Przeglądaj źródła

libdpkg: Fix an off-by-one read access in ar member name variable

The problem here is that due to the previous loop the variable ‘i’ can
be -1 and thus the expression in the conditional reads invalid memory.

[guillem@debian.org:
 - Remove surrounding parenthesis. ]

Warned-by: afl
Signed-off-by: Guillem Jover <guillem@debian.org>
Stable-Candidate: 1.16.x 1.17.x
Hanno Böck 10 lat temu
rodzic
commit
c50e8dc2e9
2 zmienionych plików z 3 dodań i 1 usunięć
  1. 2 0
      debian/changelog
  2. 1 1
      lib/dpkg/ar.c

+ 2 - 0
debian/changelog

@@ -22,6 +22,8 @@ dpkg (1.18.4) UNRELEASED; urgency=medium
   * Fix an off-by-one write access in dpkg-deb when parsing the old format
     .deb control member size. Thanks to Hanno Böck <hanno@hboeck.de>.
     Fixes CVE-2015-0860.
+  * Fix an off-by-one read access in dpkg-deb when parsing ar member names.
+    Thanks to Hanno Böck <hanno@hboeck.de>.
   * Test suite:
     - Improve perl code test coverage.
   * Build system:

+ 1 - 1
lib/dpkg/ar.c

@@ -57,7 +57,7 @@ dpkg_ar_normalize_name(struct ar_hdr *arh)
 		name[i] = '\0';
 
 	/* Remove optional slash terminator (on GNU-style archives). */
-	if (name[i] == '/')
+	if (i >= 0 && name[i] == '/')
 		name[i] = '\0';
 }