From: Sanjay Rawat <sanjayr@ymail.com>
Date: Wed, 20 May 2026 16:09:40 +0000 (+0200)
Subject: cpio: Fix UAF in error path
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d53db9de36893b6b0f1ea293712dcf7481febfbd;p=thirdparty%2Flibarchive.git

cpio: Fix UAF in error path

Add entry only after its full initialization into list. Otherwise the
error handling of a failing strdup would have to unlink the entry again.

Fixes: 16ad9310733e ("cpio reader: Validate pathname in record_hardlink")

Resolves #3053.
---

diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
index aa7b6aa89..047682eb0 100644
--- a/libarchive/archive_read_support_format_cpio.c
+++ b/libarchive/archive_read_support_format_cpio.c
@@ -1122,11 +1122,6 @@ record_hardlink(struct archive_read *a,
 		return (ARCHIVE_FATAL);
 	}
 
-	if (cpio->links_head != NULL)
-		cpio->links_head->previous = le;
-	le->next = cpio->links_head;
-	le->previous = NULL;
-	cpio->links_head = le;
 	le->dev = dev;
 	le->ino = ino;
 	le->links = archive_entry_nlink(entry) - 1;
@@ -1138,5 +1133,11 @@ record_hardlink(struct archive_read *a,
 		return (ARCHIVE_FATAL);
 	}
 
+	if (cpio->links_head != NULL)
+		cpio->links_head->previous = le;
+	le->next = cpio->links_head;
+	le->previous = NULL;
+	cpio->links_head = le;
+
 	return (ARCHIVE_OK);
 }