Fix possible heap-buffer-overflow in archive_string_append_from_wcs on Windows

Fix `archive_string_append_from_wcs_in_codepage` to account for the
already-used portion of the buffer when computing the size of the
remaining buffer for `WideCharToMultiByte` output.

diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
index 399299ea631fb8725c92289127c6a6933a2e7e7c..c77dcf52c25f050b2d56bb59c9d4697d03736d8c 100644 (file)
--- a/libarchive/archive_string.c
+++ b/libarchive/archive_string.c
@@ -744,7 +744,8 @@ archive_string_append_from_wcs_in_codepage(struct archive_string *as,
                        else
                                dp = &defchar_used;
                        count = WideCharToMultiByte(to_cp, 0, ws, wslen,
-                           as->s + as->length, (int)as->buffer_length-1, NULL, dp);
+                           as->s + as->length,
+                           (int)as->buffer_length - as->length - 1, NULL, dp);
                        if (count == 0 &&
                            GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
                                /* Expand the MBS buffer and retry. */