authorTim Kientzle <kientzle@gmail.com>2009-11-29 18:09:46 -0500
committerTim Kientzle <kientzle@gmail.com>2009-11-29 18:09:46 -0500
commit1a87077bc90de89f3ee31c53f70d46e800ab6db3 (patch)
tree7fd4ab285b7f59e4163f41dfc81cd66b0c0db57c /libarchive/archive_read_support_format_cpio.c
parentfaed5b81c58a78ab359ae32be5504184f25a8590 (diff)
The fuzz tester uncovered an infinite loop in the recovery code that
searches forward for the next undamaged cpio header. This occurred when the number of bytes returned by the next read operation happened to be exactly the size of a cpio header. In this case, an off-by-one error caused this code to decide that it didn't have enough bytes to examine and then to loop around and ask for the exact same bytes again. SVN-Revision: 1686
Diffstat (limited to 'libarchive/archive_read_support_format_cpio.c')
-rw-r--r--libarchive/archive_read_support_format_cpio.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
index 3c96ecfc..2cb719b3 100644
--- a/libarchive/archive_read_support_format_cpio.c
+++ b/libarchive/archive_read_support_format_cpio.c
@@ -356,7 +356,7 @@ find_newc_header(struct archive_read *a)
* Scan ahead until we find something that looks
* like an odc header.
*/
- while (p + sizeof(struct cpio_newc_header) < q) {
+ while (p + sizeof(struct cpio_newc_header) <= q) {
switch (p[5]) {
case '1':
case '2':
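Review bot: The comment directly above the changed loop condition still says "like an odc header" although this hunk is inside find_newc_header; the newc scan should read `* like a newc header.` so the two recovery loops are not confused when the next bound bug is chased. On the condition itself, `p + sizeof(struct cpio_newc_header) <= q` forms a pointer that can lie beyond the end of the read-ahead buffer before it is compared, which is technically out-of-range pointer arithmetic in C even when the comparison then fails; expressing the bound as a length, `while ((size_t)(q - p) >= sizeof(struct cpio_newc_header))`, keeps the same bytes-remaining check without forming that pointer, assuming p and q are set up outside the hunk as start and one-past-end of the same buffer. The same form is used by the find_odc_header loop in the second hunk. The loop body, including the advance of p and the consumption of the read-ahead, is outside this hunk.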
@@ -490,7 +490,7 @@ find_odc_header(struct archive_read *a)
* Scan ahead until we find something that looks
* like an odc header.
*/
- while (p + sizeof(struct cpio_odc_header) < q) {
+ while (p + sizeof(struct cpio_odc_header) <= q) {
switch (p[5]) {
case '7':
if (memcmp("070707", p, 6) == 0