From: Martin Matuška <martin@matuska.de>
Date: Wed, 10 Sep 2025 08:22:58 +0000 (+0200)
Subject: Merge pull request #2710 from meecash/CVE-2025-25724-check_strftime_result
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=044dd7366824535679c597c67011500db6fae43f;p=thirdparty%2Flibarchive.git

Merge pull request #2710 from meecash/CVE-2025-25724-check_strftime_result

Fix CVE-2025-25724 by checking the result of the strftime

(cherry picked from commit 6bd863f61281aecf2e78737b08838d4a27cf1fcb)
---

diff --git a/tar/util.c b/tar/util.c
index c99f67797..5bad4345e 100644
--- a/tar/util.c
+++ b/tar/util.c
@@ -682,6 +682,7 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
 {
 	char			 tmp[100];
 	size_t			 w;
+	size_t			 sw;
 	const char		*p;
 	const char		*fmt;
 	time_t			 tim;
@@ -769,8 +770,8 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
 	ltime = localtime(&tim);
 #endif
 	if (ltime)
-		strftime(tmp, sizeof(tmp), fmt, ltime);
-	else
+		sw = strftime(tmp, sizeof(tmp), fmt, ltime);
+	if (!ltime || !sw)
 		sprintf(tmp, "-- -- ----");
 	fprintf(out, " %s ", tmp);
 	safe_fprintf(out, "%s", archive_entry_pathname(entry));