ar: hopefully fix out-of-bounds read in get_header_ar()

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882175 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
author: Denys Vlasenko <vda.linux@googlemail.com> 2018-02-06 17:39:45 +0100
committer: Denys Vlasenko <vda.linux@googlemail.com> 2018-02-06 17:39:45 +0100
commit: 0a90960f446ebaf062244afbc626546b14689e0a (patch)
tree: 7702e80a14d2505407b0050556641e6a521e40d6
parent: 8d943175ceda0b5195a5956dadf7bd2c174df99f (diff)
download: busybox-w32-0a90960f446ebaf062244afbc626546b14689e0a.tar.gz
busybox-w32-0a90960f446ebaf062244afbc626546b14689e0a.tar.bz2
busybox-w32-0a90960f446ebaf062244afbc626546b14689e0a.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/archival/libarchive/get_header_ar.c b/archival/libarchive/get_header_ar.c
index 1809ec396..93e071c9f 100644
--- a/archival/libarchive/get_header_ar.c
+++ b/archival/libarchive/get_header_ar.c
@@ -83,7 +83,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle)
                         */
                        ar_long_name_size = size;
                        free(ar_long_names);
-                        ar_long_names = xmalloc(size);
+                        ar_long_names = xzalloc(size + 1);
                        xread(archive_handle->src_fd, ar_long_names, size);
                        archive_handle->offset += size;
                        /* Return next header */
@@ -107,7 +107,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle)
                unsigned long_offset;
                /* The number after the '/' indicates the offset in the ar data section
-                 * (saved in ar_long_names) that conatains the real filename */
+                 * (saved in ar_long_names) that contains the real filename */
                long_offset = read_num(&ar.formatted.name[1], 10,
                                       sizeof(ar.formatted.name) - 1);
                if (long_offset >= ar_long_name_size) {
author	Denys Vlasenko <vda.linux@googlemail.com>	2018-02-06 17:39:45 +0100
committer	Denys Vlasenko <vda.linux@googlemail.com>	2018-02-06 17:39:45 +0100
commit	0a90960f446ebaf062244afbc626546b14689e0a (patch)
tree	7702e80a14d2505407b0050556641e6a521e40d6
parent	8d943175ceda0b5195a5956dadf7bd2c174df99f (diff)
download	busybox-w32-0a90960f446ebaf062244afbc626546b14689e0a.tar.gz busybox-w32-0a90960f446ebaf062244afbc626546b14689e0a.tar.bz2 busybox-w32-0a90960f446ebaf062244afbc626546b14689e0a.zip

diff --git a/archival/libarchive/get_header_ar.c b/archival/libarchive/get_header_ar.c index 1809ec396..93e071c9f 100644 --- a/archival/libarchive/get_header_ar.c +++ b/archival/libarchive/get_header_ar.c
@@ -83,7 +83,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle)
83	*/	83	*/
84	ar_long_name_size = size;	84	ar_long_name_size = size;
85	free(ar_long_names);	85	free(ar_long_names);
86	ar_long_names = xmalloc(size);	86	ar_long_names = xzalloc(size + 1);
87	xread(archive_handle->src_fd, ar_long_names, size);	87	xread(archive_handle->src_fd, ar_long_names, size);
88	archive_handle->offset += size;	88	archive_handle->offset += size;
89	/* Return next header */	89	/* Return next header */
@@ -107,7 +107,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle)
107	unsigned long_offset;	107	unsigned long_offset;
108		108
109	/* The number after the '/' indicates the offset in the ar data section	109	/* The number after the '/' indicates the offset in the ar data section
110	* (saved in ar_long_names) that conatains the real filename */	110	* (saved in ar_long_names) that contains the real filename */
111	long_offset = read_num(&ar.formatted.name[1], 10,	111	long_offset = read_num(&ar.formatted.name[1], 10,
112	sizeof(ar.formatted.name) - 1);	112	sizeof(ar.formatted.name) - 1);
113	if (long_offset >= ar_long_name_size) {	113	if (long_offset >= ar_long_name_size) {