| Commit message (Collapse) | Author | Age | Files | Lines |
GCC8 tries to diagnose `snprintf()` overflows but isn't quite
smart enough for this case, so emits a false-positive warning.
Remember that `%12s` only specifies the minimum number of bytes. GCC8
conservatively assumes this might result in writing the full length of
`date2`. (Which will never be longer than 12 bytes, but GCC8
apparently can't reason about `strftime` format specifiers yet.)
Changing the specifier here to `%12.12s` explicitly truncates to 12
bytes and should help the compiler understand that this will never
overflow.
While I'm here, correct a minor typo in the previous line; it used
`sizeof(date)` instead of `sizeof(date2)`. (Both are the same
size, so this had no functional impact.)
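As an added illustration of the width-versus-precision point made in this message (constructed example, not libarchive's code; the 13-byte buffer, the date format and the timestamp are assumptions):

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed example, not libarchive code: "%12s" pads to at least 12
 * bytes but copies the whole source string, so the bytes written depend on
 * the source; "%12.12s" also caps the copy at 12 bytes, which is why the
 * commit's change lets the compiler prove the destination cannot overflow. */

/* Both return the length snprintf wanted to write (excluding the NUL);
 * a value larger than outlen - 1 means snprintf had to truncate. */
int fmt_width_only(char *out, size_t outlen, const char *s)
{
    return snprintf(out, outlen, "%12s", s);
}

int fmt_width_and_precision(char *out, size_t outlen, const char *s)
{
    return snprintf(out, outlen, "%12.12s", s);
}

/* Stand-in for the commit's `date2`: a date that is always exactly 12
 * bytes wide ("%b %e  %Y" gives e.g. "Jan  1  2019"). The timestamp is
 * constructed so the output is deterministic in the C locale. */
int format_date12(char *date2, size_t date2len)
{
    struct tm tm;

    memset(&tm, 0, sizeof(tm));
    tm.tm_year = 2019 - 1900;   /* constructed: 1 January 2019 */
    tm.tm_mon = 0;
    tm.tm_mday = 1;
    return (int)strftime(date2, date2len, "%b %e  %Y", &tm);
}
```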
Fix various crash, memory corruption and infinite loop conditions
The warc decoder only used read ahead; it wouldn't actually consume
data that had previously been printed. This means that if you specify
an invalid content length, it will just reprint the same data over
and over and over again until it hits the desired length.
This means that a WARC resource with e.g.
Content-Length: 666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666665
but only a few hundred bytes of data causes a quasi-infinite loop.
Consume data in subsequent calls to _warc_read.
Found with an AFL + afl-rb + qsym setup.
Currently, it is possible to create an archive that crashes bsdtar
with a malformed ACL:

    Program received signal SIGSEGV, Segmentation fault.
    archive_acl_from_text_l (acl=<optimised out>, text=0x7e2e92 "", want_type=<optimised out>, sc=<optimised out>) at libarchive/archive_acl.c:1726
    1726 switch (*s) {
    (gdb) p n
    $1 = 1
    (gdb) p field[n]
    $2 = {start = 0x0, end = 0x0}

Stop this by checking that the length is not zero before beginning
the switch statement.
I am pretty sure this is the bug mentioned in the qsym paper [1],
and I was able to replicate it with a qsym + AFL + afl-rb setup.
[1] https://www.usenix.org/conference/usenixsecurity18/presentation/yun
Fuzzing uncovered some UAF and memory overrun bugs where a file in a
single file archive reported that it was split across multiple
volumes. This was caused by ppmd7 operations calling
rar_br_fillup. This would invoke rar_read_ahead, which would in some
situations invoke archive_read_format_rar_read_header. That would
check the new file name against the old file name, and if they didn't
match up it would free the ppmd7 buffer and allocate a new
one. However, because the ppmd7 decoder wasn't actually done with the
buffer, it would continue to use the freed buffer. Both reads and
writes to the freed region can be observed.
This is quite tricky to solve: once the buffer has been freed it is
too late, as the ppmd7 decoder functions almost universally assume
success - there's no way for ppmd_read to signal error, nor are there
good ways for functions like Range_Normalise to propagate them. So we
can't detect after the fact that we're in an invalid state (e.g. by
checking rar->cursor); we have to prevent ourselves from ever ending up
there. So, when we are in the dangerous part of rar_read_ahead that
assumes a valid split, we set a flag to force read_header to either go
down the path for split files or bail. This means that the ppmd7
decoder keeps a valid buffer and just runs out of data.
Found with a combination of AFL, afl-rb and qsym.
new_size can be 0 with a malicious or corrupted RAR archive.
realloc(area, 0) is equivalent to free(area), so the region would
be free()d here and then free()d again in the cleanup function.
Found with a setup running AFL, afl-rb, and qsym.
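An added example, not libarchive's code, of the guard this message calls for: reject a zero size before it reaches realloc() so the cleanup path only ever sees a single owner (the struct, the sizes and the function names are assumptions):

```c
#include <stdlib.h>

/* Constructed example, not libarchive code. On glibc, realloc(p, 0) frees p
 * and returns NULL, so the usual "tmp = realloc(p, n); if (!tmp) fail;"
 * leaves p dangling and a later cleanup free()s it a second time. */

struct area {
    unsigned char *buf;
    size_t size;
};

/* Hardened resize: a zero size from a header is rejected as corrupt input
 * before realloc() sees it, so `a` is either resized or left exactly as it
 * was. Returns 0 on success, -1 on error. */
int area_resize(struct area *a, size_t new_size)
{
    unsigned char *tmp;
    if (new_size == 0)      /* realloc(buf, 0) could free buf behind our back */
        return -1;
    tmp = realloc(a->buf, new_size);
    if (tmp == NULL)        /* a->buf is untouched and still ours */
        return -1;
    a->buf = tmp;
    a->size = new_size;
    return 0;
}

/* Cleanup that runs on every path; safe only because area_resize() never
 * leaves a->buf freed but non-NULL. */
void area_free(struct area *a)
{
    free(a->buf);
    a->buf = NULL;
    a->size = 0;
}

/* Feed two constructed header sizes, a sane one and a corrupted zero.
 * Returns how many were rejected; the buffer is freed exactly once. */
int simulate_headers(void)
{
    struct area a = { NULL, 0 };
    int rejected = 0;
    if (area_resize(&a, 64) != 0)
        return -1;
    if (area_resize(&a, 0) != 0)   /* the corrupted size */
        rejected++;
    area_free(&a);                 /* single owner, single free */
    return rejected;
}
```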
RAR5 reader: removed an unused function: bf_is_last_block
Also added a comment that will allow this function to be easily re-added
in case it is needed.
RAR5 reader: fixed big-endian problems
The reader assumed it was running on a little-endian machine. The commit changes
direct memory reads to archive_le* function calls, which should allow
the reader to run on big-endian machines as well.
Changes were needed in the reader itself and in the file holding the
reader's test cases.
The commit also removes 1 warning encountered when compiling under GCC
8 on the PowerPC architecture.
Fixes #1097
CMake: check libgnu for xattr functions on Haiku
If extended attributes or HFS compression are to be extracted as non root, create files owner-writable first.
No overall change to the code path when root; when not root, ensure
created files are initially user writable if we need to do XATTRs or HFS
compression. Mode is fixed later to the desired final mode in this case.
Net of one extra syscall per file to fix the mode at the end only when
all of these are true:
* Not root
* Final mode is not owner-writable
* XATTRs or HFS compression are needed.
These changes make it unexpectedly pass the xattr test on FreeBSD.
For non-root users, set xattr first. For root users (who might be
setting security xattrs liable to clear with mode) set mode first.
Certainly needs testing on other platforms, but hits the cases I've
identified so far on Darwin.
Setting the mode on Darwin does not clear xattrs, but xattrs cannot be
set by a non-root user if the mode is not writable. Perform xattrs first
and then mode in _archive_write_disk_finish_entry() on Darwin. Darwin
ACLs are handled later.
Prior change handled --hfsCompression-specific xattrs; this catches
any other (encoded in the archive) attributes.
Keeps TODO_MODE around if final_mode isn't owner writable, but lets
fsetxattr() succeed for non-root users. (Required for HFS+ compression.)
reset CMAKE_REQUIRED_LIBRARIES before checking system headers
This fixes this CMake warning with CMake 3.12 and newer:

    CMake Warning (dev) at /usr/share/cmake/Modules/CheckIncludeFiles.cmake:110 (message):
      Policy CMP0075 is not set: Include file check macros honor
      CMAKE_REQUIRED_LIBRARIES. Run "cmake --help-policy CMP0075" for policy
      details. Use the cmake_policy command to set the policy and suppress this
      warning.
      CMAKE_REQUIRED_LIBRARIES is set to:
        /usr/lib/liblzma.so
      For compatibility with CMake 3.11 and below this check is ignoring it.
    Call Stack (most recent call first):
      CMakeLists.txt:602 (CHECK_INCLUDE_FILES)
      CMakeLists.txt:609 (LA_CHECK_INCLUDE_FILE)
tests: fix compile error with -Wshadow on older gcc releases
Older gcc releases also warn when a local variable has the name of a global
function, like this output from gcc 4.6:

    test_read_format_rar5.c:93:23: error: declaration of 'read' shadows a global declaration [-Werror=shadow]
Fixes #1096
Per Coverity report.
During archiving, if some of the "delayed" hard link entries
happened to disappear from the filesystem (or become unreadable) for
some reason (most probably a race), the old code free()d the 'entry'
and continued with the loop; the next iteration, though, dereferenced
'entry' and crashed the archiver.
Per report from Coverity.
RAR5 reader bugfixes
- Fixed a bug during a block-by-block reading loop. Added a test that
checks for the existence of this bug.
- Fixed 2 unlimited loops encountered when unpacking corrupted data.
- Removed some 'maybe uninitialized' warnings.
Spelling fixes
Sponsored by: Tarsnap Backup Inc.
Sponsored by: Tarsnap Backup Inc.
RAR5 reader: Added missing config.h entries for libb2
Symbols added: HAVE_LIBB2, HAVE_BLAKE2_H
RAR5 reader sources expect those symbols to be defined when using system
libb2, but the symbols were missing. This commit fixes that.
- "index" shadows a global declaration on powerpc(64), mips(64) and sparc64
- avoid uninitialized size_t on riscv64
Fixes #1013
Fixes #998
Don't default XAR entry atime/mtime to the current time
The BLAKE2 source files are multi-licensed with the ability to choose
between CC0 1.0 Universal, OpenSSL or Apache 2.0 licenses. For libarchive
the CC0 1.0 Universal Public Domain Dedication should be acceptable.
Support for extraction of RAR v5 archives