Archive · C++
How to fuzz UnRAR
RAR's proprietary format means limited independent auditing — fuzzing fills the gap.
UnRAR parses a complex proprietary format with two header generations (RAR4 and RAR5), several decoders (LZ-based in both, PPMd in RAR4) and, in RAR5, BLAKE2sp checksums alongside CRC32. It has a history of path traversal and heap corruption bugs, and because many products extract archives automatically (mail gateways, file-manager previews, scanners), a crafted file reaches the parser with no user interaction. The compressor is closed and the decompressor source ships under a restrictive license, so community fuzzing is some of the only independent security coverage it gets.
Common bug classes
- Heap buffer overflow in RAR5 solid archive block decoder
- Path traversal via crafted unicode filename normalization
- Integer overflow in archive comment block length field
- Out-of-bounds write in PPMd compression model update
- Use-after-free in multi-volume archive reassembly
Recommended setup
Fuzzers
- AFL++
- libFuzzer
Sanitizers
- ASan
- UBSan
Harness scaffold
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>
/* UnRAR exposes a C API via dll.hpp in the open-source drop; adjust the
   include path to wherever you unpacked the unrar source tree. */
#include <unrar/dll.hpp>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  /* The API only opens archives by path, so spill the input to tmpfs (Linux). */
  char path[] = "/dev/shm/unrar_fuzz_XXXXXX";
  int fd = mkstemp(path);
  if (fd < 0) return 0;
  bool ok = write(fd, data, size) == (ssize_t)size;
  close(fd);
  RAROpenArchiveDataEx arc = {};
  arc.ArcName = path;
  arc.OpenMode = RAR_OM_EXTRACT;        /* run the decoders, not just list headers */
  HANDLE h = ok ? RAROpenArchiveEx(&arc) : nullptr;
  if (h != nullptr) {
    RARHeaderDataEx hdr = {};
    /* RAR_TEST unpacks and checksums every entry without writing it to disk. */
    while (RARReadHeaderEx(h, &hdr) == ERAR_SUCCESS &&
           RARProcessFile(h, RAR_TEST, nullptr, nullptr) == ERAR_SUCCESS) {}
    RARCloseArchive(h);
  }
  unlink(path);
  return 0;
}
Save this as fuzz_target.cc. Build the unrar source tree as a library (the makefile's lib target) with clang++ and -fsanitize=fuzzer-no-link,address,undefined, compile this file with the same sanitizer flags plus -fsanitize=fuzzer and -D_UNIX (dll.hpp needs it to define HANDLE on non-Windows builds), link the two, and you have a working starting point. Note that the callback in dll.hpp delivers extracted data and volume/password prompts; it is not a way to feed archive bytes from memory, which is why the harness goes through a temp file.
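A fuzzer given an empty corpus spends its first hours rediscovering the RAR signature and vint header layout. The following is an added example for this page (not code from the UnRAR project): it writes a minimal, well-formed RAR5 seed archive (signature, main header, one stored file, end-of-archive header) following the published RAR 5.0 format description, plus an AFL++ dictionary of the two signatures and the RAR5 header-type bytes. The output file names are arbitrary assumptions. The CRC check on each block is the same test UnRAR applies before trusting any header field, so block_crc_ok doubles as a tiny reference parser.

```cpp
// Added example for this page (not UnRAR project code): emits a minimal
// well-formed RAR5 seed archive per the RAR 5.0 format spec, plus an AFL++
// dictionary. The output file names are arbitrary assumptions.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Standard CRC32 (reflected poly 0xEDB88320): RAR's header checksum, and its
// file checksum when BLAKE2sp is not selected.
static uint32_t crc32_ieee(const uint8_t *p, size_t n) {
  uint32_t c = 0xFFFFFFFFu;
  for (size_t i = 0; i < n; i++) {
    c ^= p[i];
    for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
  }
  return ~c;
}

// RAR5 vint: little-endian base-128, high bit set on all but the last byte.
static void put_vint(Bytes &out, uint64_t v) {
  while (v >= 0x80) { out.push_back(uint8_t(v | 0x80)); v >>= 7; }
  out.push_back(uint8_t(v));
}
static void put_u32le(Bytes &o, uint32_t v) { for (int i = 0; i < 4; i++) o.push_back(uint8_t(v >> (8 * i))); }
static void append(Bytes &d, const Bytes &s) { d.insert(d.end(), s.begin(), s.end()); }

// A RAR5 block is CRC32 || vint(size) || body (body starts at the header-type
// field). The size counts only the body; the CRC covers size field and body.
static Bytes rar5_block(const Bytes &body) {
  Bytes sized, out;
  put_vint(sized, body.size());
  append(sized, body);
  put_u32le(out, crc32_ieee(sized.data(), sized.size()));
  append(out, sized);
  return out;
}

// Minimal archive: signature, main header, one stored file, end header.
static Bytes build_rar5_seed(const std::string &name, const std::string &content) {
  static const uint8_t kSig[8] = {'R', 'a', 'r', '!', 0x1A, 0x07, 0x01, 0x00};
  Bytes arc(kSig, kSig + 8);
  const uint8_t *cp = reinterpret_cast<const uint8_t *>(content.data());

  Bytes mhdr;                       // type 1: main archive header
  put_vint(mhdr, 1);
  put_vint(mhdr, 0);                // header flags: no extra area, no data area
  put_vint(mhdr, 0);                // archive flags: not volume/solid/locked
  append(arc, rar5_block(mhdr));

  Bytes fhdr;                       // type 2: file header
  put_vint(fhdr, 2);
  put_vint(fhdr, 0x0002);           // header flags: data area present
  put_vint(fhdr, content.size());   // data area size
  put_vint(fhdr, 0x0004);           // file flags: CRC32 present, no mtime
  put_vint(fhdr, content.size());   // unpacked size
  put_vint(fhdr, 0);                // attributes
  put_u32le(fhdr, crc32_ieee(cp, content.size()));
  put_vint(fhdr, 0);                // compression info: version 0, method 0 (store)
  put_vint(fhdr, 1);                // host OS: 1 = Unix
  put_vint(fhdr, name.size());
  fhdr.insert(fhdr.end(), name.begin(), name.end());
  append(arc, rar5_block(fhdr));
  arc.insert(arc.end(), content.begin(), content.end());   // data area

  Bytes ehdr;                       // type 5: end of archive
  put_vint(ehdr, 5); put_vint(ehdr, 0);   // type, header flags
  put_vint(ehdr, 0);                // end flags: 0 = last volume
  append(arc, rar5_block(ehdr));
  return arc;
}

// Re-parse the block at `off` and verify its CRC; false on any inconsistency.
static bool block_crc_ok(const Bytes &arc, size_t off) {
  if (off + 5 > arc.size()) return false;
  uint32_t stored = 0;
  for (int i = 0; i < 4; i++) stored |= uint32_t(arc[off + i]) << (8 * i);
  size_t p = off + 4, size = 0, shift = 0;
  do { size |= size_t(arc[p] & 0x7F) << shift; shift += 7; }
  while ((arc[p++] & 0x80) && p < arc.size());
  size_t covered = (p - off - 4) + size;        // size field plus body
  if (off + 4 + covered > arc.size()) return false;
  return crc32_ieee(&arc[off + 4], covered) == stored;
}

int main() {
  Bytes seed = build_rar5_seed("seed.txt", "hello");
  FILE *f = std::fopen("seed_min.rar", "wb");
  if (!f || std::fwrite(seed.data(), 1, seed.size(), f) != seed.size()) return 1;
  std::fclose(f);
  FILE *d = std::fopen("rar.dict", "w");   // AFL++ -x / libFuzzer -dict= file
  if (!d) return 1;
  std::fputs("sig_rar5=\"Rar!\\x1a\\x07\\x01\\x00\"\nsig_rar4=\"Rar!\\x1a\\x07\\x00\"\n"
             "hdr_main=\"\\x01\"\nhdr_file=\"\\x02\"\nhdr_service=\"\\x03\"\n"
             "hdr_crypt=\"\\x04\"\nhdr_end=\"\\x05\"\n", d);
  return std::fclose(d) == 0 ? 0 : 1;
}
```

Drop seed_min.rar into the input directory and pass the dictionary with afl-fuzz -x rar.dict or libFuzzer's -dict=rar.dict. Because the main and end headers are only three bytes of body each, mutations that flip a header type, stretch a vint, or lie about the data area size land in the header parser on the first generation rather than being rejected at the signature check. Add a few real archives produced by rar (RAR4, RAR5, solid, multi-volume, encrypted) alongside it to reach the decoders.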
Notable CVEs
- CVE-2022-30333: path traversal during extraction on Unix. An archive that first drops a symbolic link can make a later entry write outside the extraction directory; fixed in UnRAR 6.12 and exploited in the wild against Zimbra. A crash-only harness using RAR_TEST cannot see this class of bug; catching it means extracting into a scratch directory with RAR_EXTRACT and asserting that nothing lands outside it.