DD, 0, sizeof(unpack_data->DD)); |
|
840 | 842 |
memset(&unpack_data->RD, 0, sizeof(unpack_data->RD)); |
841 | 843 |
memset(&unpack_data->BD, 0, sizeof(unpack_data->BD)); |
842 | 844 |
unpack_data->last_dist= 0; |
@@ -847,8 +845,6 @@ void rar_unpack_init_data(int solid, unpack_data_t *unpack_data) |
847 | 847 |
unpack_data->unp_block_type = BLOCK_LZ; |
848 | 848 |
rar_init_filters(unpack_data); |
849 | 849 |
} |
850 |
- memset(&unpack_data->LD, 0, sizeof(unpack_data->LD)); |
|
851 |
- memset(&unpack_data->DD, 0, sizeof(unpack_data->DD)); |
|
852 | 850 |
unpack_data->in_bit = 0; |
853 | 851 |
unpack_data->in_addr = 0; |
854 | 852 |
unpack_data->read_top = 0; |
@@ -341,13 +341,26 @@ int rar_unpack20(int fd, int solid, unpack_data_t *unpack_data) |
341 | 341 |
continue; |
342 | 342 |
} |
343 | 343 |
if (number > 269) { |
344 |
- length = ldecode[number-=270]+3; |
|
344 |
+ /* If number is higher or equal to 298 in this instance something has likely |
|
345 |
+ * gone horribly wrong and/or this is a RAR 5 file that Clam does not yet |
|
346 |
+ * support parsing. Either way, this is a total failure case. */ |
|
347 |
+ if (number < 298) { |
|
348 |
+ length = ldecode[number-=270]+3; |
|
349 |
+ } else { |
|
350 |
+ retval = FALSE; |
|
351 |
+ break; |
|
352 |
+ } |
|
353 |
+ |
|
345 | 354 |
if ((bits = lbits[number]) > 0) { |
346 | 355 |
length += rar_getbits(unpack_data) >> (16-bits); |
347 | 356 |
rar_addbits(unpack_data, bits); |
348 | 357 |
} |
349 | 358 |
|
350 | 359 |
dist_number = rar_decode_number(unpack_data, (struct Decode *)&unpack_data->DD); |
360 |
+ if (dist_number > 47 || dist_number < 0) { |
|
361 |
+ retval = FALSE; |
|
362 |
+ break; |
|
363 |
+ } |
|
351 | 364 |
distance = ddecode[dist_number] + 1; |
352 | 365 |
if ((bits = dbits[dist_number]) > 0) { |
353 | 366 |
distance += rar_getbits(unpack_data)>>(16-bits); |