A truncated or corrupt archive could overrun memory during decode. decompress_block guarded its match-copy length with an assert that NDEBUG compiles out, so a short bits_get that underflowed the length would overrun the 64KB window in release builds. Replace the assert with a runtime check: an out-of-range length ends the block with UC2_Damaged before the copy, and the existing checksum and size validation then reports the archive as damaged.

decompress_cdir bound the walkable range to the buffer allocation rather than the bytes actually decompressed, so a damaged directory that happened to match the 16-bit checksum could be parsed into uninitialised heap; bound the range to the decompressed length.

The CLI also leaked the archive handle and FILE on the directory-read and integrity-test error paths; close both.

A prefix-sweep fuzzer drove these fixes. It still finds a rare, heap-state-dependent out-of-bounds read in the directory-skip path that these changes do not fully close; that and a stable fuzz harness are tracked separately.
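The match-copy part of the fix, as an added illustration that is not the project's code and does not use the real UC2 bitstream: a minimal LZ-style block decoder with a 64 KiB window. The record layout, the `bits_get` that yields one bits past the end of a truncated input, the `UC2_Ok`/`UC2_Damaged` status enum and the sample stream are all constructed for the demo. It puts the assert-only match copy that NDEBUG compiles out next to the runtime check that returns `UC2_Damaged` before any byte is written, and drives both the oversized-length case (window nearly full) and the distance-before-window case that a short read produces.

```c
/* Added example, not UC2 project code: a minimal LZ-style block decoder with a
 * 64 KiB window. Record layout (invented for the demo): 1 flag bit, then
 * literal = 8-bit byte (flag 0) or match = 16-bit distance + 16-bit length. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW_SIZE 65536u
enum uc2_status { UC2_Ok = 0, UC2_Damaged = 1 };          /* stand-in codes */
struct bits { const uint8_t *data; size_t len; size_t bitpos; };
struct decoder { uint8_t window[WINDOW_SIZE]; size_t pos; };

/* MSB-first bit reader. Past the end of a truncated input it returns 1 bits
 * rather than failing, so a length field read there decodes as a huge value. */
static uint32_t bits_get(struct bits *b, unsigned n)
{
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++, b->bitpos++) {
        unsigned bit = b->bitpos / 8 < b->len
                     ? (b->data[b->bitpos / 8] >> (7 - b->bitpos % 8)) & 1 : 1;
        v = (v << 1) | bit;
    }
    return v;
}

/* BEFORE: bounds only asserted. With -DNDEBUG the asserts vanish and an
 * oversized len writes past window[]. Kept for comparison only. */
static enum uc2_status copy_match_assert_only(struct decoder *d, uint32_t dist, uint32_t len)
{
    assert(dist >= 1 && dist <= d->pos);
    assert(len <= WINDOW_SIZE - d->pos);
    for (uint32_t i = 0; i < len; i++, d->pos++)
        d->window[d->pos] = d->window[d->pos - dist];
    return UC2_Ok;
}

/* AFTER: the same bounds checked at runtime, before any byte is written. */
static enum uc2_status copy_match_checked(struct decoder *d, uint32_t dist, uint32_t len)
{
    if (dist < 1 || dist > d->pos)       /* source would lie before the window */
        return UC2_Damaged;
    if (len > WINDOW_SIZE - d->pos)      /* copy would run past the window end */
        return UC2_Damaged;
    for (uint32_t i = 0; i < len; i++, d->pos++)
        d->window[d->pos] = d->window[d->pos - dist];
    return UC2_Ok;
}

/* Decode nrec records into d; the first damaged record ends the block. */
static enum uc2_status decompress_block(struct decoder *d, const uint8_t *in,
                                        size_t inlen, unsigned nrec)
{
    struct bits b = { in, inlen, 0 };
    for (unsigned r = 0; r < nrec; r++) {
        if (bits_get(&b, 1) == 0) {
            if (d->pos >= WINDOW_SIZE) return UC2_Damaged;
            d->window[d->pos++] = (uint8_t)bits_get(&b, 8);
        } else {
            uint32_t dist = bits_get(&b, 16), len = bits_get(&b, 16);
            enum uc2_status st = copy_match_checked(d, dist, len);
            if (st != UC2_Ok) return st;
        }
    }
    /* Having read past the end of the input means the block was truncated. */
    return (b.bitpos + 7) / 8 <= inlen ? UC2_Ok : UC2_Damaged;
}

/* Constructed sample stream: literal 'a', literal 'b', match dist=2 len=4,
 * i.e. "ababab"; 51 bits zero-padded to 7 bytes. Cut to 5 bytes, the length
 * field reads as all ones; cut to 4 bytes, the distance field does. */
static const uint8_t GOOD_STREAM[] = { 0x30, 0x98, 0xA0, 0x00, 0x40, 0x00, 0x80 };
static struct decoder g_dec;          /* 64 KiB window, kept off the stack */

/* Fill the window with 'x', decode from start_pos, copy what was produced to out. */
static enum uc2_status run_block(const uint8_t *in, size_t inlen, unsigned nrec,
                                 size_t start_pos, char *out, size_t outcap)
{
    memset(g_dec.window, 'x', WINDOW_SIZE);
    g_dec.pos = start_pos;
    enum uc2_status st = decompress_block(&g_dec, in, inlen, nrec);
    size_t n = g_dec.pos - start_pos;
    if (n >= outcap) n = outcap - 1;
    memcpy(out, g_dec.window + start_pos, n);
    out[n] = '\0';
    return st;
}

int main(void)
{
    static const char *s[] = { "ok", "damaged" };
    char out[16];
    printf("intact:            %s \"%s\"\n",
           s[run_block(GOOD_STREAM, sizeof GOOD_STREAM, 3, 0, out, sizeof out)], out);
    printf("short length read: %s (window nearly full)\n",
           s[run_block(GOOD_STREAM, 5, 3, WINDOW_SIZE - 8, out, sizeof out)]);
    printf("short dist read:   %s\n", s[run_block(GOOD_STREAM, 4, 3, 0, out, sizeof out)]);
    /* Assert-only path on the same valid match: identical on good input. */
    g_dec.pos = 2;
    printf("assert-only copy:  %s\n", s[copy_match_assert_only(&g_dec, 2, 4)]);
    return 0;
}
```

The point of `copy_match_checked` is that the rejection happens before the copy loop touches the window, so a damaged block leaves the already-decoded bytes intact and the caller's checksum and size validation sees a consistent buffer. Building the demo with `-DNDEBUG` shows why the assert-only version is not a guard: the two `assert` lines compile to nothing, and only the runtime checks remain.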