author: Tim Kientzle <kientzle@acm.org> 2016-08-21 10:51:43 -0700
committer: Tim Kientzle <kientzle@acm.org> 2016-08-21 10:57:20 -0700
commit: e37b620fe8f14535d737e89a4dcabaed4517bf1a (patch)
tree: a646d0875d64e41fcc7c169b04b36854c4c1adf7 /tar/util.c
parent: 36bb164e221a3a76488f2ceaf808db14de6f8ca4 (diff)
Issue #767: Buffer overflow printing a filename
The safe_fprintf function attempts to ensure clean output for an arbitrary sequence of bytes by doing a trial conversion of the multibyte characters to wide characters -- if the resulting wide character is printable then we pass through the corresponding bytes unaltered, otherwise, we convert them to C-style ASCII escapes.

The stack trace in Issue #767 suggests that the 20-byte buffer was getting overflowed trying to format a non-printable multibyte character. This should only happen if there is a valid multibyte character of more than 5 bytes that was unprintable. (Each byte would get expanded to a four-character octal-style escape of the form "\123" resulting in >20 characters for the >5 byte multibyte character.)

I've not been able to reproduce this, but have expanded the conversion buffer to 128 bytes on the belief that no multibyte character set has a single character of more than 32 bytes.
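The trial conversion and four-characters-per-byte expansion described in the commit message, as an added example that is not part of this commit or of libarchive: the hypothetical `escape_bytes()` helper sizes each write from the converted character's own length instead of a fixed margin. The helper name, its return convention and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>
/* escape_bytes() is a hypothetical helper, not libarchive's safe_fprintf().
 * Printable characters are copied; every other byte becomes a 4-char octal
 * escape. Returns the length written, or (size_t)-1 if dst is too small. */
size_t escape_bytes(char *dst, size_t dstsz, const char *src, size_t n)
{
	mbstate_t st;
	size_t o = 0;
	if (dstsz == 0)
		return (size_t)-1;
	memset(&st, 0, sizeof(st));
	while (n > 0) {
		wchar_t wc;
		size_t len = mbrtowc(&wc, src, n, &st);
		int printable = 0;
		if (len == (size_t)-1 || len == (size_t)-2 || len == 0) {
			len = 1;	/* invalid, truncated or NUL: escape one byte */
			memset(&st, 0, sizeof(st));
		} else if (iswprint((wint_t)wc)) {
			printable = 1;
		}
		/* Size the write from this character's own length. */
		size_t need = printable ? len : 4 * len;
		if (need >= dstsz - o)	/* need plus the NUL must fit */
			return (size_t)-1;
		if (printable) {
			memcpy(dst + o, src, len);
			o += len;
		} else {
			for (size_t k = 0; k < len; k++, o += 4)
				snprintf(dst + o, 5, "\\%03o",
				    (unsigned)(unsigned char)src[k]);
		}
		src += len;
		n -= len;
	}
	dst[o] = '\0';
	return o;
}

int main(void)
{
	char out[32];	/* input below is a constructed sample */
	if (escape_bytes(out, sizeof(out), "a\x01\xc3", 3) != (size_t)-1)
		puts(out);
	return 0;
}
```

A caller that must keep printing, as the code in this commit does, would flush its buffer and retry when the helper reports that the result does not fit.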
Diffstat (limited to 'tar/util.c')
-rw-r--r-- tar/util.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/tar/util.c b/tar/util.c
index 9ff22f2b..2b4aebe8 100644
--- a/tar/util.c
+++ b/tar/util.c
@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...)
}
/* If our output buffer is full, dump it and keep going. */
- if (i > (sizeof(outbuff) - 20)) {
+ if (i > (sizeof(outbuff) - 128)) {
outbuff[i] = '\0';
fprintf(f, "%s", outbuff);
i = 0;
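Review bot: The new margin in `if (i > (sizeof(outbuff) - 128))` is a bare constant whose derivation (an assumed 32-byte maximum character times four output characters per escaped byte, per the commit message) is not recorded in the code, and the comment above the check still only says the buffer is full. Suggest a named constant with a comment stating the assumed maximum character length, or checking the space the current character needs before it is written, so that correctness does not rest on that belief. Note also that 32 × 4 is exactly 128: if this check is the only guard, a character at the assumed maximum that starts at i == sizeof(outbuff) - 128 would leave no byte for the `outbuff[i] = '\0'` store, so one byte of slack beyond the expansion is worth adding.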