Update to UnRAR v6.2.12

libclamunrar/arcread.cpp

@@ -991,7 +991,7 @@ void Archive::ProcessExtra50(RawRead *Raw,size_t ExtraSize,const BaseBlock *bb)
             if ((Flags & MHEXTRA_METADATA_NAME)!=0)
             {
               uint64 NameSize=Raw->GetV();
-              if (NameSize<0x10000) // Prevent excessive allocation.
+              if (NameSize>0 && NameSize<0x10000) // Prevent excessive allocation.
               {
                 std::vector<char> NameU((size_t)NameSize); // UTF-8 name.
                 Raw->GetB(&NameU[0],(size_t)NameSize);

libclamunrar/crypt5.cpp

@@ -133,7 +133,15 @@ void CryptData::SetKey50(bool Encrypt,SecPassword *Password,const wchar *PwdW,
      byte *PswCheck)
 {
   if (Lg2Cnt>CRYPT5_KDF_LG2_COUNT_MAX)
+  {
+    // Initialize these fields to prevent uninitialized data access warnings
+    // by analyzing tools when accessing returned data.
+    if (HashKey!=nullptr)
+      memset(HashKey,0,SHA256_DIGEST_SIZE);
+    if (PswCheck!=nullptr)
+      memset(PswCheck,0,SIZE_PSWCHECK);
     return;
+  }
 
   byte Key[32],PswCheckValue[SHA256_DIGEST_SIZE],HashKeyValue[SHA256_DIGEST_SIZE];
   bool Found=false;

libclamunrar/dll.cpp

@@ -242,10 +242,10 @@ int PASCAL RARReadHeaderEx(HANDLE hArcData,struct RARHeaderDataEx *D)
       else
         return Code;
     }
-    wcsncpy(D->ArcNameW,Data->Arc.FileName,ASIZE(D->ArcNameW));
+    wcsncpyz(D->ArcNameW,Data->Arc.FileName,ASIZE(D->ArcNameW));
     WideToChar(D->ArcNameW,D->ArcName,ASIZE(D->ArcName));
 
-    wcsncpy(D->FileNameW,hd->FileName,ASIZE(D->FileNameW));
+    wcsncpyz(D->FileNameW,hd->FileName,ASIZE(D->FileNameW));
     WideToChar(D->FileNameW,D->FileName,ASIZE(D->FileName));
 #ifdef _WIN_ALL
     CharToOemA(D->FileName,D->FileName);
@@ -329,7 +329,7 @@ int PASCAL ProcessFile(HANDLE hArcData,int Operation,char *DestPath,char *DestNa
   {
     Data->Cmd.DllError=0;
     if (Data->OpenMode==RAR_OM_LIST || Data->OpenMode==RAR_OM_LIST_INCSPLIT ||
-        Operation==RAR_SKIP) // && !Data->Arc.Solid)
+        Operation==RAR_SKIP && !Data->Arc.Solid)
     {
       if (Data->Arc.Volume && Data->Arc.GetHeaderType()==HEAD_FILE &&
           Data->Arc.FileHead.SplitAfter)
@@ -377,7 +377,7 @@ int PASCAL ProcessFile(HANDLE hArcData,int Operation,char *DestPath,char *DestNa
 
       if (DestPathW!=NULL)
       {
-        wcsncpy(Data->Cmd.ExtrPath,DestPathW,ASIZE(Data->Cmd.ExtrPath));
+        wcsncpyz(Data->Cmd.ExtrPath,DestPathW,ASIZE(Data->Cmd.ExtrPath));
         AddEndSlash(Data->Cmd.ExtrPath,ASIZE(Data->Cmd.ExtrPath));
       }
 

libclamunrar/dll.rc

@@ -2,8 +2,8 @@
 #include <commctrl.h>
 
 VS_VERSION_INFO VERSIONINFO
-FILEVERSION 6, 23, 100, 944
-PRODUCTVERSION 6, 23, 100, 944
+FILEVERSION 6, 24, 100, 1007
+PRODUCTVERSION 6, 24, 100, 1007
 FILEOS VOS__WINDOWS32
 FILETYPE VFT_APP
 {
@@ -14,8 +14,8 @@ FILETYPE VFT_APP
       VALUE "CompanyName", "Alexander Roshal\0"
       VALUE "ProductName", "RAR decompression library\0"
       VALUE "FileDescription", "RAR decompression library\0"
-      VALUE "FileVersion", "6.23.0\0"
-      VALUE "ProductVersion", "6.23.0\0"
+      VALUE "FileVersion", "6.24.0\0"
+      VALUE "ProductVersion", "6.24.0\0"
       VALUE "LegalCopyright", "Copyright � Alexander Roshal 1993-2023\0"
       VALUE "OriginalFilename", "Unrar.dll\0"
     }

libclamunrar/extinfo.cpp

@@ -80,10 +80,13 @@ static int CalcAllowedDepth(const wchar *Name)
       bool Dot2=Name[1]=='.' && Name[2]=='.' && (IsPathDiv(Name[3]) || Name[3]==0);
       if (!Dot && !Dot2)
         AllowedDepth++;
+      else
+        if (Dot2)
+          AllowedDepth--;
     }
     Name++;
   }
-  return AllowedDepth;
+  return AllowedDepth < 0 ? 0 : AllowedDepth;
 }
 
 
@@ -106,68 +109,6 @@ static bool LinkInPath(const wchar *Name)
 }
 
 
-// Delete symbolic links in file path, if any, and replace them by directories.
-// Prevents extracting files outside of destination folder with symlink chains.
-bool LinksToDirs(const wchar *SrcName,const wchar *SkipPart,std::wstring &LastChecked)
-{
-  // Unlike Unix, Windows doesn't expand lnk1 in symlink targets like
-  // "lnk1/../dir", but converts the path to "dir". In Unix we need to call
-  // this function to prevent placing unpacked files outside of destination
-  // folder if previously we unpacked "dir/lnk1" -> "..",
-  // "dir/lnk2" -> "lnk1/.." and "dir/lnk2/anypath/poc.txt".
-  // We may still need this function to prevent abusing symlink chains
-  // in link source path if we remove detection of such chains
-  // in IsRelativeSymlinkSafe. This function seems to make other symlink
-  // related safety checks redundant, but for now we prefer to keep them too.
-  //
-  // 2022.12.01: the performance impact is minimized after adding the check
-  // against the previous path and enabling this verification only after
-  // extracting a symlink with ".." in target. So we enabled it for Windows
-  // as well for extra safety.
-//#ifdef _UNIX
-  wchar Path[NM];
-  if (wcslen(SrcName)>=ASIZE(Path))
-    return false;  // It should not be that long, skip.
-  wcsncpyz(Path,SrcName,ASIZE(Path));
-
-  size_t SkipLength=wcslen(SkipPart);
-
-  if (SkipLength>0 && wcsncmp(Path,SkipPart,SkipLength)!=0)
-    SkipLength=0; // Parameter validation, not really needed now.
-
-  // Do not check parts already checked in previous path to improve performance.
-  for (uint I=0;Path[I]!=0 && I<LastChecked.size() && Path[I]==LastChecked[I];I++)
-    if (IsPathDiv(Path[I]) && I>SkipLength)
-      SkipLength=I;
-
-  wchar *Name=Path;
-  if (SkipLength>0)
-  {
-    // Avoid converting symlinks in destination path part specified by user.
-    Name+=SkipLength;
-    while (IsPathDiv(*Name))
-      Name++;
-  }
-
-  for (wchar *s=Path+wcslen(Path)-1;s>Name;s--)
-    if (IsPathDiv(*s))
-    {
-      *s=0;
-      FindData FD;
-      if (FindFile::FastFind(Path,&FD,true) && FD.IsLink)
-#ifdef _WIN_ALL
-        if (!DelDir(Path))
-#else
-        if (!DelFile(Path))
-#endif
-          return false; // Couldn't delete the symlink to replace it with directory.
-    }
-  LastChecked=SrcName;
-//#endif
-  return true;
-}
-
-
 bool IsRelativeSymlinkSafe(CommandData *Cmd,const wchar *SrcName,const wchar *PrepSrcName,const wchar *TargetName)
 {
   // Catch root dir based /path/file paths also as stuff like \\?\.

libclamunrar/extinfo.hpp

@@ -1,7 +1,6 @@
 #ifndef _RAR_EXTINFO_
 #define _RAR_EXTINFO_
 
-bool LinksToDirs(const wchar *SrcName,const wchar *SkipPart,std::wstring &LastChecked);
 bool IsRelativeSymlinkSafe(CommandData *Cmd,const wchar *SrcName,const wchar *PrepSrcName,const wchar *TargetName);
 bool ExtractSymlink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName,bool &UpLink);
 #ifdef _UNIX