File CVE-2016-10209.patch of Package libarchive.9133

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-10209.patch of Package libarchive.9133

commit 42a3408ac7df1e69bea9ea12b72e14f59f7400c0
Author: Martin Matuska <martin@matuska.org>
Date:   Mon Dec 26 22:23:24 2016 +0100

archive_strncat_l(): allocate and do not convert if length == 0
    
    This ensures e.g. that archive_mstring_copy_mbs_len_l() does not set
    aes_set = AES_SET_MBS with aes_mbs.s == NULL.
    
    Resolves possible null-pointer dereference reported by OSS-Fuzz.
    
    Reported-By:    OSS-Fuzz issue 286

diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
index 645570b2..bbb1e458 100644
--- a/libarchive/archive_string.c
+++ b/libarchive/archive_string.c
@@ -1939,12 +1939,19 @@ archive_strncat_l(struct archive_string *as, const void *_p, size_t n,
     struct archive_string_conv *sc)
 {
 	const void *s;
-	size_t length;
+	size_t length = 0;
 	int i, r = 0, r2;
 
+	if (_p != NULL && n > 0) {
+		if (sc != NULL && (sc->flag & SCONV_FROM_UTF16))
+			length = utf16nbytes(_p, n);
+		else
+			length = mbsnbytes(_p, n);
+	}
+
 	/* We must allocate memory even if there is no data for conversion
 	 * or copy. This simulates archive_string_append behavior. */
-	if (_p == NULL || n == 0) {
+	if (length == 0) {
 		int tn = 1;
 		if (sc != NULL && (sc->flag & SCONV_TO_UTF16))
 			tn = 2;
@@ -1960,16 +1967,11 @@ archive_strncat_l(struct archive_string *as, const void *_p, size_t n,
 	 * If sc is NULL, we just make a copy.
 	 */
 	if (sc == NULL) {
-		length = mbsnbytes(_p, n);
 		if (archive_string_append(as, _p, length) == NULL)
 			return (-1);/* No memory */
 		return (0);
 	}
 
-	if (sc->flag & SCONV_FROM_UTF16)
-		length = utf16nbytes(_p, n);
-	else
-		length = mbsnbytes(_p, n);
 	s = _p;
 	i = 0;
 	if (sc->nconverter > 1) {

Places

File CVE-2016-10209.patch of Package libarchive.9133

Places