File CVE-2016-8687.patch of Package libarchive

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-8687.patch of Package libarchive

commit e37b620fe8f14535d737e89a4dcabaed4517bf1a
Author: Tim Kientzle <kientzle@acm.org>
Date:   Sun Aug 21 10:51:43 2016 -0700

Issue #767:  Buffer overflow printing a filename
    
    The safe_fprintf function attempts to ensure clean output for an
    arbitrary sequence of bytes by doing a trial conversion of the
    multibyte characters to wide characters -- if the resulting wide
    character is printable then we pass through the corresponding bytes
    unaltered, otherwise, we convert them to C-style ASCII escapes.
    
    The stack trace in Issue #767 suggest that the 20-byte buffer
    was getting overflowed trying to format a non-printable multibyte
    character.  This should only happen if there is a valid multibyte
    character of more than 5 bytes that was unprintable.  (Each byte
    would get expanded to a four-charcter octal-style escape of the form
    "\123" resulting in >20 characters for the >5 byte multibyte character.)
    
    I've not been able to reproduce this, but have expanded the conversion
    buffer to 128 bytes on the belief that no multibyte character set
    has a single character of more than 32 bytes.

Index: libarchive-3.1.2/tar/util.c
===================================================================
--- libarchive-3.1.2.orig/tar/util.c
+++ libarchive-3.1.2/tar/util.c
@@ -181,7 +181,7 @@ safe_fprintf(FILE *f, const char *fmt, .
 		}
 
 		/* If our output buffer is full, dump it and keep going. */
-		if (i > (sizeof(outbuff) - 20)) {
+		if (i > (sizeof(outbuff) - 128)) {
 			outbuff[i] = '\0';
 			fprintf(f, "%s", outbuff);
 			i = 0;

Places

File CVE-2016-8687.patch of Package libarchive

Places