The fuzz tester uncovered an infinite loop in the recovery code that

searches forward for the next undamaged cpio header.  This occurred
when the number of bytes returned by the next read operation happened
to be exactly the size of a cpio header.  In this case, an off-by-one
error caused this code to decide that it didn't have enough bytes to
examine and then to loop around and ask for the exact same bytes again.

SVN-Revision: 1686

diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
index 3c96ecfce1349bcd07700ecda2c869741653bdf2..2cb719b3ec183d16623094d127cad54c751ecac1 100644 (file)
--- a/libarchive/archive_read_support_format_cpio.c
+++ b/libarchive/archive_read_support_format_cpio.c
@@ -356,7 +356,7 @@ find_newc_header(struct archive_read *a)
                 * Scan ahead until we find something that looks
                 * like an odc header.
                 */
-               while (p + sizeof(struct cpio_newc_header) < q) {
+               while (p + sizeof(struct cpio_newc_header) <= q) {
                        switch (p[5]) {
                        case '1':
                        case '2':
@@ -490,7 +490,7 @@ find_odc_header(struct archive_read *a)
                 * Scan ahead until we find something that looks
                 * like an odc header.
                 */
-               while (p + sizeof(struct cpio_odc_header) < q) {
+               while (p + sizeof(struct cpio_odc_header) <= q) {
                        switch (p[5]) {
                        case '7':
                                if (memcmp("070707", p, 6) == 0