aboutsummaryrefslogtreecommitdiffstats
path: root/main/libarchive/CVE-2017-5601.patch
blob: 44d5e1779f2b6927a852519dd739c30f0b3ba704 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Source:
https://github.com/libarchive/libarchive/commit/98dcbbf0bf4854bf987557e55e55fff7abbf3ea9

commit 98dcbbf0bf4854bf987557e55e55fff7abbf3ea9
Author: Martin Matuska <martin@matuska.org>
Date:   Thu Jan 19 22:00:18 2017 +0100

    Fail with negative lha->compsize in lha_read_file_header_1()
    Fixes a heap buffer overflow reported in Secunia SA74169

diff --git a/libarchive/archive_read_support_format_lha.c b/libarchive/archive_read_support_format_lha.c
index 52a5531b..d77a7c2e 100644
--- a/libarchive/archive_read_support_format_lha.c
+++ b/libarchive/archive_read_support_format_lha.c
@@ -924,6 +924,9 @@ lha_read_file_header_1(struct archive_read *a, struct lha *lha)
 	/* Get a real compressed file size. */
 	lha->compsize -= extdsize - 2;
 
+	if (lha->compsize < 0)
+		goto invalid;	/* Invalid compressed file size */
+
 	if (sum_calculated != headersum) {
 		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
 		    "LHa header sum error");