During a fuzzing session I discovered two cases where a buffer overflow is triggered. The problem lies in header.c:797-800 and header.c:913-916. The header_size is determined from the get_byte() function and the returned value is used in:
header_size + 2 - COMMON_HEADER_SIZE
to determine the elements' size in fread(). If the header_size is less than abs(2 - COMMON_HEADER_SIZE) = abs(2 - 21) = 19 then the size parameter is overflowed and a buffer overflow occurs in fread.
header_size is determined from the first byte of the LHA archive header.
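The arithmetic described above, reproduced beside a validated version, as an added example (not code from the lha source or from this report). It assumes COMMON_HEADER_SIZE = 21 as stated in the report, uses an in-memory byte array in place of the FILE* that get_byte()/fread() read from, and the buffer size and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Value given in the report: the fixed part of the LHA header. */
#define COMMON_HEADER_SIZE 21

/* Mirrors the report's arithmetic: header_size is one byte (0..255) and the
 * remaining length is header_size + 2 - COMMON_HEADER_SIZE. For any
 * header_size below 19 the result wraps to a huge size_t, which is the value
 * fread() would receive as its element size. */
size_t unchecked_remaining(unsigned char header_size)
{
    return (size_t)header_size + 2 - COMMON_HEADER_SIZE;
}

/* Hardened variant (hypothetical fix, not the project's): reject the header
 * before subtracting, and also bound the result by the destination buffer.
 * Returns 0 and sets *out on success, -1 on an invalid length. */
int checked_remaining(unsigned char header_size, size_t buf_len, size_t *out)
{
    if (header_size < COMMON_HEADER_SIZE - 2)   /* would wrap: header_size < 19 */
        return -1;
    size_t n = (size_t)header_size + 2 - COMMON_HEADER_SIZE;
    if (n > buf_len)                            /* would overflow buf */
        return -1;
    *out = n;
    return 0;
}

/* Reads the remainder of the header from a constructed in-memory archive.
 * archive[0] plays the role of the byte get_byte() returns; memcpy stands in
 * for the fread() call. Returns 0 and sets *nread on success, -1 otherwise. */
int read_rest_of_header(const unsigned char *archive, size_t archive_len,
                        unsigned char *buf, size_t buf_len, size_t *nread)
{
    if (archive_len < 1)
        return -1;
    unsigned char header_size = archive[0];
    size_t n;
    if (checked_remaining(header_size, buf_len, &n) != 0)
        return -1;
    if (archive_len - 1 < n)                    /* truncated archive */
        return -1;
    memcpy(buf, archive + 1, n);
    *nread = n;
    return 0;
}
```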