From: Joerg Sonnenberger <joerg@bec.de>
Date: Wed, 2 Oct 2019 10:21:20 +0000 (+0200)
Subject: zip writer: don't append unused NUL for directories
X-Git-Tag: v3.4.1~34
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fad95df78681894f8e54a7867e738572f413dd30;p=thirdparty%2Flibarchive.git

zip writer: don't append unused NUL for directories

This can result in a heap overflow dependening on the buffer allocation.
Simplify the path length calculation and avoid binary operands.

Based on PR #1255 from Will Wagner
---

diff --git a/libarchive/archive_write_set_format_zip.c b/libarchive/archive_write_set_format_zip.c
index 7fcd1a07b..f28a8c3a3 100644
--- a/libarchive/archive_write_set_format_zip.c
+++ b/libarchive/archive_write_set_format_zip.c
@@ -1402,18 +1402,17 @@ path_length(struct archive_entry *entry)
 {
 	mode_t type;
 	const char *path;
+	size_t len;
 
 	type = archive_entry_filetype(entry);
 	path = archive_entry_pathname(entry);
 
 	if (path == NULL)
 		return (0);
-	if (type == AE_IFDIR &&
-	    (path[0] == '\0' || path[strlen(path) - 1] != '/')) {
-		return strlen(path) + 1;
-	} else {
-		return strlen(path);
-	}
+	len = strlen(path);
+	if (type == AE_IFDIR && (path[0] == '\0' || path[len - 1] != '/'))
+		++len; /* Space for the trailing / */
+	return len;
 }
 
 static int
@@ -1461,10 +1460,8 @@ copy_path(struct archive_entry *entry, unsigned char *p)
 	memcpy(p, path, pathlen);
 
 	/* Folders are recognized by a trailing slash. */
-	if ((type == AE_IFDIR) & (path[pathlen - 1] != '/')) {
+	if ((type == AE_IFDIR) && (path[pathlen - 1] != '/'))
 		p[pathlen] = '/';
-		p[pathlen + 1] = '\0';
-	}
 }