blob: e85fec40aaf803f32084832b69f56b940ff1ff3c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
libarchive-3.3.2: Fix CVE-2017-14166
[No upstream tracking] -- https://github.com/libarchive/libarchive/pull/935
archive_read_support_format_xar: heap-based buffer overflow in xml_data
Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71]
CVE: CVE-2017-14166
Bug: 935
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
index 7a22beb..93eeacc 100644
--- a/libarchive/archive_read_support_format_xar.c
+++ b/libarchive/archive_read_support_format_xar.c
@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
uint64_t l;
int digit;
+ if (char_cnt == 0)
+ return (0);
+
l = 0;
digit = *p - '0';
while (digit >= 0 && digit < 10 && char_cnt-- > 0) {
@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
{
int64_t l;
int digit;
-
+
+ if (char_cnt == 0)
+ return (0);
+
l = 0;
while (char_cnt-- > 0) {
if (*p >= '0' && *p <= '7')
|
