f871b21c89
CVE-2016-8687: Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename. CVE-2016-8688: The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c. CVE-2016-8689: The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote attackers to cause a denial of service (out-of-bounds read) via multiple EmptyStream attributes in a header in a 7zip archive. CVE-2016-10209: The archive_wstring_append_from_mbs function in archive_string.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file. CVE-2016-10349: The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. CVE-2016-10350: The archive_read_format_cab_read_header function in archive_read_support_format_cab.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. CVE-2017-5601: An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive. Add upstream patch fixing the following issue: CVE-2017-14166: libarchive 3.3.2 allows remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
43 lines
1.1 KiB
Diff
43 lines
1.1 KiB
Diff
From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001
|
|
From: Joerg Sonnenberger <joerg@bec.de>
|
|
Date: Tue, 5 Sep 2017 18:12:19 +0200
|
|
Subject: [PATCH] Do something sensible for empty strings to make fuzzers
|
|
happy.
|
|
|
|
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
|
---
|
|
Upstream status: commit fa7438a0ff
|
|
|
|
libarchive/archive_read_support_format_xar.c | 8 +++++++-
|
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
|
|
index 7a22beb9d8e4..93eeacc5e6eb 100644
|
|
--- a/libarchive/archive_read_support_format_xar.c
|
|
+++ b/libarchive/archive_read_support_format_xar.c
|
|
@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
|
|
uint64_t l;
|
|
int digit;
|
|
|
|
+ if (char_cnt == 0)
|
|
+ return (0);
|
|
+
|
|
l = 0;
|
|
digit = *p - '0';
|
|
while (digit >= 0 && digit < 10 && char_cnt-- > 0) {
|
|
@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
|
|
{
|
|
int64_t l;
|
|
int digit;
|
|
-
|
|
+
|
|
+ if (char_cnt == 0)
|
|
+ return (0);
|
|
+
|
|
l = 0;
|
|
while (char_cnt-- > 0) {
|
|
if (*p >= '0' && *p <= '7')
|
|
--
|
|
2.14.1
|
|
|