
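--- a/p7zip/files/patch-CVE-2018-10115
+++ b/p7zip/files/patch-CVE-2018-10115
@@ -0,0 +1,311 @@
+From: Robert Luberda <robert@debian.org>
+Date: Tue, 29 May 2018 23:59:09 +0200
+Subject: Fix CVE-2018-10115
+
+Apply "patch" taken from https://landave.io/files/patch_7zip_CVE-2018-10115.txt
+
+
+Bugs-Debian: https://bugs.debian.org/897674
+---
+ CPP/7zip/Compress/Rar1Decoder.cpp | 16 +++++++++++-----
+ CPP/7zip/Compress/Rar1Decoder.h   |  3 ++-
+ CPP/7zip/Compress/Rar2Decoder.cpp | 17 +++++++++++++----
+ CPP/7zip/Compress/Rar2Decoder.h   |  3 ++-
+ CPP/7zip/Compress/Rar3Decoder.cpp | 19 +++++++++++++++----
+ CPP/7zip/Compress/Rar3Decoder.h   |  3 ++-
+ CPP/7zip/Compress/Rar5Decoder.cpp |  8 ++++++++
+ CPP/7zip/Compress/Rar5Decoder.h   |  1 +
+ 8 files changed, 54 insertions(+), 16 deletions(-)
+
+diff --git CPP/7zip/Compress/Rar1Decoder.cpp CPP/7zip/Compress/Rar1Decoder.cpp
+index 68030c7..8c890c8 100644
+--- CPP/7zip/Compress/Rar1Decoder.cpp
++++ CPP/7zip/Compress/Rar1Decoder.cpp
+@@ -29,7 +29,7 @@ public:
+ };
+ */
+ 
+-CDecoder::CDecoder(): m_IsSolid(false), _errorMode(false) { }
++CDecoder::CDecoder(): _isSolid(false), _solidAllowed(false), _errorMode(false) { }
+ 
+ void CDecoder::InitStructures()
+ {
+@@ -345,7 +345,7 @@ void CDecoder::GetFlagsBuf()
+ 
+ void CDecoder::InitData()
+ {
+-  if (!m_IsSolid)
++  if (!_isSolid)
+   {
+     AvrPlcB = AvrLn1 = AvrLn2 = AvrLn3 = NumHuf = Buf60 = 0;
+     AvrPlc = 0x3500;
+@@ -391,6 +391,11 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
+   if (inSize == NULL || outSize == NULL)
+     return E_INVALIDARG;
+ 
++  if (_isSolid && !_solidAllowed)
++    return S_FALSE;
++
++  _solidAllowed = false;
++
+   if (!m_OutWindowStream.Create(kHistorySize))
+     return E_OUTOFMEMORY;
+   if (!m_InBitStream.Create(1 << 20))
+@@ -398,13 +403,13 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
+ 
+   m_UnpackSize = (Int64)*outSize;
+   m_OutWindowStream.SetStream(outStream);
+-  m_OutWindowStream.Init(m_IsSolid);
++  m_OutWindowStream.Init(_isSolid);
+   m_InBitStream.SetStream(inStream);
+   m_InBitStream.Init();
+ 
+   // CCoderReleaser coderReleaser(this);
+   InitData();
+-  if (!m_IsSolid)
++  if (!_isSolid)
+   {
+     _errorMode = false;
+     InitStructures();
+@@ -475,6 +480,7 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
+   }
+   if (m_UnpackSize < 0)
+     return S_FALSE;
++  _solidAllowed = true;
+   return m_OutWindowStream.Flush();
+ }
+ 
+@@ -491,7 +497,7 @@ STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size)
+ {
+   if (size < 1)
+     return E_INVALIDARG;
+-  m_IsSolid = ((data[0] & 1) != 0);
++  _isSolid = ((data[0] & 1) != 0);
+   return S_OK;
+ }
+ 
+diff --git CPP/7zip/Compress/Rar1Decoder.h CPP/7zip/Compress/Rar1Decoder.h
+index 01b606b..8abb3a3 100644
+--- CPP/7zip/Compress/Rar1Decoder.h
++++ CPP/7zip/Compress/Rar1Decoder.h
+@@ -38,7 +38,8 @@ public:
+   UInt32 LastLength;
+ 
+   Int64 m_UnpackSize;
+-  bool m_IsSolid;
++  bool _isSolid;
++  bool _solidAllowed;
+   bool _errorMode;
+ 
+   UInt32 ReadBits(int numBits);
+diff --git CPP/7zip/Compress/Rar2Decoder.cpp CPP/7zip/Compress/Rar2Decoder.cpp
+index 0580c8d..be8d842 100644
+--- CPP/7zip/Compress/Rar2Decoder.cpp
++++ CPP/7zip/Compress/Rar2Decoder.cpp
+@@ -80,7 +80,8 @@ static const UInt32 kHistorySize = 1 << 20;
+ static const UInt32 kWindowReservSize = (1 << 22) + 256;
+ 
+ CDecoder::CDecoder():
+-  m_IsSolid(false),
++  _isSolid(false),
++  _solidAllowed(false),
+   m_TablesOK(false)
+ {
+ }
+@@ -320,6 +321,10 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
+   if (inSize == NULL || outSize == NULL)
+     return E_INVALIDARG;
+ 
++  if (_isSolid && !_solidAllowed)
++    return S_FALSE;
++  _solidAllowed = false;
++
+   if (!m_OutWindowStream.Create(kHistorySize))
+     return E_OUTOFMEMORY;
+   if (!m_InBitStream.Create(1 << 20))
+@@ -330,12 +335,12 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
+   UInt64 pos = 0, unPackSize = *outSize;
+   
+   m_OutWindowStream.SetStream(outStream);
+-  m_OutWindowStream.Init(m_IsSolid);
++  m_OutWindowStream.Init(_isSolid);
+   m_InBitStream.SetStream(inStream);
+   m_InBitStream.Init();
+ 
+   // CCoderReleaser coderReleaser(this);
+-  if (!m_IsSolid)
++  if (!_isSolid)
+   {
+     InitStructures();
+     if (unPackSize == 0)
+@@ -343,6 +348,7 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
+       if (m_InBitStream.GetProcessedSize() + 2 <= m_PackSize) // test it: probably incorrect;
+         if (!ReadTables())
+           return S_FALSE;
++      _solidAllowed = true;
+       return S_OK;
+     }
+     if (!ReadTables())
+@@ -386,6 +392,9 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
+ 
+   if (!ReadLastTables())
+     return S_FALSE;
++
++  _solidAllowed = true;
++
+   return m_OutWindowStream.Flush();
+ }
+ 
+@@ -402,7 +411,7 @@ STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size)
+ {
+   if (size < 1)
+     return E_INVALIDARG;
+-  m_IsSolid = ((data[0] & 1) != 0);
++  _isSolid = ((data[0] & 1) != 0);
+   return S_OK;
+ }
+ 
+diff --git CPP/7zip/Compress/Rar2Decoder.h CPP/7zip/Compress/Rar2Decoder.h
+index 0e9005f..370bce2 100644
+--- CPP/7zip/Compress/Rar2Decoder.h
++++ CPP/7zip/Compress/Rar2Decoder.h
+@@ -138,7 +138,8 @@ class CDecoder :
+   Byte m_LastLevels[kMaxTableSize];
+ 
+   UInt64 m_PackSize;
+-  bool m_IsSolid;
++  bool _isSolid;
++  bool _solidAllowed;
+   bool m_TablesOK;
+ 
+   void InitStructures();
+diff --git CPP/7zip/Compress/Rar3Decoder.cpp CPP/7zip/Compress/Rar3Decoder.cpp
+index 6cb8a6a..7b85833 100644
+--- CPP/7zip/Compress/Rar3Decoder.cpp
++++ CPP/7zip/Compress/Rar3Decoder.cpp
+@@ -92,7 +92,8 @@ CDecoder::CDecoder():
+   _writtenFileSize(0),
+   _vmData(0),
+   _vmCode(0),
+-  m_IsSolid(false),
++  _isSolid(false),
++  _solidAllowed(false),
+   _errorMode(false)
+ {
+   Ppmd7_Construct(&_ppmd);
+@@ -821,7 +822,7 @@ HRESULT CDecoder::CodeReal(ICompressProgressInfo *progress)
+ {
+   _writtenFileSize = 0;
+   _unsupportedFilter = false;
+-  if (!m_IsSolid)
++  if (!_isSolid)
+   {
+     _lzSize = 0;
+     _winPos = 0;
+@@ -840,12 +841,15 @@ HRESULT CDecoder::CodeReal(ICompressProgressInfo *progress)
+   if (_errorMode)
+     return S_FALSE;
+ 
+-  if (!m_IsSolid || !TablesRead)
++  if (!_isSolid || !TablesRead)
+   {
+     bool keepDecompressing;
+     RINOK(ReadTables(keepDecompressing));
+     if (!keepDecompressing)
++    {
++      _solidAllowed = true;
+       return S_OK;
++    }
+   }
+ 
+   for (;;)
+@@ -870,6 +874,9 @@ HRESULT CDecoder::CodeReal(ICompressProgressInfo *progress)
+     if (!keepDecompressing)
+       break;
+   }
++
++  _solidAllowed = true;
++
+   RINOK(WriteBuf());
+   UInt64 packSize = m_InBitStream.BitDecoder.GetProcessedSize();
+   RINOK(progress->SetRatioInfo(&packSize, &_writtenFileSize));
+@@ -890,6 +897,10 @@ STDMETHODIMP CDecoder::Code(ISequentialInStream *inStream, ISequentialOutStream
+     if (!inSize)
+       return E_INVALIDARG;
+ 
++    if (_isSolid && !_solidAllowed)
++      return S_FALSE;
++    _solidAllowed = false;
++
+     if (!_vmData)
+     {
+       _vmData = (Byte *)::MidAlloc(kVmDataSizeMax + kVmCodeSizeMax);
+@@ -928,7 +939,7 @@ STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size)
+ {
+   if (size < 1)
+     return E_INVALIDARG;
+-  m_IsSolid = ((data[0] & 1) != 0);
++  _isSolid = ((data[0] & 1) != 0);
+   return S_OK;
+ }
+ 
+diff --git CPP/7zip/Compress/Rar3Decoder.h CPP/7zip/Compress/Rar3Decoder.h
+index 2f72d7d..32c8943 100644
+--- CPP/7zip/Compress/Rar3Decoder.h
++++ CPP/7zip/Compress/Rar3Decoder.h
+@@ -191,7 +191,8 @@ class CDecoder:
+   CRecordVector<CTempFilter *>  _tempFilters;
+   UInt32 _lastFilter;
+ 
+-  bool m_IsSolid;
++  bool _isSolid;
++  bool _solidAllowed;
+   bool _errorMode;
+ 
+   bool _lzMode;
+diff --git CPP/7zip/Compress/Rar5Decoder.cpp CPP/7zip/Compress/Rar5Decoder.cpp
+index dc8830f..a826d5a 100644
+--- CPP/7zip/Compress/Rar5Decoder.cpp
++++ CPP/7zip/Compress/Rar5Decoder.cpp
+@@ -72,6 +72,7 @@ CDecoder::CDecoder():
+     _writtenFileSize(0),
+     _dictSizeLog(0),
+     _isSolid(false),
++    _solidAllowed(false),
+     _wasInit(false),
+     _inputBuf(NULL)
+ {
+@@ -801,7 +802,10 @@ HRESULT CDecoder::CodeReal()
+   */
+ 
+   if (res == S_OK)
++  {
++    _solidAllowed = true;
+     res = res2;
++  }
+      
+   if (res == S_OK && _unpackSize_Defined && _writtenFileSize != _unpackSize)
+     return S_FALSE;
+@@ -821,6 +825,10 @@ STDMETHODIMP CDecoder::Code(ISequentialInStream *inStream, ISequentialOutStream
+ {
+   try
+   {
++    if (_isSolid && !_solidAllowed)
++      return S_FALSE;
++    _solidAllowed = false;
++
+     if (_dictSizeLog >= sizeof(size_t) * 8)
+       return E_NOTIMPL;
+ 
+diff --git CPP/7zip/Compress/Rar5Decoder.h CPP/7zip/Compress/Rar5Decoder.h
+index b0a4dd1..3db5018 100644
+--- CPP/7zip/Compress/Rar5Decoder.h
++++ CPP/7zip/Compress/Rar5Decoder.h
+@@ -271,6 +271,7 @@ class CDecoder:
+   Byte _dictSizeLog;
+   bool _tableWasFilled;
+   bool _isSolid;
++  bool _solidAllowed;
+   bool _wasInit;
+ 
+   UInt32 _reps[kNumReps];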
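Review bot: The pre-image of this patch already contains `_errorMode` and `m_TablesOK` (for example the removed line `-CDecoder::CDecoder(): m_IsSolid(false), _errorMode(false) { }` in Rar1Decoder.cpp and the context line `m_TablesOK(false)` in the Rar2Decoder.cpp constructor), and those members are exactly what patch-CVE-2018-5996 adds, yet the same change deletes p7zip/files/patch-CVE-2018-5996. Unless the CVE-2018-5996 hunks are carried somewhere outside this view, these hunks will either fail to apply to the extracted sources or the port ships without the earlier memory-corruption fix. Keeping both files also needs care, because the ports framework applies files/patch-* in lexical order and `patch-CVE-2018-10115` sorts before `patch-CVE-2018-5996`; folding the 5996 hunks into this file ahead of the 10115 ones, or naming the two files so they sort in dependency order, would make the sequence explicit. A header line such as `Requires the CVE-2018-5996 changes (_errorMode, m_TablesOK, TablesOK) to be applied first` at the top of the patch would document the dependency.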
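--- a/p7zip/files/patch-CVE-2018-5996
+++ b/p7zip/files/patch-CVE-2018-5996
@@ -1,211 +0,0 @@
-Obtained from: https://anonscm.debian.org/cgit/users/robert/p7zip-rar.git/tree/debian/patches/06-CVE-2018-5996.patch
----
-From: Robert Luberda <robert@debian.org>
-Date: Sun, 28 Jan 2018 23:47:40 +0100
-Subject: CVE-2018-5996
-
-Hopefully fix Memory Corruptions via RAR PPMd (CVE-2018-5996) by
-applying a few changes from 7Zip 18.00-beta.
-
-Bug-Debian: https://bugs.debian.org/#888314
----
- CPP/7zip/Compress/Rar1Decoder.cpp | 13 +++++++++----
- CPP/7zip/Compress/Rar1Decoder.h   |  1 +
- CPP/7zip/Compress/Rar2Decoder.cpp | 10 +++++++++-
- CPP/7zip/Compress/Rar2Decoder.h   |  1 +
- CPP/7zip/Compress/Rar3Decoder.cpp | 23 ++++++++++++++++++++---
- CPP/7zip/Compress/Rar3Decoder.h   |  2 ++
- 6 files changed, 42 insertions(+), 8 deletions(-)
-
---- CPP/7zip/Compress/Rar1Decoder.cpp
-+++ CPP/7zip/Compress/Rar1Decoder.cpp
-@@ -29,7 +29,7 @@ public:
- };
- */
- 
--CDecoder::CDecoder(): m_IsSolid(false) { }
-+CDecoder::CDecoder(): m_IsSolid(false), _errorMode(false) { }
- 
- void CDecoder::InitStructures()
- {
-@@ -406,9 +406,14 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
-   InitData();
-   if (!m_IsSolid)
-   {
-+    _errorMode = false;
-     InitStructures();
-     InitHuff();
-   }
-+
-+  if (_errorMode)
-+    return S_FALSE;
-+
-   if (m_UnpackSize > 0)
-   {
-     GetFlagsBuf();
-@@ -477,9 +482,9 @@ STDMETHODIMP CDecoder::Code(ISequentialInStream *inStream, ISequentialOutStream
-     const UInt64 *inSize, const UInt64 *outSize, ICompressProgressInfo *progress)
- {
-   try { return CodeReal(inStream, outStream, inSize, outSize, progress); }
--  catch(const CInBufferException &e) { return e.ErrorCode; }
--  catch(const CLzOutWindowException &e) { return e.ErrorCode; }
--  catch(...) { return S_FALSE; }
-+  catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; }
-+  catch(const CLzOutWindowException &e) { _errorMode = true; return e.ErrorCode; }
-+  catch(...) { _errorMode = true; return S_FALSE; }
- }
- 
- STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size)
---- CPP/7zip/Compress/Rar1Decoder.h
-+++ CPP/7zip/Compress/Rar1Decoder.h
-@@ -39,6 +39,7 @@ public:
- 
-   Int64 m_UnpackSize;
-   bool m_IsSolid;
-+  bool _errorMode;
- 
-   UInt32 ReadBits(int numBits);
-   HRESULT CopyBlock(UInt32 distance, UInt32 len);
---- CPP/7zip/Compress/Rar2Decoder.cpp
-+++ CPP/7zip/Compress/Rar2Decoder.cpp
-@@ -80,7 +80,8 @@ static const UInt32 kHistorySize = 1 << 20;
- static const UInt32 kWindowReservSize = (1 << 22) + 256;
- 
- CDecoder::CDecoder():
--  m_IsSolid(false)
-+  m_IsSolid(false),
-+  m_TablesOK(false)
- {
- }
- 
-@@ -100,6 +101,8 @@ UInt32 CDecoder::ReadBits(unsigned numBits) { return m_InBitStream.ReadBits(numB
- 
- bool CDecoder::ReadTables(void)
- {
-+  m_TablesOK = false;
-+
-   Byte levelLevels[kLevelTableSize];
-   Byte newLevels[kMaxTableSize];
-   m_AudioMode = (ReadBits(1) == 1);
-@@ -170,6 +173,8 @@ bool CDecoder::ReadTables(void)
-   }
-   
-   memcpy(m_LastLevels, newLevels, kMaxTableSize);
-+  m_TablesOK = true;
-+
-   return true;
- }
- 
-@@ -344,6 +349,9 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
-       return S_FALSE;
-   }
- 
-+  if (!m_TablesOK)
-+    return S_FALSE;
-+
-   UInt64 startPos = m_OutWindowStream.GetProcessedSize();
-   while (pos < unPackSize)
-   {
---- CPP/7zip/Compress/Rar2Decoder.h
-+++ CPP/7zip/Compress/Rar2Decoder.h
-@@ -139,6 +139,7 @@ class CDecoder :
- 
-   UInt64 m_PackSize;
-   bool m_IsSolid;
-+  bool m_TablesOK;
- 
-   void InitStructures();
-   UInt32 ReadBits(unsigned numBits);
---- CPP/7zip/Compress/Rar3Decoder.cpp
-+++ CPP/7zip/Compress/Rar3Decoder.cpp
-@@ -92,7 +92,8 @@ CDecoder::CDecoder():
-   _writtenFileSize(0),
-   _vmData(0),
-   _vmCode(0),
--  m_IsSolid(false)
-+  m_IsSolid(false),
-+  _errorMode(false)
- {
-   Ppmd7_Construct(&_ppmd);
- }
-@@ -545,6 +546,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing)
-     return InitPPM();
-   }
- 
-+  TablesRead = false;
-+  TablesOK = false;
-+
-   _lzMode = true;
-   PrevAlignBits = 0;
-   PrevAlignCount = 0;
-@@ -606,6 +610,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing)
-       }
-     }
-   }
-+  if (InputEofError())
-+    return S_FALSE;
-+
-   TablesRead = true;
- 
-   // original code has check here:
-@@ -623,6 +630,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing)
-   RIF(m_LenDecoder.Build(&newLevels[kMainTableSize + kDistTableSize + kAlignTableSize]));
- 
-   memcpy(m_LastLevels, newLevels, kTablesSizesSum);
-+
-+  TablesOK = true;
-+
-   return S_OK;
- }
- 
-@@ -824,7 +834,12 @@ HRESULT CDecoder::CodeReal(ICompressProgressInfo *progress)
-     PpmEscChar = 2;
-     PpmError = true;
-     InitFilters();
-+    _errorMode = false;
-   }
-+
-+  if (_errorMode)
-+    return S_FALSE;
-+
-   if (!m_IsSolid || !TablesRead)
-   {
-     bool keepDecompressing;
-@@ -838,6 +853,8 @@ HRESULT CDecoder::CodeReal(ICompressProgressInfo *progress)
-     bool keepDecompressing;
-     if (_lzMode)
-     {
-+      if (!TablesOK)
-+        return S_FALSE;
-       RINOK(DecodeLZ(keepDecompressing))
-     }
-     else
-@@ -901,8 +918,8 @@ STDMETHODIMP CDecoder::Code(ISequentialInStream *inStream, ISequentialOutStream
-     _unpackSize = outSize ? *outSize : (UInt64)(Int64)-1;
-     return CodeReal(progress);
-   }
--  catch(const CInBufferException &e)  { return e.ErrorCode; }
--  catch(...) { return S_FALSE; }
-+  catch(const CInBufferException &e)  { _errorMode = true; return e.ErrorCode; }
-+  catch(...) { _errorMode = true; return S_FALSE; }
-   // CNewException is possible here. But probably CNewException is caused
-   // by error in data stream.
- }
---- CPP/7zip/Compress/Rar3Decoder.h
-+++ CPP/7zip/Compress/Rar3Decoder.h
-@@ -192,6 +192,7 @@ class CDecoder:
-   UInt32 _lastFilter;
- 
-   bool m_IsSolid;
-+  bool _errorMode;
- 
-   bool _lzMode;
-   bool _unsupportedFilter;
-@@ -200,6 +201,7 @@ class CDecoder:
-   UInt32 PrevAlignCount;
- 
-   bool TablesRead;
-+  bool TablesOK;
- 
-   CPpmd7 _ppmd;
-   int PpmEscChar;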
(-)p7zip-codec-rar/Makefile (-1 / +1 lines)
1
# $FreeBSD$
1
# $FreeBSD$
2
2
3
PKGNAMESUFFIX=	-codec-rar
3
PKGNAMESUFFIX=	-codec-rar
4
PORTREVISION=	2
4
PORTREVISION=	3
5
5
6
COMMENT=	RAR decoder codec for p7zip
6
COMMENT=	RAR decoder codec for p7zip
7
7
