[Reproducible-commits] [dpkg] 11/25: libdpkg: Swap deb name and member name in dpkg_ar_member_get_size()

[Holger Levsen]

This is an automated email from the git hooks/post-receive script.

holger pushed a commit to annotated tag 1.16.16
in repository dpkg.

commit 2ddedea45a1e6ae2deb6e0d52aabcf2007430dfe
Author: Guillem Jover <guillem at debian.org>
Date:   Sun May 11 08:11:22 2014 +0200

    libdpkg: Swap deb name and member name in dpkg_ar_member_get_size()
    
    Cherry picked from commit 9274fe071004f02dcd64eba5f40b342e40bc2fd1.
    
    Otherwise we might perform an out of bounds buffer read access in the
    error output on bogus member sizes.
---
 debian/changelog | 2 ++
 lib/dpkg/ar.c    | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 085b498..211fff4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,8 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low
   * Do not leak color string on «dselect --color».
   * Fix memory leaks when parsing alternatives.
   * Fix memory leaks in buffer_copy() on error conditions.
+  * Fix possible out of bounds buffer read access in the error output on
+    bogus ar member sizes.
 
   [ Updated scripts translations ]
   * Fix typos in German (Helge Kreutzmann)
diff --git a/lib/dpkg/ar.c b/lib/dpkg/ar.c
index 3c07a59..d11a030 100644
--- a/lib/dpkg/ar.c
+++ b/lib/dpkg/ar.c
@@ -65,7 +65,7 @@ dpkg_ar_member_get_size(const char *ar_name, struct ar_hdr *arh)
 		if (*str < '0' || *str > '9')
 			ohshit(_("invalid character '%c' in archive '%.250s' "
 			         "member '%.16s' size"),
-			       *str, arh->ar_name, ar_name);
+			       *str, ar_name, arh->ar_name);
 
 		size *= 10;
 		size += *str++ - '0';

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git