7-Zip Memory Corruption Vulnerability in RAR5 Handler Leading to Denial-of-Service

Vulnerability

A heap-based buffer overflow has been identified in the RAR5 handler of 7-Zip versions prior to 25.0.0. When the RAR5 decoder encounters a corrupted item it attempts to recover by overwriting the item's data with zeroes, but the length of that fill is miscalculated, so the zeroes are written past the end of the allocated heap buffer. The result is heap memory corruption in the process extracting the archive, which can crash it (a denial-of-service condition).
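The bug class above, as an added illustration (this is simplified example code written for this page, not 7-Zip's RAR5 handler; the type and function names are invented): a recovery step that zero-fills a corrupted item once with the length taken straight from the attacker-controlled header, and once with the write clamped to the bytes that actually exist in the output buffer. Compiled with `-fsanitize=address` and run with `--unchecked`, it produces the same kind of heap-buffer-overflow report that the Reproduction section describes.

```c
/* Added example: zero-fill recovery of a "corrupted item", unchecked
 * versus bounds-checked.  Hypothetical names; not 7-Zip source. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap buffer the decoder unpacks into. */
typedef struct {
    uint8_t *data;
    size_t   size;          /* bytes actually allocated */
} OutBuf;

/* One item as the recovery path sees it: where it starts in the output
 * and how long the archive header claims it is (attacker controlled). */
typedef struct {
    size_t offset;
    size_t declared_len;
} Item;

/* Vulnerable pattern: trust declared_len.  If declared_len exceeds
 * size - offset, memset writes zeroes beyond the heap block; ASan flags
 * this as heap-buffer-overflow on the memset. */
static void zero_fill_unchecked(OutBuf *out, const Item *it)
{
    memset(out->data + it->offset, 0, it->declared_len);
}

/* Hardened pattern: reject an offset past the buffer and clamp the fill
 * to the remaining bytes.  Returns bytes zeroed, or (size_t)-1 if the
 * item lies entirely outside the buffer. */
static size_t zero_fill_checked(OutBuf *out, const Item *it)
{
    if (it->offset > out->size)
        return (size_t)-1;
    size_t avail = out->size - it->offset;
    size_t n = it->declared_len < avail ? it->declared_len : avail;
    memset(out->data + it->offset, 0, n);
    return n;
}

/* Test harness: allocate `size` bytes of 0xAA, run one of the two fills
 * on (offset, declared_len) and report how many bytes ended up zero, or
 * (size_t)-1 if the checked variant rejected the item.  The unchecked
 * variant must only be given in-bounds input here; out-of-bounds input
 * is undefined behaviour and is what ASan is for. */
size_t demo_fill(int checked, size_t size, size_t offset, size_t declared_len)
{
    OutBuf out = { malloc(size), size };
    Item it = { offset, declared_len };
    size_t zeros = 0, i;

    memset(out.data, 0xAA, size);
    if (checked) {
        if (zero_fill_checked(&out, &it) == (size_t)-1) {
            free(out.data);
            return (size_t)-1;
        }
    } else {
        zero_fill_unchecked(&out, &it);
    }
    for (i = 0; i < size; i++)
        if (out.data[i] == 0)
            zeros++;
    free(out.data);
    return zeros;
}

int main(int argc, char **argv)
{
    /* Constructed input: 64-byte buffer, header claims 32 bytes at
     * offset 48, but only 16 bytes remain. */
    if (argc > 1 && strcmp(argv[1], "--unchecked") == 0) {
        /* cc -g -fsanitize=address example.c && ./a.out --unchecked */
        demo_fill(0, 64, 48, 32);
        puts("no sanitizer report: build with -fsanitize=address");
    } else {
        size_t n = demo_fill(1, 64, 48, 32);
        printf("checked fill zeroed %zu bytes (header asked for 32)\n", n);
    }
    return 0;
}
```

The fix is the clamp, not the zeroing: the recovery step is legitimate, but every length it uses has to be derived from the allocation, not from the archive.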

Impact

A crafted RAR5 archive corrupts heap memory in the process that extracts it, crashing that process (denial of service). The out-of-bounds data is zeroes rather than attacker-chosen bytes, which is why the expected outcome is a crash rather than code execution; it is still an out-of-bounds heap write, so crashes while extracting untrusted archives should be handled as a security issue, not a stability bug.

Reproduction

The vulnerability can be reproduced by building 7-Zip with AddressSanitizer enabled and extracting a specially crafted RAR5 file that drives the decoder down the corrupted-item recovery path. AddressSanitizer then reports a heap-buffer-overflow write, naming the writing frame and the allocation the write overran, which confirms that the bug has been triggered.

Remediation

Upgrade to 7-Zip 25.0.0 or later, which contains the fix. 7-Zip is also commonly bundled with, or vendored into, other software; copies embedded in such products need to be updated separately.

Added: Jul 17, 2025, 7:27 PM
Updated: Jul 17, 2025, 10:25 PM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.