In Rar2Decoder.cpp there's no check for the boundaries of kLenStart and kLenDirectBits in lines 258 and 259. I have a rar archive which crashes at line 258 due to sym = 0xfffffef1.
Most likely this is happening because m_MainDecoder.DecodeSymbol() returns 0xFFFFFFFF from UInt32 Decode(TBitDecoder * bitStream).
See HuffmanDecoder.h line 148.
And then
number -= kMatchNumber;
gives a UInt32 overflow, i.e. sym = 0xFFFFFFFF - kMatchNumber (which is 0x10E) => 0xFFFFFEF1 => accessing data beyond the boundaries of kLenStart and kLenDirectBits.
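The pattern the reporter describes, as an added C++ example that is not 7-Zip's code: a stand-in for the unchecked "number -= kMatchNumber" indexing next to a range-checked version that rejects the 0xFFFFFFFF decode-failure sentinel and any symbol outside the length table before it is used as an index. kMatchNumber = 0x10E and the sentinel value are taken from the thread; the table contents, the table size, the bit reader and the sample bits are constructed for this example and are not RAR2's real values.

```cpp
#include <cstdint>
#include <cstddef>

// From the thread: symbols >= kMatchNumber select an entry of kLenStart /
// kLenDirectBits, and DecodeSymbol() yields 0xFFFFFFFF on a decode failure.
const uint32_t kMatchNumber   = 0x10E;
const uint32_t kInvalidSymbol = 0xFFFFFFFF;

// Illustrative tables (constructed for this example; not RAR2's real values).
const uint32_t kNumLenSymbols = 28;
static const uint32_t kLenStart[kNumLenSymbols] = {
  2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 14, 16, 20, 24, 28, 32,
  40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 255 };
static const uint8_t kLenDirectBits[kNumLenSymbols] = {
  0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
  3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5 };

// Minimal MSB-first bit reader standing in for the decoder's bit stream.
struct BitReader {
  const uint8_t *data;
  size_t size;
  size_t bitPos;
  BitReader(const uint8_t *d, size_t s) : data(d), size(s), bitPos(0) {}
  // Reads n bits; returns false instead of reading past the buffer.
  bool ReadBits(unsigned n, uint32_t &out) {
    if (n > 32 || bitPos + n > size * 8) return false;
    uint32_t v = 0;
    for (unsigned k = 0; k < n; ++k, ++bitPos)
      v = (v << 1) | ((data[bitPos >> 3] >> (7 - (bitPos & 7))) & 1);
    out = v;
    return true;
  }
};

// The pattern described in the report: the symbol is turned into a table
// index with no range check, so 0xFFFFFFFF - 0x10E wraps to 0xFFFFFEF1.
uint32_t LengthIndexUnchecked(uint32_t sym) {
  return sym - kMatchNumber;
}

// Hardened form: reject the failure sentinel and any symbol outside the
// table before it is used as an index. Returns -1 on rejection.
long long LengthIndexChecked(uint32_t sym) {
  if (sym == kInvalidSymbol || sym < kMatchNumber) return -1;
  uint32_t index = sym - kMatchNumber;
  if (index >= kNumLenSymbols) return -1;
  return index;
}

// Decodes one match length from a symbol plus its direct bits, or returns -1
// so the caller can reject the archive as malformed instead of reading
// beyond kLenStart / kLenDirectBits.
long long DecodeMatchLength(uint32_t sym, const uint8_t *bits, size_t bitsSize) {
  long long index = LengthIndexChecked(sym);
  if (index < 0) return -1;
  BitReader reader(bits, bitsSize);
  uint32_t extra = 0;
  if (!reader.ReadBits(kLenDirectBits[index], extra)) return -1;
  return (long long)kLenStart[index] + extra;
}
```

The checked version treats a decoder failure and an out-of-table symbol the same way: both are signs of corrupt or hostile input, and the right response is to stop decoding and report the archive as bad rather than trust the value as an index.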
Yes, that bug is already fixed in my code (which is not released yet).
But thanks for the report anyway!