
Rar CmdExtract::UnstoreFile Integer Truncation Memory Corruption

Posted by deepcore on December 15, 2015 – 9:17 pm

The attached file crashes in CmdExtract::UnstoreFile because the signed int64 DestUnpSize is truncated to an unsigned 32-bit integer. Perhaps CmdExtract::ExtractCurrentFile should sanity check Arc.FileHead.UnpSize early. The researcher observed this crash in Avast Antivirus, but the origin of the code appears to be the unrar source distribution. Many other antivirus products may be affected, and presumably WinRAR and other archivers.
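The truncation described above, shown beside an early size check of the kind the post suggests. This is an added illustration, not code from unrar, Avast or the original post; the function names, the 64 KiB chunk size and the sample values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHUNK 0x10000u /* assumed size of the copy buffer */

/* Truncating pattern: when the signed 64-bit remaining size is not larger
   than the bytes just read, it is cast to 32-bit unsigned. A negative
   declared size therefore becomes a huge length. */
uint32_t chunk_len_truncating(uint32_t got, int64_t dest_unp_size)
{
    return (int64_t)got < dest_unp_size ? got : (uint32_t)dest_unp_size;
}

/* Hardened copy of a stored (uncompressed) member from src to dst.
   The declared size is validated once, before any data is moved.
   Returns the number of bytes written, or -1 if the size is rejected. */
int64_t unstore_checked(const uint8_t *src, size_t src_len,
                        uint8_t *dst, size_t dst_cap, int64_t dest_unp_size)
{
    if (dest_unp_size < 0 || (uint64_t)dest_unp_size > dst_cap)
        return -1; /* header value is negative or exceeds the destination */

    int64_t remaining = dest_unp_size;
    int64_t written = 0;
    size_t off = 0;

    while (remaining > 0 && off < src_len) {
        size_t got = src_len - off;
        if (got > CHUNK)
            got = CHUNK;
        /* Narrowing is safe here: 0 < remaining < got <= CHUNK. */
        if ((int64_t)got > remaining)
            got = (size_t)remaining;
        memcpy(dst + written, src + off, got);
        off += got;
        written += (int64_t)got;
        remaining -= (int64_t)got;
    }
    return written;
}
```
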

