From: Brad King <brad.king@kitware.com>
Date: Thu, 6 Feb 2020 19:28:02 +0000 (-0500)
Subject: Fix possible heap-buffer-overflow in archive_string_append_from_wcs on Windows
X-Git-Tag: v3.4.2~9^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1329%2Fhead;p=thirdparty%2Flibarchive.git

Fix possible heap-buffer-overflow in archive_string_append_from_wcs on Windows

Fix `archive_string_append_from_wcs_in_codepage` to account for the
already-used portion of the buffer when computing the size of the
remaining buffer for `WideCharToMultiByte` output.
---

diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
index 399299ea6..c77dcf52c 100644
--- a/libarchive/archive_string.c
+++ b/libarchive/archive_string.c
@@ -744,7 +744,8 @@ archive_string_append_from_wcs_in_codepage(struct archive_string *as,
 			else
 				dp = &defchar_used;
 			count = WideCharToMultiByte(to_cp, 0, ws, wslen,
-			    as->s + as->length, (int)as->buffer_length-1, NULL, dp);
+			    as->s + as->length,
+			    (int)as->buffer_length - as->length - 1, NULL, dp);
 			if (count == 0 &&
 			    GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
 				/* Expand the MBS buffer and retry. */