From 42a3408ac7df1e69bea9ea12b72e14f59f7400c0 Mon Sep 17 00:00:00 2001 From: Martin Matuska Date: Mon, 26 Dec 2016 22:23:24 +0100 Subject: [PATCH] archive_strncat_l(): allocate and do not convert if length == 0 This ensures e.g. that archive_mstring_copy_mbs_len_l() does not set aes_set = AES_SET_MBS with aes_mbs.s == NULL. Resolves possible null-pointer dereference reported by OSS-Fuzz. Reported-By: OSS-Fuzz issue 286 --- libarchive/archive_string.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c index 645570b21..bbb1e4585 100644 --- a/libarchive/archive_string.c +++ b/libarchive/archive_string.c @@ -1939,12 +1939,19 @@ archive_strncat_l(struct archive_string *as, const void *_p, size_t n, struct archive_string_conv *sc) { const void *s; - size_t length; + size_t length = 0; int i, r = 0, r2; + if (_p != NULL && n > 0) { + if (sc != NULL && (sc->flag & SCONV_FROM_UTF16)) + length = utf16nbytes(_p, n); + else + length = mbsnbytes(_p, n); + } + /* We must allocate memory even if there is no data for conversion * or copy. This simulates archive_string_append behavior. */ - if (_p == NULL || n == 0) { + if (length == 0) { int tn = 1; if (sc != NULL && (sc->flag & SCONV_TO_UTF16)) tn = 2; @@ -1960,16 +1967,11 @@ archive_strncat_l(struct archive_string *as, const void *_p, size_t n, * If sc is NULL, we just make a copy. */ if (sc == NULL) { - length = mbsnbytes(_p, n); if (archive_string_append(as, _p, length) == NULL) return (-1);/* No memory */ return (0); } - if (sc->flag & SCONV_FROM_UTF16) - length = utf16nbytes(_p, n); - else - length = mbsnbytes(_p, n); s = _p; i = 0; if (sc->nconverter > 1) { -- 2.47.2