diff options
Diffstat (limited to 'main/libarchive/CVE-2016-5844.patch')
-rw-r--r-- | main/libarchive/CVE-2016-5844.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/main/libarchive/CVE-2016-5844.patch b/main/libarchive/CVE-2016-5844.patch new file mode 100644 index 0000000000..ab7f649ef8 --- /dev/null +++ b/main/libarchive/CVE-2016-5844.patch @@ -0,0 +1,37 @@ +From 3ad08e01b4d253c66ae56414886089684155af22 Mon Sep 17 00:00:00 2001 +From: Tim Kientzle <kientzle@acm.org> +Date: Sun, 19 Jun 2016 14:34:37 -0700 +Subject: [PATCH] Issue 717: Fix integer overflow when computing location of + volume descriptor + +The multiplication here defaulted to 'int' but calculations +of file positions should always use int64_t. A simple cast +suffices to fix this since the base location is always 32 bits +for ISO, so multiplying by the sector size will never overflow +a 64-bit integer. +--- + libarchive/archive_read_support_format_iso9660.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c +index 6934cee..f41ba38 100644 +--- a/libarchive/archive_read_support_format_iso9660.c ++++ b/libarchive/archive_read_support_format_iso9660.c +@@ -1091,7 +1091,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660) + /* This condition is unlikely; by way of caution. */ + vd = &(iso9660->joliet); + +- skipsize = LOGICAL_BLOCK_SIZE * vd->location; ++ skipsize = LOGICAL_BLOCK_SIZE * (int64_t)vd->location; + skipsize = __archive_read_consume(a, skipsize); + if (skipsize < 0) + return ((int)skipsize); +@@ -1129,7 +1129,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660) + && iso9660->seenJoliet) { + /* Switch reading data from primary to joliet. */ + vd = &(iso9660->joliet); +- skipsize = LOGICAL_BLOCK_SIZE * vd->location; ++ skipsize = LOGICAL_BLOCK_SIZE * (int64_t)vd->location; + skipsize -= iso9660->current_position; + skipsize = __archive_read_consume(a, skipsize); + if (skipsize < 0) |