From 708e60ea4e16afb1d85da60dd73cb374a987653d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hanno=20B=C3=B6ck?=
Date: Thu, 19 Nov 2015 20:03:10 +0100
Subject: [PATCH 1/1] dpkg-deb: Fix off-by-one write access on ctrllenbuf variable

This affects old format .deb packages.

CVE: CVE-2015-0860
Warned-by: afl
Signed-off-by: Guillem Jover

Upstream-Status: Backport

Signed-off-by: Catalin Enache
---
 dpkg-deb/extract.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dpkg-deb/extract.c b/dpkg-deb/extract.c
index 5a9587a..e39fb35 100644
--- a/dpkg-deb/extract.c
+++ b/dpkg-deb/extract.c
@@ -247,7 +247,7 @@ extracthalf(const char *debar, const char *dir,
 if (errstr)
 ohshit(_("archive has invalid format version: %s"), errstr);
- r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf));
+ r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf) - 1);
 if (r < 0)
 read_fail(r, debar, _("archive control member size"));
 if (sscanf(ctrllenbuf, "%jd%c%d", &ctrllennum, &nlc, &dummy) != 2 ||
--
1.9.1
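Review bot: The `- 1` on the new read_line call is the whole fix, but nothing at the call site says why one byte is held back, so the next reader (or the next caller added) has no reason not to pass the full `sizeof(ctrllenbuf)` again. A one-line comment above the new line would pin the contract: `/* read_line() stores its terminating NUL at buf[max_size]; keep one byte free for it. */` — assuming, as the CVE description implies, that the terminator write is what overran the array. The check that follows still rejects only `r < 0`; if read_line can return 0 on end-of-file (read_fail taking the return value suggests it distinguishes that case), the sscanf on the following line would parse whatever ctrllenbuf happens to hold, and `if (r <= 0)` would close that — confirm read_line's return convention before changing it. Any other read_line caller in extracthalf that passes a plain sizeof (the version-line read just above this hunk, if it uses the same helper) deserves the same audit. extracthalf begins before and continues after this hunk.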