c118cad477
- Added patches: * CVE-2018-1000877.patch, which fixes a double free vulnerability in RAR decoder (CVE-2018-1000877 bsc#1120653) * CVE-2018-1000878.patch, which fixes a Use-After-Free vulnerability in RAR decoder (CVE-2018-1000878 bsc#1120654) * CVE-2018-1000879.patch, which fixes a NULL Pointer Dereference vulnerability in ACL parser (CVE-2018-1000879 bsc#1120656) * CVE-2018-1000880.patch, which fixes an improper input validation vulnerability in WARC parser (CVE-2018-1000880 bsc#1120659) - Make use of %license macro - Applied spec-cleaner OBS-URL: https://build.opensuse.org/request/show/662692 OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=80
38 lines
1.4 KiB
Diff
38 lines
1.4 KiB
Diff
From 9c84b7426660c09c18cc349f6d70b5f8168b5680 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Axtens <dja@axtens.net>
|
|
Date: Tue, 4 Dec 2018 16:33:42 +1100
|
|
Subject: [PATCH] warc: consume data once read
|
|
|
|
The warc decoder only used read ahead, it wouldn't actually consume
|
|
data that had previously been printed. This means that if you specify
|
|
an invalid content length, it will just reprint the same data over
|
|
and over and over again until it hits the desired length.
|
|
|
|
This means that a WARC resource with e.g.
|
|
Content-Length: 666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666665
|
|
but only a few hundred bytes of data, causes a quasi-infinite loop.
|
|
|
|
Consume data in subsequent calls to _warc_read.
|
|
|
|
Found with an AFL + afl-rb + qsym setup.
|
|
---
|
|
libarchive/archive_read_support_format_warc.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c
|
|
index e8753853f..e8fc8428b 100644
|
|
--- a/libarchive/archive_read_support_format_warc.c
|
|
+++ b/libarchive/archive_read_support_format_warc.c
|
|
@@ -386,6 +386,11 @@ _warc_read(struct archive_read *a, const void **buf, size_t *bsz, int64_t *off)
|
|
return (ARCHIVE_EOF);
|
|
}
|
|
|
|
+ if (w->unconsumed) {
|
|
+ __archive_read_consume(a, w->unconsumed);
|
|
+ w->unconsumed = 0U;
|
|
+ }
|
|
+
|
|
rab = __archive_read_ahead(a, 1U, &nrd);
|
|
if (nrd < 0) {
|
|
*bsz = 0U;
|