Overview

File CVE-2015-8921.patch of Package libarchive.9088

commit 1cbc76faffb79a99c6009a1816736f73b4a3632a
Author: Tim Kientzle <kientzle@acm.org>
Date:   Sat Feb 7 12:59:39 2015 -0800

    Issue 404: Read past end of string parsing fflags

Index: libarchive-3.1.2/libarchive/archive_entry.c
===================================================================
--- libarchive-3.1.2.orig/libarchive/archive_entry.c
+++ libarchive-3.1.2/libarchive/archive_entry.c
@@ -121,15 +121,6 @@ static const wchar_t	*ae_wcstofflags(con
 static const char	*ae_strtofflags(const char *stringp,
 		    unsigned long *setp, unsigned long *clrp);
 
-#ifndef HAVE_WCSCPY
-static wchar_t * wcscpy(wchar_t *s1, const wchar_t *s2)
-{
-	wchar_t *dest = s1;
-	while ((*s1 = *s2) != L'\0')
-		++s1, ++s2;
-	return dest;
-}
-#endif
 #ifndef HAVE_WCSLEN
 static size_t wcslen(const wchar_t *s)
 {
@@ -1593,14 +1584,17 @@ ae_strtofflags(const char *s, unsigned l
 		while (*end != '\0'  &&  *end != '\t'  &&
 		    *end != ' '  &&  *end != ',')
 			end++;
+		size_t length = end - start;
 		for (flag = flags; flag->name != NULL; flag++) {
-			if (memcmp(start, flag->name, end - start) == 0) {
+			size_t flag_length = strlen(flag->name);
+			if (length == flag_length
+			    && memcmp(start, flag->name, length) == 0) {
 				/* Matched "noXXXX", so reverse the sense. */
 				clear |= flag->set;
 				set |= flag->clear;
 				break;
-			} else if (memcmp(start, flag->name + 2, end - start)
-			    == 0) {
+			} else if (length == flag_length - 2
+			    && memcmp(start, flag->name + 2, length) == 0) {
 				/* Matched "XXXX", so don't reverse. */
 				set |= flag->set;
 				clear |= flag->clear;
@@ -1657,14 +1651,17 @@ ae_wcstofflags(const wchar_t *s, unsigne
 		while (*end != L'\0'  &&  *end != L'\t'  &&
 		    *end != L' '  &&  *end != L',')
 			end++;
+		size_t length = end - start;
 		for (flag = flags; flag->wname != NULL; flag++) {
-			if (wmemcmp(start, flag->wname, end - start) == 0) {
+			size_t flag_length = wcslen(flag->wname);
+			if (length == flag_length
+			    && wmemcmp(start, flag->wname, length) == 0) {
 				/* Matched "noXXXX", so reverse the sense. */
 				clear |= flag->set;
 				set |= flag->clear;
 				break;
-			} else if (wmemcmp(start, flag->wname + 2, end - start)
-			    == 0) {
+			} else if (length == flag_length - 2
+			    && wmemcmp(start, flag->wname + 2, length) == 0) {
 				/* Matched "XXXX", so don't reverse. */
 				set |= flag->set;
 				clear |= flag->clear;
openSUSE Build Service is sponsored by
Places