Header Error with 7z but WinRar has no problem unzipping
7zip version: 24.07 and below
Windows Version: 11 x64
Bug: "Header Error; There are data after the end of archive"
Input: Malicious rar file hosted here: https://www.virustotal.com/gui/file/c49452d1135b6c1d5e61ac7986919492f11b7bc04659f85b0f02b24a24f06cdc
Problem: WinRar has no problem unzipping this but 7z does.
I have not downloaded it.
Does 7-zip extract all files from that archive?
The "There are data after the end of archive" message is not a bug.
It's a feature that shows important information about the archive to the user.
So if 7-Zip sees unused data after the end of the archive, 7-Zip shows an error message. So the user will know about that problem with the archive.
Last edit: Igor Pavlov 2024-07-03
Hey Igor, thanks for the quick response!
7zip does not extract the files from the archive. There is one cmd file inside of it (that is the malicious part) and it extracts properly with winrar but 7z does not extract it. I'm assuming that since "There are data after the end of archive" is just a warning, the "Header Error" is what's causing the crash and unsuccessful extraction?
So is it empty, if you open the archive without extraction?
Then probably 7-Zip sees some error in the header of the file.
Last edit: Igor Pavlov 2024-07-03
Yeah, the header of the local file is damaged.
Someone tried to spoof the executable extension (.cmd -> .png), but didn't fix the header checksum.
That's why 7-Zip refuses to open this archive.
BUT there is also a "QuickOpen" record with the correct copy of the header.
I think WinRAR prefers to use QO if it is available.
I've attached a synthetic example.
Last edit: Dmitry Glavatskikh 2024-07-03
7-Zip doesn't use RAR's QuickOpen now. And 7-Zip doesn't provide full compatibility with WinRAR for incorrect archives.
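
Added example (not part of the thread, and not 7-Zip or WinRAR code): a header checksum check of the kind discussed above, assuming the RAR5 block layout in which each header stores a CRC32 computed from its size field through the end of the header. The sample archive, its simplified block bodies and the name `invoice.cmd` are constructed for illustration.

```python
import struct
import zlib

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
HEADER_TYPES = {1: "main", 2: "file", 3: "service", 4: "encryption", 5: "end"}

def read_vint(buf, pos):
    """Decode a RAR5 variable-length integer; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def check_header_crcs(data):
    """Walk RAR5 blocks; return [(offset, type_name, crc_ok), ...]."""
    if not data.startswith(RAR5_SIGNATURE):
        raise ValueError("not a RAR5 archive")
    pos, results = len(RAR5_SIGNATURE), []
    while pos + 4 < len(data):
        (stored_crc,) = struct.unpack_from("<I", data, pos)
        size_start = pos + 4
        header_size, body_start = read_vint(data, size_start)
        header_end = body_start + header_size
        # The stored CRC32 covers the size field through the end of the header.
        crc_ok = zlib.crc32(data[size_start:header_end]) == stored_crc
        htype, p = read_vint(data, body_start)
        flags, p = read_vint(data, p)
        if flags & 0x01:                      # extra area size present
            _, p = read_vint(data, p)
        data_size = 0
        if flags & 0x02:                      # data area follows the header
            data_size, p = read_vint(data, p)
        results.append((pos, HEADER_TYPES.get(htype, "unknown"), crc_ok))
        if htype == 5:                        # end-of-archive header
            break
        pos = header_end + data_size
    return results

def make_block(htype, body=b""):
    # Constructed sample block: type, flags=0, body (not a full RAR5 field layout).
    inner = bytes([htype, 0]) + body
    sized = bytes([len(inner)]) + inner       # sizes < 128 fit in one vint byte
    return struct.pack("<I", zlib.crc32(sized)) + sized

SAMPLE = RAR5_SIGNATURE + make_block(1, b"\x00") + make_block(2, b"invoice.cmd") + make_block(5, b"\x00")
TAMPERED = SAMPLE.replace(b".cmd", b".png")   # name edited, stored CRC left stale
```

`check_header_crcs(TAMPERED)` reports the file header at offset 16 with a failed CRC while the main and end headers still verify, which is the condition that makes a strict parser reject the archive.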