From: Tobias Stoeckmann
Date: Tue, 21 Apr 2026 16:46:28 +0000 (+0200)
Subject: iso9660: Fix OOB in Joliet ID generation
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9d2cc5e07013d1af794e41ddbfac79da906d5f9;p=thirdparty%2Flibarchive.git
iso9660: Fix OOB in Joliet ID generation
Allocate enough memory for possible addition of 3 characters within the range of 0-Z. Since UTF-16 is in use, allocate 6 bytes + 2 bytes for the terminating NUL character. Also keep in mind that "l" is already size in bytes, which means that a multiplication of 2 is not needed (and prevented overflow issues with longer filenames). Resolves #2935.
Signed-off-by: Tobias Stoeckmann
---
diff --git a/libarchive/archive_write_set_format_iso9660.c b/libarchive/archive_write_set_format_iso9660.c
index 576b3ba52..4a17a49fd 100644
--- a/libarchive/archive_write_set_format_iso9660.c
+++ b/libarchive/archive_write_set_format_iso9660.c
@@ -6261,6 +6261,8 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
 static const struct archive_rb_tree_ops rb_ops = { isoent_cmp_node_joliet, isoent_cmp_key_joliet };
+ const int num_size = 6;
+ const int null_size = 2;
 if (isoent->children.cnt == 0) return (0);
@@ -6271,7 +6273,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
 else ffmax = 128;
- r = idr_start(a, idr, isoent->children.cnt, (int)ffmax, 6, 2, &rb_ops);
+ r = idr_start(a, idr, isoent->children.cnt, (int)ffmax, num_size, null_size, &rb_ops);
 if (r < 0) return (r);
@@ -6287,7 +6289,7 @@ isoent_gen_joliet_identifier(struct archive_write *a, struct isoent *isoent,
 if ((l = np->file->basename_utf16.length) > ffmax) l = ffmax;
- p = malloc((l+1)*2);
+ p = malloc(l + num_size + null_size);
 if (p == NULL) { archive_set_error(&a->archive, ENOMEM, "Can't allocate memory");
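Review bot: The two constants added in the first hunk (`num_size`, `null_size`) carry the whole sizing invariant of this fix but have no comment, so the reason for 6 and 2 lives only in the commit message. A comment above them such as `/* Bytes idr may append: up to 3 UTF-16 characters (0-Z) = 6, plus a 2-byte UTF-16 NUL. */` would help keep the values passed to idr_start() in the second hunk and the malloc() size in the third hunk from drifting apart. `nul_size` would also be a more precise name than `null_size`, since it counts terminator bytes rather than a null pointer. The function body starts and ends outside the hunk.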
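Review bot: In the third hunk, `malloc(l + num_size + null_size)` is only correct because `l` is a byte count already clamped to `ffmax` on the preceding lines, and nothing at the allocation says so. I would add `/* l is in bytes (UTF-16), clamped to ffmax; reserve room for the generated suffix and the NUL. */` above the malloc. The writes into `p` happen after the end of this hunk, so they cannot be checked against the new size from here. No regression test for #2935 is visible in this patch; one that runs the Joliet writer under AddressSanitizer would guard this allocation against a future resizing mistake.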