Fix CVE-2024-26256 (libarchive#2269)

Opening a manipulated RAR archive could lead to remote code execution

Security: CVE-2024-26256
Co-authored-by: Timothy Lyanguzov <[email protected]>

Author: terrynini

libarchive/archive_read_support_format_rar.c

@@ -3428,6 +3428,12 @@ run_filters(struct archive_read *a)
       return 0;
   }
 
+  if (filter->blocklength > VM_MEMORY_SIZE)
+  {
+    archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, "Bad RAR file data");
+    return 0;
+  }
+
   ret = copy_from_lzss_window(a, filters->vm->memory, start, filter->blocklength);
   if (ret != ARCHIVE_OK)
     return 0;