Skip 0-length ACL fields

Currently, it is possible to create an archive that crashes bsdtar with a malformed ACL: Program received signal SIGSEGV, Segmentation fault. archive_acl_from_text_l (acl=<optimised out>, text=0x7e2e92 "", want_type=<optimised out>, sc=<optimised out>) at libarchive/archive_acl.c:1726 1726 switch (*s) { (gdb) p n $1 = 1 (gdb) p field[n] $2 = {start = 0x0, end = 0x0} Stop this by checking that the length is not zero before beginning the switch statement. I am pretty sure this is the bug mentioned in the qsym paper [1], and I was able to replicate it with a qsym + AFL + afl-rb setup. [1] https://www.usenix.org/conference/usenixsecurity18/presentation/yun
libarchive · Dec 11, 2018 · 15bf44f · 15bf44f
1 parent bfcfe6f
commit 15bf44f
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c
@@ -1723,6 +1723,11 @@ archive_acl_from_text_l(struct archive_acl *acl, const char *text,
 			st = field[n].start + 1;
 			len = field[n].end - field[n].start;
 
+			if (len == 0) {
+				ret = ARCHIVE_WARN;
+				continue;
+			}
+
 			switch (*s) {
 			case 'u':
 				if (len == 1 || (len == 4