author | Tim Kientzle <kientzle@gmail.com> | 2009-11-29 18:09:46 -0500 |
---|---|---|
committer | Tim Kientzle <kientzle@gmail.com> | 2009-11-29 18:09:46 -0500 |
commit | 1a87077bc90de89f3ee31c53f70d46e800ab6db3 (patch) | |
tree | 7fd4ab285b7f59e4163f41dfc81cd66b0c0db57c /libarchive/archive_read_support_format_cpio.c | |
parent | faed5b81c58a78ab359ae32be5504184f25a8590 (diff) | |
download | libarchive-1a87077bc90de89f3ee31c53f70d46e800ab6db3.tar.gz |
The fuzz tester uncovered an infinite loop in the recovery code that
searches forward for the next undamaged cpio header. This occurred
when the number of bytes returned by the next read operation happened
to be exactly the size of a cpio header. In this case, an off-by-one
error caused this code to decide that it didn't have enough bytes to
examine and then to loop around and ask for the exact same bytes again.
SVN-Revision: 1686
Diffstat (limited to 'libarchive/archive_read_support_format_cpio.c')
-rw-r--r-- | libarchive/archive_read_support_format_cpio.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c index 3c96ecfc..2cb719b3 100644 --- a/libarchive/archive_read_support_format_cpio.c +++ b/libarchive/archive_read_support_format_cpio.c @@ -356,7 +356,7 @@ find_newc_header(struct archive_read *a) * Scan ahead until we find something that looks * like an odc header. */ - while (p + sizeof(struct cpio_newc_header) < q) { + while (p + sizeof(struct cpio_newc_header) <= q) { switch (p[5]) { case '1': case '2': @@ -490,7 +490,7 @@ find_odc_header(struct archive_read *a) * Scan ahead until we find something that looks * like an odc header. */ - while (p + sizeof(struct cpio_odc_header) < q) { + while (p + sizeof(struct cpio_odc_header) <= q) { switch (p[5]) { case '7': if (memcmp("070707", p, 6) == 0 |
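Review bot: the `<` to `<=` change in find_newc_header is the right bound: the bytes the loop examines start at p and extend at most sizeof(struct cpio_newc_header) past it, so `p + sizeof(struct cpio_newc_header) <= q` is exactly the test that all of them lie inside [p, q), and the strict form wrongly rejected a buffer holding exactly one header, which with a reader that hands back the same chunk on the next call is the livelock the commit message describes. One nit in the unchanged context lines: the comment above this loop reads "like an odc header" although this function scans for a newc header; worth correcting while these lines are being touched. A regression test that drives the reader with a damaged archive so that the refill returns exactly sizeof(struct cpio_newc_header) bytes would keep this from coming back.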
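Review bot: same fix in find_odc_header, and the probe `memcmp("070707", p, 6)` stays in bounds under `p + sizeof(struct cpio_odc_header) <= q` because the six-byte magic is the first field of the header. Since both scanners repeat the identical loop shape and carried the identical off-by-one, a shared "at least one header's worth of bytes remains" check would keep the two from drifting apart again; failing that, a one-line comment on each loop stating that the header may end exactly at q would make the `<=` look intentional to the next reader.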
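As an added example (not libarchive's code; the struct newc_hdr and the functions scan_for_newc, make_chunk and recovery_rounds are this example's own stand-ins), a cut-down model of the scan loop fixed in both hunks: it shows that when the reader returns exactly one header's worth of bytes, the pre-fix `<` bound never examines the header and the recovery loop re-requests the same chunk forever, while the `<=` bound finds it on the first round.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for libarchive's cpio_newc_header (hypothetical struct for this
 * example): a real newc header is 110 ASCII bytes starting with "070701". */
struct newc_hdr { char c_magic[6]; char c_rest[104]; };

/* Scan [p, q) for an offset where a newc header could start.
 * strict == 1 reproduces the pre-fix bound (p + size < q),
 * strict == 0 the fixed bound (p + size <= q).
 * Returns the offset, or -1 when the scanner decides it needs more bytes. */
static long scan_for_newc(const unsigned char *buf, size_t len, int strict)
{
    const unsigned char *p = buf, *q = buf + len;
    while (strict ? (p + sizeof(struct newc_hdr) < q)
                  : (p + sizeof(struct newc_hdr) <= q)) {
        /* Same probe order as the scanner: cheap byte check, then the magic. */
        if (p[5] == '1' && memcmp(p, "070701", 6) == 0)
            return (long)(p - buf);
        p++;
    }
    return -1;
}

/* Constructed input: exactly one header's worth of bytes, header at offset 0,
 * which is the case the fuzzer hit. */
static void make_chunk(unsigned char *buf, size_t len)
{
    memset(buf, '0', len);
    memcpy(buf, "070701", 6);
}

/* Model of the recovery loop: scan, and on "need more" ask the reader again.
 * The reader here hands back the same header-sized chunk each time, as the
 * fuzz input made it do. Returns rounds taken, or max_rounds if the header
 * was never found (the pre-fix livelock). */
static int recovery_rounds(int strict, int max_rounds)
{
    unsigned char buf[sizeof(struct newc_hdr)];
    int rounds = 0;
    make_chunk(buf, sizeof buf);
    while (rounds < max_rounds) {
        rounds++;
        if (scan_for_newc(buf, sizeof buf, strict) >= 0)
            break;
    }
    return rounds;
}
```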