Fix a possible heap-buffer-overflow in archive_string_append_from_wcs()

When we grow the archive_string buffer, we have to make sure it fits
at least one maximum-sized multibyte character in the current locale
and the null character.

Fixes #1298

diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
index bd39c96f10700574d93ccd6c50763d9df97c87f1..399299ea631fb8725c92289127c6a6933a2e7e7c 100644 (file)
--- a/libarchive/archive_string.c
+++ b/libarchive/archive_string.c
@@ -75,6 +75,9 @@ __FBSDID("$FreeBSD: head/lib/libarchive/archive_string.c 201095 2009-12-28 02:33
 #define wmemmove(a,b,i)  (wchar_t *)memmove((a), (b), (i) * sizeof(wchar_t))
 #endif
 
+#undef max
+#define max(a, b)       ((a)>(b)?(a):(b))
+
 struct archive_string_conv {
        struct archive_string_conv      *next;
        char                            *from_charset;
@@ -804,7 +807,8 @@ archive_string_append_from_wcs(struct archive_string *as,
                        as->s[as->length] = '\0';
                        /* Re-allocate buffer for MBS. */
                        if (archive_string_ensure(as,
-                           as->length + len * 2 + 1) == NULL)
+                           as->length + max(len * 2,
+                           (size_t)MB_CUR_MAX) + 1) == NULL)
                                return (-1);
                        p = as->s + as->length;
                        end = as->s + as->buffer_length - MB_CUR_MAX -1;
@@ -3446,7 +3450,8 @@ strncat_from_utf8_libarchive2(struct archive_string *as,
                        as->length = p - as->s;
                        /* Re-allocate buffer for MBS. */
                        if (archive_string_ensure(as,
-                           as->length + len * 2 + 1) == NULL)
+                           as->length + max(len * 2,
+                           (size_t)MB_CUR_MAX) + 1) == NULL)
                                return (-1);
                        p = as->s + as->length;
                        end = as->s + as->buffer_length - MB_CUR_MAX -1;