zip writer: don't append unused NUL for directories

This can result in a heap overflow dependening on the buffer allocation.
Simplify the path length calculation and avoid binary operands.

Based on PR #1255 from Will Wagner

diff --git a/libarchive/archive_write_set_format_zip.c b/libarchive/archive_write_set_format_zip.c
index 7fcd1a07b3f5fab6a341859b304808b1e6520bf2..f28a8c3a341f33c14d2389a3371c01734d05d5d1 100644 (file)
--- a/libarchive/archive_write_set_format_zip.c
+++ b/libarchive/archive_write_set_format_zip.c
@@ -1402,18 +1402,17 @@ path_length(struct archive_entry *entry)
 {
        mode_t type;
        const char *path;
+       size_t len;
 
        type = archive_entry_filetype(entry);
        path = archive_entry_pathname(entry);
 
        if (path == NULL)
                return (0);
-       if (type == AE_IFDIR &&
-           (path[0] == '\0' || path[strlen(path) - 1] != '/')) {
-               return strlen(path) + 1;
-       } else {
-               return strlen(path);
-       }
+       len = strlen(path);
+       if (type == AE_IFDIR && (path[0] == '\0' || path[len - 1] != '/'))
+               ++len; /* Space for the trailing / */
+       return len;
 }
 
 static int
@@ -1461,10 +1460,8 @@ copy_path(struct archive_entry *entry, unsigned char *p)
        memcpy(p, path, pathlen);
 
        /* Folders are recognized by a trailing slash. */
-       if ((type == AE_IFDIR) & (path[pathlen - 1] != '/')) {
+       if ((type == AE_IFDIR) && (path[pathlen - 1] != '/'))
                p[pathlen] = '/';
-               p[pathlen + 1] = '\0';
-       }
 }