Diffstat (limited to 'media-tv/kodi/files/kodi-17.3-unrar-vulnerability.patch')
-rw-r--r--media-tv/kodi/files/kodi-17.3-unrar-vulnerability.patch45
1 files changed, 45 insertions, 0 deletions
diff --git a/media-tv/kodi/files/kodi-17.3-unrar-vulnerability.patch b/media-tv/kodi/files/kodi-17.3-unrar-vulnerability.patch
new file mode 100644
index 000000000000..95644d6921e7
--- /dev/null
+++ b/media-tv/kodi/files/kodi-17.3-unrar-vulnerability.patch
@@ -0,0 +1,45 @@
+See https://trac.kodi.tv/ticket/17510
+diff --git a/lib/UnrarXLib/rarvm.cpp b/lib/UnrarXLib/rarvm.cpp
+index 901c35dcb4..42df0a0110 100644
+--- a/lib/UnrarXLib/rarvm.cpp
++++ b/lib/UnrarXLib/rarvm.cpp
+@@ -873,14 +873,16 @@ void RarVM::ExecuteStandardFilter(VM_StandardFilters FilterType)
+ break;
+ case VMSF_DELTA:
+ {
+- int DataSize=R[4],Channels=R[0],SrcPos=0,Border=DataSize*2;
+- SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+- if (DataSize>=VM_GLOBALMEMADDR/2)
+- break;
+- for (int CurChannel=0;CurChannel<Channels;CurChannel++)
++ uint DataSize=R[4],Channels=R[0],SrcPos=0,Border=DataSize*2;
++ if (DataSize>VM_MEMSIZE/2 || Channels>MAX3_UNPACK_CHANNELS || Channels==0)
++ break;
++
++ // Bytes from same channels are grouped to continual data blocks,
++ // so we need to place them back to their interleaving positions.
++ for (uint CurChannel=0;CurChannel<Channels;CurChannel++)
+ {
+ byte PrevByte=0;
+- for (int DestPos=DataSize+CurChannel;DestPos<Border;DestPos+=Channels)
++ for (uint DestPos=DataSize+CurChannel;DestPos<Border;DestPos+=Channels)
+ Mem[DestPos]=(PrevByte-=Mem[SrcPos++]);
+ }
+ }
+diff --git a/lib/UnrarXLib/unpack.hpp b/lib/UnrarXLib/unpack.hpp
+index 83fb0f0254..36ac30d181 100644
+--- a/lib/UnrarXLib/unpack.hpp
++++ b/lib/UnrarXLib/unpack.hpp
+@@ -1,6 +1,12 @@
+ #ifndef _RAR_UNPACK_
+ #define _RAR_UNPACK_
+
++// Limit maximum number of channels in RAR3 delta filter to some reasonable
++// value to prevent too slow processing of corrupt archives with invalid
++// channels number. Must be equal or larger than v3_MAX_FILTER_CHANNELS.
++// No need to provide it for RAR5, which uses only 5 bits to store channels.
++#define MAX3_UNPACK_CHANNELS 1024
++
+ enum BLOCK_TYPES {BLOCK_LZ,BLOCK_PPM};
+
+ struct Decode
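Review bot: In the VMSF_DELTA case of the embedded rarvm.cpp hunk, the old `SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);` is removed and nothing on the new side replaces it. If the caller of ExecuteStandardFilter still reads the value stored at `VM_GLOBALMEMADDR+0x20` after the filter runs (the caller is not visible here), delta-filtered output could be taken from the wrong offset, so either confirm the slot is no longer used or keep the store after the new bounds check. The check itself appears to cover the loop: with `DataSize<=VM_MEMSIZE/2`, `Border` cannot exceed `VM_MEMSIZE`, and the switch to `uint` closes off the negative `DataSize` and `Channels` values that the old signed comparison accepted; this assumes `Mem` holds at least `VM_MEMSIZE` bytes, which is declared outside the hunk. The patch header would also be easier to audit with a one-line summary next to the ticket link, for example `Bound DataSize and Channels in the RAR3 delta filter to prevent out-of-bounds writes to VM memory`. The rest of ExecuteStandardFilter lies outside the hunk.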