| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| typos.patch | Correct some typographical errors. | Peter Pentchev <roam@ringlet.net> | yes | 2022-03-29 | ||
| fix-OOB-in-rar-delta-filter-2148.patch | fix: OOB in rar delta filter (#2148) Ensure that `src` won't move ahead of `dst`, so `src` will not OOB. Since `dst` won't move in this function, and we are only increasing `src` position, this check should be enough. It should be safe to early return because this function does not allocate resources. |
Wei-Cheng Pan <legnaleurc@gmail.com> | no | https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 | 2024-04-29 | |
| fix-OOB-in-rar-audio-filter-2149.patch | fix: OOB in rar audio filter (#2149) This patch ensures that `src` won't move ahead of `dst`, so `src` will not OOB. Similar situation like in a1cb648. |
Wei-Cheng Pan <legnaleurc@gmail.com> | no | https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b | 2024-04-29 | |
| rar4-reader-protect-copy_from_lzss_window_to_unp-217.patch | rar4 reader: protect copy_from_lzss_window_to_unp() (#2172) copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where both of its callers were holding a `size_t`. A lzss opcode chain could be constructed that resulted in a negative copy length, which when passed into memcpy would result in a very, very large positive number. Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to properly bounds-check length. In addition, this patch also ensures that `length` is not itself larger than the destination buffer. |
"Dustin L. Howett" <dustin@howett.net> | yes | debian upstream | https://github.com/libarchive/libarchive/commit/eac15e252010c1189a5c0f461364dbe2cd2a68b1 | 2024-05-09 |