From: Tim Kientzle
Date: Sun, 29 Nov 2009 23:09:46 +0000 (-0500)
Subject: The fuzz tester uncovered an infinite loop in the recovery code that
X-Git-Tag: v2.8.0~130
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a87077bc90de89f3ee31c53f70d46e800ab6db3;p=thirdparty%2Flibarchive.git

The fuzz tester uncovered an infinite loop in the recovery code that searches forward for the next undamaged cpio header. This occurred when the number of bytes returned by the next read operation happened to be exactly the size of a cpio header. In this case, an off-by-one error caused this code to decide that it didn't have enough bytes to examine and then to loop around and ask for the exact same bytes again.

SVN-Revision: 1686
---
diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c index 3c96ecfce..2cb719b3e 100644 --- a/libarchive/archive_read_support_format_cpio.c +++ b/libarchive/archive_read_support_format_cpio.c @@ -356,7 +356,7 @@ find_newc_header(struct archive_read *a) * Scan ahead until we find something that looks * like an odc header. */ - while (p + sizeof(struct cpio_newc_header) < q) { + while (p + sizeof(struct cpio_newc_header) <= q) { switch (p[5]) { case '1': case '2': @@ -490,7 +490,7 @@ find_odc_header(struct archive_read *a) * Scan ahead until we find something that looks * like an odc header. */ - while (p + sizeof(struct cpio_odc_header) < q) { + while (p + sizeof(struct cpio_odc_header) <= q) { switch (p[5]) { case '7': if (memcmp("070707", p, 6) == 0
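Review bot: in the hunk at line 356 (find_newc_header) the comment above the loop still reads "like an odc header", which is the wording copied from find_odc_header; change it to "like a newc header" while this loop is being touched. The condition change itself is right: with `while (p + sizeof(struct cpio_newc_header) <= q)` a window that holds exactly one header's worth of bytes (p + sizeof == q) is now examined, whereas the old `<` made the loop exit without ruling out a single byte, so the caller re-requested the identical window, which is the spin the commit message describes.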
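Review bot: the hunk at line 490 (find_odc_header) is the same boundary fix and is correct for the same reason; the body only reads p[5] and `memcmp("070707", p, 6)`, six bytes that all lie inside a window of at least sizeof(struct cpio_odc_header) bytes starting at p. What the change lacks is a regression test: the commit message says the fuzz tester found the stall, so the triggering input, trimmed to a damaged region followed by exactly one header's worth of bytes, should go into the test suite so that a later edit cannot quietly bring the `<` back.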
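The off-by-one described in the commit message, reproduced in an added C example that is not libarchive's code: a toy scanner with a 16-byte header (an assumed length, not libarchive's struct size) that carries the "070707" magic from the diff, and a driver that emulates the recovery loop's "scan, discard what was ruled out, read again" cycle. The function names `find_header_in_window` and `recover`, the sample stream and the round limit are all constructed for this demo. The `inclusive` flag switches between the pre-fix `<` and the post-fix `<=`; on a window that is exactly one header long, the pre-fix condition rules out nothing and the driver would ask for the same bytes forever, which the driver reports as a stall instead of spinning.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy header: the six-byte magic "070707" plus padding.  The
 * length is an assumption for this demo, not libarchive's struct size. */
#define TOY_HDR_LEN 16
#define TOY_MAGIC   "070707"

/* Scan [p, q) for a position that could start a header.
 * Returns the offset of the match, or -1 when the remaining window is too
 * short for a whole header and the caller has to read more.
 *   inclusive == 0 : pre-fix condition  (p + len <  q)
 *   inclusive != 0 : post-fix condition (p + len <= q)
 * *examined (if non-NULL) receives the number of positions ruled out. */
static long find_header_in_window(const unsigned char *p, const unsigned char *q,
                                  int inclusive, size_t *examined)
{
    const unsigned char *start = p;
    while (inclusive ? (p + TOY_HDR_LEN <= q) : (p + TOY_HDR_LEN < q)) {
        if (p[5] == '7' && memcmp(TOY_MAGIC, p, 6) == 0) {
            if (examined) *examined = (size_t)(p - start);
            return (long)(p - start);
        }
        p++;
    }
    if (examined) *examined = (size_t)(p - start);
    return -1;
}

/* Emulates the recovery driver around that scan: present the unread bytes,
 * scan, and on "need more" discard the ruled-out prefix and ask the source
 * again.  The constructed source hands back everything it has on each call.
 * Returns the round in which the header was found, or -1 when a round makes
 * no progress (the same window would be requested forever). */
static int recover(const unsigned char *src, size_t len, int inclusive)
{
    size_t consumed = 0;
    for (int round = 1; round <= 8; round++) {
        size_t examined = 0;
        long off = find_header_in_window(src + consumed, src + len,
                                         inclusive, &examined);
        if (off >= 0)
            return round;
        if (examined == 0)
            return -1;          /* nothing ruled out: identical re-read */
        consumed += examined;
    }
    return -1;
}

/* Constructed sample: five bytes of damage, then exactly one toy header, so
 * the last window presented is exactly TOY_HDR_LEN bytes long. */
static const unsigned char sample_stream[] =
    "xxxxx"
    "070707" "0000000000";
#define SAMPLE_LEN (sizeof(sample_stream) - 1)   /* drop the string NUL */

int main(void)
{
    printf("pre-fix  '<' : %d\n", recover(sample_stream, SAMPLE_LEN, 0)); /* -1: stalls */
    printf("post-fix '<=': %d\n", recover(sample_stream, SAMPLE_LEN, 1)); /*  1: found  */
    return 0;
}
```

The driver's `examined == 0` check is the detection a defender wants around any resynchronisation loop: a read cycle that consumes nothing must fail loudly rather than repeat, so a hostile archive cannot pin a reader in place.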