From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
From: Wei-Cheng Pan <legnaleurc@gmail.com>
Date: Mon, 29 Apr 2024 06:53:19 +0900
Subject: [PATCH] fix: OOB in rar audio filter (#2149)
This patch ensures that `src` won't move ahead of `dst`, so `src` will
not read out of bounds. This is similar to the situation in a1cb648.
---
libarchive/archive_read_support_format_rar.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
index 619ee81e2..4fc6626ca 100644
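--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
@@ -3722,6 +3722,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
 memset(&state, 0, sizeof(state));
 for (j = i; j < length; j += numchannels)
 {
+ /*
+ * The src block should not overlap with the dst block.
+ * If so it would be better to consider this archive is broken.
+ */
+ if (src >= dst)
+ return 0;
+
 int8_t delta = (int8_t)*src++;
 uint8_t predbyte, byte;
 int prederror;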
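Review bot: The new guard `if (src >= dst) return 0;` exits in the middle of the channel loop without recording why, and nothing in the hunk shows what a 0 return means to the caller of execute_filter_audio or that `src` and `dst` are derived from the same buffer, which a relational pointer comparison requires to be well defined. I would make the comment state the invariant and the outcome, e.g. `/* src is the read cursor and must stay below dst; reaching dst means the filter parameters are inconsistent, so fail the filter. */`, once the return convention is confirmed. The diffstat lists a single source file, so the malformed input from #2149 is not kept as a regression test; adding one would protect the check against later refactoring. The function begins and ends outside the hunk, so the initialisation of `src` and `dst` and the write through `dst` are not reviewed here.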