Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/external/bsd/libarchive/dist/libarchive Fix undefined behavi...



details:   https://anonhg.NetBSD.org/src/rev/9b5cb6ed2abb
branches:  trunk
changeset: 969679:9b5cb6ed2abb
user:      kamil <kamil%NetBSD.org@localhost>
date:      Thu Feb 27 10:35:08 2020 +0000

description:
Fix undefined behavior in archive_read_support_format_xar()

Cherry-pick upstream patch:

>From 2cfda000bc5159d46fd8ead7d1bd3ea1f66f7948 Mon Sep 17 00:00:00 2001
From: Martin Matuska <martin%matuska.org@localhost>
Date: Thu, 27 Feb 2020 01:54:19 +0100
Subject: [PATCH] XAR reader: initialize file_queue with 0 and memcpy() if
 allocated only

Fixes #1338

diffstat:

 external/bsd/libarchive/dist/libarchive/archive_read_support_format_xar.c |  17 +++++++--
 1 files changed, 13 insertions(+), 4 deletions(-)

diffs (44 lines):

diff -r fa586f6680c4 -r 9b5cb6ed2abb external/bsd/libarchive/dist/libarchive/archive_read_support_format_xar.c
--- a/external/bsd/libarchive/dist/libarchive/archive_read_support_format_xar.c Thu Feb 27 10:32:35 2020 +0000
+++ b/external/bsd/libarchive/dist/libarchive/archive_read_support_format_xar.c Thu Feb 27 10:35:08 2020 +0000
@@ -458,6 +458,11 @@
                return (ARCHIVE_FATAL);
        }
 
+       /* initialize xar->file_queue */
+       xar->file_queue.allocated = 0;
+       xar->file_queue.used = 0;
+       xar->file_queue.files = NULL;
+
        r = __archive_read_register_format(a,
            xar,
            "xar",
@@ -1221,10 +1226,12 @@
        /* Expand our pending files list as necessary. */
        if (heap->used >= heap->allocated) {
                struct xar_file **new_pending_files;
-               int new_size = heap->allocated * 2;
+               int new_size;
 
                if (heap->allocated < 1024)
                        new_size = 1024;
+               else
+                       new_size = heap->allocated * 2;
                /* Overflow might keep us from growing the list. */
                if (new_size <= heap->allocated) {
                        archive_set_error(&a->archive,
@@ -1238,9 +1245,11 @@
                            ENOMEM, "Out of memory");
                        return (ARCHIVE_FATAL);
                }
-               memcpy(new_pending_files, heap->files,
-                   heap->allocated * sizeof(new_pending_files[0]));
-               free(heap->files);
+               if (heap->allocated) {
+                       memcpy(new_pending_files, heap->files,
+                           heap->allocated * sizeof(new_pending_files[0]));
+                       free(heap->files);
+               }
                heap->files = new_pending_files;
                heap->allocated = new_size;
        }



Home | Main Index | Thread Index | Old Index