From: Denys Vlasenko
Date: Tue, 6 Feb 2018 16:39:45 +0000 (+0100)
Subject: ar: hopefully fix out-of-bounds read in get_header_ar()
X-Git-Tag: 1_29_0~263
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=0a90960f446ebaf062244afbc626546b14689e0a;p=oweals%2Fbusybox.git
ar: hopefully fix out-of-bounds read in get_header_ar()
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882175
Signed-off-by: Denys Vlasenko
---
diff --git a/archival/libarchive/get_header_ar.c b/archival/libarchive/get_header_ar.c
index 1809ec396..93e071c9f 100644
--- a/archival/libarchive/get_header_ar.c
+++ b/archival/libarchive/get_header_ar.c
@@ -83,7 +83,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle)
 */
 ar_long_name_size = size;
 free(ar_long_names);
- ar_long_names = xmalloc(size);
+ ar_long_names = xzalloc(size + 1);
 xread(archive_handle->src_fd, ar_long_names, size);
 archive_handle->offset += size;
 /* Return next header */
@@ -107,7 +107,7 @@ char FAST_FUNC get_header_ar(archive_handle_t *archive_handle)
 unsigned long_offset;
 /* The number after the '/' indicates the offset in the ar data section
- * (saved in ar_long_names) that conatains the real filename */
+ * (saved in ar_long_names) that contains the real filename */
 long_offset = read_num(&ar.formatted.name[1], 10, sizeof(ar.formatted.name) - 1);
 if (long_offset >= ar_long_name_size) {
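Review bot: The `+ 1` in `xzalloc(size + 1)` carries the whole fix, but nothing at the allocation says why it is there. The extra zeroed byte keeps the long-name table NUL-terminated, so a name read from any offset that passes the `long_offset >= ar_long_name_size` check in the later hunk cannot run past the buffer. I would add a comment on that line, e.g. `/* +1: table stays NUL-terminated even if the archive omits the terminator */`. `size` appears to come from the archive header, and its declaration and parsing are outside this hunk, so it is worth confirming it can never hold the maximum value of its type: `size + 1` would then wrap to 0 while `xread()` still writes `size` bytes. get_header_ar()'s body starts and ends outside the hunk.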