Closed
Description
The software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference or, in some cases, even arbitrary code execution.
The vulnerability is here:
f = calloc(1, sizeof(*f));
f->archive = _a;
f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
In this file:
libarchive/archive_write.c
/*
* Allocate and return the next filter structure.
*/
struct archive_write_filter *
__archive_write_allocate_filter(struct archive *_a)
{
struct archive_write *a = (struct archive_write *)_a;
struct archive_write_filter *f;
f = calloc(1, sizeof(*f));
f->archive = _a;
f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
if (a->filter_first == NULL)
a->filter_first = f;
else
a->filter_last->next_filter = f;
a->filter_last = f;
return f;
}
Metadata
Metadata
Assignees
Labels
No labels