iso9660: Fix OOB in Joliet ID generation

Allocate enough memory for possible addition of 3 characters within the
range of 0-Z. Since UTF-16 is in use, allocate 6 bytes + 2 bytes for the
terminating NUL character.

Also keep in mind that "l" is already size in bytes, which means that a
multiplication of 2 is not needed (and prevented overflow issues with
longer filenames).

Resolves #2935.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

diff --git a/libarchive/archive_write_set_format_iso9660.c b/libarchive/archive_write_set_format_iso9660.c
index 576b3ba52b0c7506b3e5bdc453dded1a5ff18fee..4a17a49fd4df4667599ddb6240c0ceea2f6ff82a 100644 (file)
--- a/libarchive/archive_write_set_format_iso9660.c
+++ b/libarchive/archive_write_set_format_iso9660.c
@@ -6261,6 +6261,8 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
        static const struct archive_rb_tree_ops rb_ops = {
                isoent_cmp_node_joliet, isoent_cmp_key_joliet
        };
+       const int num_size = 6;
+       const int null_size = 2;
 
        if (isoent->children.cnt == 0)
                return (0);
@@ -6271,7 +6273,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
        else
                ffmax = 128;
 
-       r = idr_start(a, idr, isoent->children.cnt, (int)ffmax, 6, 2, &rb_ops);
+       r = idr_start(a, idr, isoent->children.cnt, (int)ffmax, num_size, null_size, &rb_ops);
        if (r < 0)
                return (r);
 
@@ -6287,7 +6289,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
                if ((l = np->file->basename_utf16.length) > ffmax)
                        l = ffmax;
 
-               p = malloc((l+1)*2);
+               p = malloc(l + num_size + null_size);
                if (p == NULL) {
                        archive_set_error(&a->archive, ENOMEM,
                            "Can't allocate memory");