From 2b8c3abeb37bb53710ffa574415b667b4077819e Mon Sep 17 00:00:00 2001
From: Brad King
Date: Thu, 6 Feb 2020 14:28:02 -0500
Subject: [PATCH] Fix possible heap-buffer-overflow in archive_string_append_from_wcs on Windows

Fix `archive_string_append_from_wcs_in_codepage` to account for the already-used portion of the buffer when computing the size of the remaining buffer for `WideCharToMultiByte` output.
---
 libarchive/archive_string.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
index 399299ea6..c77dcf52c 100644
--- a/libarchive/archive_string.c
+++ b/libarchive/archive_string.c
@@ -744,7 +744,8 @@ archive_string_append_from_wcs_in_codepage(struct archive_string *as,
 else
 dp = &defchar_used;
 count = WideCharToMultiByte(to_cp, 0, ws, wslen,
- as->s + as->length, (int)as->buffer_length-1, NULL, dp);
+ as->s + as->length,
+ (int)as->buffer_length - as->length - 1, NULL, dp);
 if (count == 0 &&
 GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
 /* Expand the MBS buffer and retry. */
-- 
2.47.2
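Review bot: In the new `WideCharToMultiByte` call the `(int)` cast binds only to `as->buffer_length`, so `(int)as->buffer_length - as->length - 1` subtracts `as->length` from an already-narrowed value; if these fields are `size_t` (their declarations are outside the hunk) the subtraction is done unsigned and narrowed again implicitly at the call. Computing the remainder first and casting the result, `(int)(as->buffer_length - as->length - 1)`, keeps the arithmetic in one type and makes the narrowing visible. It is also worth confirming, in the part of the function this hunk does not show, that the remainder can never be 0 or wrap: with a zero `cbMultiByte` the API returns the required size without writing and without failing, so the `ERROR_INSUFFICIENT_BUFFER` retry below would not run. A short comment on the argument, e.g. `/* bytes left after as->length, reserving one for the NUL */`, would record the invariant the fix relies on.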