From: Martin Matuska
Date: Wed, 25 Jan 2017 22:14:59 +0000 (+0100)
Subject: Avoid endless loop when parsing MSZIP signature in cab archives
X-Git-Tag: v3.3.0~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=937c6caffc165277cd1101cf57f312984014df81;p=thirdparty%2Flibarchive.git

Avoid endless loop when parsing MSZIP signature in cab archives

Reported-By: OSS-Fuzz issue 335
---

diff --git a/libarchive/archive_read_support_format_cab.c b/libarchive/archive_read_support_format_cab.c
index 2bdc1e285..e2f8c6b70 100644
--- a/libarchive/archive_read_support_format_cab.c
+++ b/libarchive/archive_read_support_format_cab.c
@@ -1495,6 +1495,8 @@ cab_read_ahead_cfdata_deflate(struct archive_read *a, ssize_t *avail)
 /* Cut out a tow-byte MSZIP signature(0x43, 0x4b). */
 if (mszip > 0) {
+ if (bytes_avail <= 0)
+ goto nomszip;
 if (bytes_avail <= mszip) {
 if (mszip == 2) {
 if (cab->stream.next_in[0] != 0x43)