From 1a87077bc90de89f3ee31c53f70d46e800ab6db3 Mon Sep 17 00:00:00 2001
From: Tim Kientzle
Date: Sun, 29 Nov 2009 18:09:46 -0500
Subject: [PATCH] The fuzz tester uncovered an infinite loop in the recovery code that searches forward for the next undamaged cpio header. This occurred when the number of bytes returned by the next read operation happened to be exactly the size of a cpio header. In this case, an off-by-one error caused this code to decide that it didn't have enough bytes to examine and then to loop around and ask for the exact same bytes again. SVN-Revision: 1686
---
 libarchive/archive_read_support_format_cpio.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
index 3c96ecfce..2cb719b3e 100644
--- a/libarchive/archive_read_support_format_cpio.c
+++ b/libarchive/archive_read_support_format_cpio.c
@@ -356,7 +356,7 @@ find_newc_header(struct archive_read *a)
 * Scan ahead until we find something that looks
 * like an odc header.
 */
- while (p + sizeof(struct cpio_newc_header) < q) {
+ while (p + sizeof(struct cpio_newc_header) <= q) {
 switch (p[5]) {
 case '1':
 case '2':
@@ -490,7 +490,7 @@ find_odc_header(struct archive_read *a)
 * Scan ahead until we find something that looks
 * like an odc header.
 */
- while (p + sizeof(struct cpio_odc_header) < q) {
+ while (p + sizeof(struct cpio_odc_header) <= q) {
 switch (p[5]) {
 case '7':
 if (memcmp("070707", p, 6) == 0
-- 
2.47.3
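Review bot: The new `<=` bound on the scan loop in find_newc_header (and the identical change in find_odc_header) carries no comment explaining why the exact-fit case must be admitted, and the next reader who sees `p + sizeof(...) <= q` will be tempted to "fix" it back to `<` and reintroduce the hang the fuzzer found; a one-line comment above the `while` would pin the invariant, e.g. `/* <= not <: a buffer holding exactly one header is enough to probe; rejecting it would re-request the same bytes forever. */`. With the relaxed bound the loop body may now inspect a window whose last byte is q[-1], so the probes inside it (`p[5]` and the 6-byte memcmp visible in the odc hunk) remain in bounds only while each header struct is at least 6 bytes, which the hunk does not show and is worth stating in that comment. The loop's termination now also depends on `p` advancing on every path through the switch, which lies outside the hunk, so a regression test that feeds the recovery path a buffer of exactly sizeof(struct cpio_newc_header) and sizeof(struct cpio_odc_header) bytes would guard both the bound and the advance. The comment in the newc hunk still says "like an odc header" although that loop looks for a newc header; it is a context line, but fixing it here would keep the two scan loops from being confused. Both enclosing functions begin and end outside their hunks.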