Commit 5b24ba6a authored by Salvatore Bonaccorso

archive_strncat_l(): allocate and do not convert if length == 0 (CVE-2016-10209)

Closes: #859456
parent 17d74cee
From: Martin Matuska <martin@matuska.org>
Date: Mon, 26 Dec 2016 22:23:24 +0100
Subject: archive_strncat_l(): allocate and do not convert if length == 0
Origin: https://github.com/libarchive/libarchive/commit/42a3408ac7df1e69bea9ea12b72e14f59f7400c0
Bug-Debian: https://bugs.debian.org/859456
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10209
Bug: https://github.com/libarchive/libarchive/issues/842
This ensures e.g. that archive_mstring_copy_mbs_len_l() does not set
aes_set = AES_SET_MBS with aes_mbs.s == NULL.
Resolves possible null-pointer dereference reported by OSS-Fuzz.
Reported-By: OSS-Fuzz issue 286
---
libarchive/archive_string.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
index 645570b2..bbb1e458 100644
--- a/libarchive/archive_string.c
+++ b/libarchive/archive_string.c
@@ -1939,12 +1939,19 @@ archive_strncat_l(struct archive_string *as, const void *_p, size_t n,
struct archive_string_conv *sc)
{
const void *s;
- size_t length;
+ size_t length = 0;
int i, r = 0, r2;
+ if (_p != NULL && n > 0) {
+ if (sc != NULL && (sc->flag & SCONV_FROM_UTF16))
+ length = utf16nbytes(_p, n);
+ else
+ length = mbsnbytes(_p, n);
+ }
+
/* We must allocate memory even if there is no data for conversion
* or copy. This simulates archive_string_append behavior. */
- if (_p == NULL || n == 0) {
+ if (length == 0) {
int tn = 1;
if (sc != NULL && (sc->flag & SCONV_TO_UTF16))
tn = 2;
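Review bot: The comment above the `if (length == 0)` check still describes only the "no data" case (`_p == NULL || n == 0`), but the new condition also fires for non-NULL, non-empty input whose measured length is zero (e.g. `mbsnbytes()` stopping at a leading NUL), which is the case the commit exists to handle; stating that widening protects the guard from being narrowed back to the old test later. I would extend the comment to `/* We must allocate memory even if there is no data for conversion or copy (NULL or empty input, or input whose measured length is 0). This simulates archive_string_append behavior. */`. Computing `length` up front here is also what makes the two recomputations removed in the second hunk redundant, so the two hunks are consistent with each other. The return that ends this branch and the rest of archive_strncat_l's body lie outside this hunk, so whether a zero-length but non-NULL `_p` is fully handled by the early allocation cannot be confirmed from these lines alone.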
@@ -1960,16 +1967,11 @@ archive_strncat_l(struct archive_string *as, const void *_p, size_t n,
* If sc is NULL, we just make a copy.
*/
if (sc == NULL) {
- length = mbsnbytes(_p, n);
if (archive_string_append(as, _p, length) == NULL)
return (-1);/* No memory */
return (0);
}
- if (sc->flag & SCONV_FROM_UTF16)
- length = utf16nbytes(_p, n);
- else
- length = mbsnbytes(_p, n);
s = _p;
i = 0;
if (sc->nconverter > 1) {
--
2.14.1