From 0a90960f446ebaf062244afbc626546b14689e0a Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Tue, 6 Feb 2018 17:39:45 +0100
Subject: ar: hopefully fix out-of-bounds read in get_header_ar()

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882175

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
---
 archival/libarchive/get_header_ar.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'archival')

diff --git a/archival/libarchive/get_header_ar.c b/archival/libarchive/get_header_ar.c
index 1809ec396..93e071c9f 100644
--- a/archival/libarchive/get_header_ar.c
+++ b/archival/libarchive/get_header_ar.c
@@ -83,7 +83,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle)
 			 */
 			ar_long_name_size = size;
 			free(ar_long_names);
-			ar_long_names = xmalloc(size);
+			ar_long_names = xzalloc(size + 1);
 			xread(archive_handle->src_fd, ar_long_names, size);
 			archive_handle->offset += size;
 			/* Return next header */
@@ -107,7 +107,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle)
 		unsigned long_offset;
 
 		/* The number after the '/' indicates the offset in the ar data section
-		 * (saved in ar_long_names) that conatains the real filename */
+		 * (saved in ar_long_names) that contains the real filename */
 		long_offset = read_num(&ar.formatted.name[1], 10,
 				       sizeof(ar.formatted.name) - 1);
 		if (long_offset >= ar_long_name_size) {
-- 
cgit v1.2.3