Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 1 | libarchive-3.3.2: Fix CVE-2017-14166 |
| 2 | |
| 3 | [No upstream tracking] -- https://github.com/libarchive/libarchive/pull/935 |
| 4 | |
| 5 | archive_read_support_format_xar: heap-based buffer overflow in xml_data |
| 6 | |
| 7 | Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71] |
| 8 | CVE: CVE-2017-14166 |
| 9 | Bug: 935 |
| 10 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> |
| 11 | |
| 12 | diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c |
| 13 | index 7a22beb..93eeacc 100644 |
| 14 | --- a/libarchive/archive_read_support_format_xar.c |
| 15 | +++ b/libarchive/archive_read_support_format_xar.c |
| 16 | @@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt) |
| 17 | uint64_t l; |
| 18 | int digit; |
| 19 | |
| 20 | + if (char_cnt == 0) |
| 21 | + return (0); |
| 22 | + |
| 23 | l = 0; |
| 24 | digit = *p - '0'; |
| 25 | while (digit >= 0 && digit < 10 && char_cnt-- > 0) { |
| 26 | @@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt) |
| 27 | { |
| 28 | int64_t l; |
| 29 | int digit; |
| 30 | - |
| 31 | + |
| 32 | + if (char_cnt == 0) |
| 33 | + return (0); |
| 34 | + |
| 35 | l = 0; |
| 36 | while (char_cnt-- > 0) { |
| 37 | if (*p >= '0' && *p <= '7') |