cpio: Fix UAF in error path

Add entry only after its full initialization into list. Otherwise the
error handling of a failing strdup would have to unlink the entry again.

Fixes: 16ad9310733e ("cpio reader: Validate pathname in record_hardlink")
Resolves #3053.

diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c
index aa7b6aa89e5c7959b01e223cafd864f409a099b7..047682eb0ca463841d7efbcd0625206f169551f6 100644 (file)
--- a/libarchive/archive_read_support_format_cpio.c
+++ b/libarchive/archive_read_support_format_cpio.c
@@ -1122,11 +1122,6 @@ record_hardlink(struct archive_read *a,
                return (ARCHIVE_FATAL);
        }
 
-       if (cpio->links_head != NULL)
-               cpio->links_head->previous = le;
-       le->next = cpio->links_head;
-       le->previous = NULL;
-       cpio->links_head = le;
        le->dev = dev;
        le->ino = ino;
        le->links = archive_entry_nlink(entry) - 1;
@@ -1138,5 +1133,11 @@ record_hardlink(struct archive_read *a,
                return (ARCHIVE_FATAL);
        }
 
+       if (cpio->links_head != NULL)
+               cpio->links_head->previous = le;
+       le->next = cpio->links_head;
+       le->previous = NULL;
+       cpio->links_head = le;
+
        return (ARCHIVE_OK);
 }