libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block). Reference: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32375
Created libarchive tracking bugs for this issue: Affects: fedora-all [bug 1984647] Created mingw-libarchive tracking bugs for this issue: Affects: fedora-all [bug 1984648]
This appears to not have been reported upstream. Attaching a patch that adds the test against the first upstream affected commit (47bb8187). Running that test with asan results in UAF .. but the UAF region was allocated by the previous test, so it looks like something not initialized properly when reading the reproducer.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-36976