diff options
| author | Joerg Sonnenberger <joerg@bec.de> | 2016-12-02 12:00:28 +0100 |
|---|---|---|
| committer | Joerg Sonnenberger <joerg@bec.de> | 2016-12-02 12:00:28 +0100 |
| commit | 4fab664f66ea507225587417a3d896440436d894 (patch) | |
| tree | 5c4643ba0116b287d2e184a49d92ee9bd481f974 /libarchive/archive_read_support_filter_uu.c | |
| parent | 53d73345410d69e68171f05facaf4523e38e72bb (diff) | |
| download | libarchive-4fab664f66ea507225587417a3d896440436d894.tar.gz | |
Dramatically simplify loop and avoid a read-beyond-buffer issue.
Triggered by OSS-fuzz reports.
Diffstat (limited to 'libarchive/archive_read_support_filter_uu.c')
| -rw-r--r-- | libarchive/archive_read_support_filter_uu.c | 30 |
1 files changed, 7 insertions, 23 deletions
diff --git a/libarchive/archive_read_support_filter_uu.c b/libarchive/archive_read_support_filter_uu.c index f0fc1487..335d15d5 100644 --- a/libarchive/archive_read_support_filter_uu.c +++ b/libarchive/archive_read_support_filter_uu.c @@ -320,30 +320,14 @@ uudecode_bidder_bid(struct archive_read_filter_bidder *self, if (l > 45) /* Normally, maximum length is 45(character 'M'). */ return (0); - while (l && len-nl > 0) { - if (l > 0) { - if (!uuchar[*b++]) - return (0); - if (!uuchar[*b++]) - return (0); - len -= 2; - --l; - } - if (l > 0) { - if (!uuchar[*b++]) - return (0); - --len; - --l; - } - if (l > 0) { - if (!uuchar[*b++]) - return (0); - --len; - --l; - } + if (l > len - nl) + return (0); /* Line too short. */ + while (l) { + if (!uuchar[*b++]) + return (0); + --len; + --l; } - if (len-nl < 0) - return (0); if (len-nl == 1 && (uuchar[*b] || /* Check sum. */ (*b >= 'a' && *b <= 'z'))) {/* Padding data(MINIX). */ |