emo/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ar: hopefully fix out-of-bounds read in get_header_ar()

Browse Source 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882175

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Denys Vlasenko 2018-02-06 17:39:45 +01:00
parent 8d943175ce
commit 0a90960f44
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
archival/libarchive/get_header_ar.c
View File

@ -83,7 +83,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle)
*/ */
ar_long_name_size = size; ar_long_name_size = size;
free(ar_long_names); free(ar_long_names);
ar_long_names = xmalloc(size); ar_long_names = xzalloc(size + 1);
xread(archive_handle->src_fd, ar_long_names, size); xread(archive_handle->src_fd, ar_long_names, size);
archive_handle->offset += size; archive_handle->offset += size;
/* Return next header */ /* Return next header */
@ -107,7 +107,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle)
unsigned long_offset; unsigned long_offset;
/* The number after the '/' indicates the offset in the ar data section /* The number after the '/' indicates the offset in the ar data section
* (saved in ar_long_names) that conatains the real filename */ * (saved in ar_long_names) that contains the real filename */
long_offset = read_num(&ar.formatted.name[1], 10, long_offset = read_num(&ar.formatted.name[1], 10,
sizeof(ar.formatted.name) - 1); sizeof(ar.formatted.name) - 1);
if (long_offset >= ar_long_name_size) { if (long_offset >= ar_long_name_size) {