mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-26 22:38:07 -05:00
45 lines
1.8 KiB
Diff
45 lines
1.8 KiB
Diff
|
Fixes this buffer overflow:
|
||
|
https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
|
||
|
|
||
|
Patch copied from upstream source repository:
|
||
|
https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
|
||
|
|
||
|
From e37b620fe8f14535d737e89a4dcabaed4517bf1a Mon Sep 17 00:00:00 2001
|
||
|
From: Tim Kientzle <kientzle@acm.org>
|
||
|
Date: Sun, 21 Aug 2016 10:51:43 -0700
|
||
|
Subject: [PATCH] Issue #767: Buffer overflow printing a filename
|
||
|
|
||
|
The safe_fprintf function attempts to ensure clean output for an
|
||
|
arbitrary sequence of bytes by doing a trial conversion of the
|
||
|
multibyte characters to wide characters -- if the resulting wide
|
||
|
character is printable then we pass through the corresponding bytes
|
||
|
unaltered, otherwise, we convert them to C-style ASCII escapes.
|
||
|
|
||
|
The stack trace in Issue #767 suggest that the 20-byte buffer
|
||
|
was getting overflowed trying to format a non-printable multibyte
|
||
|
character. This should only happen if there is a valid multibyte
|
||
|
character of more than 5 bytes that was unprintable. (Each byte
|
||
|
would get expanded to a four-charcter octal-style escape of the form
|
||
|
"\123" resulting in >20 characters for the >5 byte multibyte character.)
|
||
|
|
||
|
I've not been able to reproduce this, but have expanded the conversion
|
||
|
buffer to 128 bytes on the belief that no multibyte character set
|
||
|
has a single character of more than 32 bytes.
|
||
|
---
|
||
|
tar/util.c | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/tar/util.c b/tar/util.c
|
||
|
index 9ff22f2..2b4aebe 100644
|
||
|
--- a/tar/util.c
|
||
|
+++ b/tar/util.c
|
||
|
@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...)
|
||
|
}
|
||
|
|
||
|
/* If our output buffer is full, dump it and keep going. */
|
||
|
- if (i > (sizeof(outbuff) - 20)) {
|
||
|
+ if (i > (sizeof(outbuff) - 128)) {
|
||
|
outbuff[i] = '\0';
|
||
|
fprintf(f, "%s", outbuff);
|
||
|
i = 0;
|