archive_strncat_l(): allocate and do not convert if length == 0

This ensures e.g. that archive_mstring_copy_mbs_len_l() does not set
aes_set = AES_SET_MBS with aes_mbs.s == NULL.

Resolves possible null-pointer dereference reported by OSS-Fuzz.

Reported-By:	OSS-Fuzz issue 286

diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
index 645570b21c07d81908c956414c30a6be6e1a1822..bbb1e4585180da911b6e3e2fa3c8ca4086f5c65d 100644 (file)
--- a/libarchive/archive_string.c
+++ b/libarchive/archive_string.c
@@ -1939,12 +1939,19 @@ archive_strncat_l(struct archive_string *as, const void *_p, size_t n,
     struct archive_string_conv *sc)
 {
        const void *s;
-       size_t length;
+       size_t length = 0;
        int i, r = 0, r2;
 
+       if (_p != NULL && n > 0) {
+               if (sc != NULL && (sc->flag & SCONV_FROM_UTF16))
+                       length = utf16nbytes(_p, n);
+               else
+                       length = mbsnbytes(_p, n);
+       }
+
        /* We must allocate memory even if there is no data for conversion
         * or copy. This simulates archive_string_append behavior. */
-       if (_p == NULL || n == 0) {
+       if (length == 0) {
                int tn = 1;
                if (sc != NULL && (sc->flag & SCONV_TO_UTF16))
                        tn = 2;
@@ -1960,16 +1967,11 @@ archive_strncat_l(struct archive_string *as, const void *_p, size_t n,
         * If sc is NULL, we just make a copy.
         */
        if (sc == NULL) {
-               length = mbsnbytes(_p, n);
                if (archive_string_append(as, _p, length) == NULL)
                        return (-1);/* No memory */
                return (0);
        }
 
-       if (sc->flag & SCONV_FROM_UTF16)
-               length = utf16nbytes(_p, n);
-       else
-               length = mbsnbytes(_p, n);
        s = _p;
        i = 0;
        if (sc->nconverter > 1) {