Fix a possible heap-buffer-overflow in archive_string_append_from_wcs()
When we grow the archive_string buffer, we have to make sure it fits
at least one maximum-sized multibyte character in the current locale
and the null character.

Fixes #1298
mmatuska committed Dec 28, 2019
1 parent fbd0e40 commit 4f085ee
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions libarchive/archive_string.c
Expand Up @@ -75,6 +75,9 @@ __FBSDID("$FreeBSD: head/lib/libarchive/archive_string.c 201095 2009-12-28 02:33
#define wmemmove(a,b,i) (wchar_t *)memmove((a), (b), (i) * sizeof(wchar_t))
#endif

#undef max
#define max(a, b) ((a)>(b)?(a):(b))

struct archive_string_conv {
struct archive_string_conv *next;
char *from_charset;
Expand Down Expand Up @@ -804,7 +807,8 @@ archive_string_append_from_wcs(struct archive_string *as,
as->s[as->length] = '\0';
/* Re-allocate buffer for MBS. */
if (archive_string_ensure(as,
as->length + len * 2 + 1) == NULL)
as->length + max(len * 2,
(size_t)MB_CUR_MAX) + 1) == NULL)
return (-1);
p = as->s + as->length;
end = as->s + as->buffer_length - MB_CUR_MAX -1;
Expand Down Expand Up @@ -3446,7 +3450,8 @@ strncat_from_utf8_libarchive2(struct archive_string *as,
as->length = p - as->s;
/* Re-allocate buffer for MBS. */
if (archive_string_ensure(as,
as->length + len * 2 + 1) == NULL)
as->length + max(len * 2,
(size_t)MB_CUR_MAX) + 1) == NULL)
return (-1);
p = as->s + as->length;
end = as->s + as->buffer_length - MB_CUR_MAX -1;
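Review bot: The new size argument is what keeps the `end = as->s + as->buffer_length - MB_CUR_MAX -1;` line below from pointing before `as->s + as->length` when `len * 2` is smaller than MB_CUR_MAX, but nothing at the call site records that coupling, so a later edit to either line could reintroduce the out-of-bounds write this commit fixes. Suggest a comment above the archive_string_ensure call, here and at the matching site in strncat_from_utf8_libarchive2: `/* Reserve room for at least one MB_CUR_MAX-byte character plus the NUL, so that 'end' below never precedes 'p'. */`. Note also that the `max` macro added in the first hunk evaluates both operands twice; neither `len * 2` nor `(size_t)MB_CUR_MAX` has side effects, but on implementations where MB_CUR_MAX expands to a function call it is now called twice per resize, which is harmless but worth knowing. The loop that advances `p` up to `end` and regrows the buffer lies outside the hunk, so whether every write path honours that bound cannot be confirmed from here.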

