diff options
author | Denys Vlasenko | 2018-02-06 17:39:45 +0100 |
---|---|---|
committer | Denys Vlasenko | 2018-02-06 17:39:45 +0100 |
commit | 0a90960f446ebaf062244afbc626546b14689e0a (patch) | |
tree | 7702e80a14d2505407b0050556641e6a521e40d6 | |
parent | 8d943175ceda0b5195a5956dadf7bd2c174df99f (diff) | |
download | busybox-0a90960f446ebaf062244afbc626546b14689e0a.zip busybox-0a90960f446ebaf062244afbc626546b14689e0a.tar.gz |
ar: hopefully fix out-of-bounds read in get_header_ar()
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882175
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r-- | archival/libarchive/get_header_ar.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/archival/libarchive/get_header_ar.c b/archival/libarchive/get_header_ar.c index 1809ec3..93e071c 100644 --- a/archival/libarchive/get_header_ar.c +++ b/archival/libarchive/get_header_ar.c @@ -83,7 +83,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle) */ ar_long_name_size = size; free(ar_long_names); - ar_long_names = xmalloc(size); + ar_long_names = xzalloc(size + 1); xread(archive_handle->src_fd, ar_long_names, size); archive_handle->offset += size; /* Return next header */ @@ -107,7 +107,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle) unsigned long_offset; /* The number after the '/' indicates the offset in the ar data section - * (saved in ar_long_names) that conatains the real filename */ + * (saved in ar_long_names) that contains the real filename */ long_offset = read_num(&ar.formatted.name[1], 10, sizeof(ar.formatted.name) - 1); if (long_offset >= ar_long_name_size) { |