aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenys Vlasenko <vda.linux@googlemail.com>2018-02-06 17:39:45 +0100
committerDenys Vlasenko <vda.linux@googlemail.com>2018-02-06 17:39:45 +0100
commit0a90960f446ebaf062244afbc626546b14689e0a (patch)
tree7702e80a14d2505407b0050556641e6a521e40d6
parent8d943175ceda0b5195a5956dadf7bd2c174df99f (diff)
downloadbusybox-0a90960f446ebaf062244afbc626546b14689e0a.tar.gz
ar: hopefully fix out-of-bounds read in get_header_ar()
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882175 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--archival/libarchive/get_header_ar.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/archival/libarchive/get_header_ar.c b/archival/libarchive/get_header_ar.c
index 1809ec396..93e071c9f 100644
--- a/archival/libarchive/get_header_ar.c
+++ b/archival/libarchive/get_header_ar.c
@@ -83,7 +83,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle)
*/
ar_long_name_size = size;
free(ar_long_names);
- ar_long_names = xmalloc(size);
+ ar_long_names = xzalloc(size + 1);
xread(archive_handle->src_fd, ar_long_names, size);
archive_handle->offset += size;
/* Return next header */
@@ -107,7 +107,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle)
unsigned long_offset;
/* The number after the '/' indicates the offset in the ar data section
- * (saved in ar_long_names) that conatains the real filename */
+ * (saved in ar_long_names) that contains the real filename */
long_offset = read_num(&ar.formatted.name[1], 10,
sizeof(ar.formatted.name) - 1);
if (long_offset >= ar_long_name_size) {