[Reproducible-commits] [dpkg] 17/18: libdpkg: Fix an off-by-one read access in ar member name variable

Holger Levsen holger at layer-acht.org
Tue May 3 08:44:23 UTC 2016


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to annotated tag 1.17.26
in repository dpkg.

commit 1406d62ac9fe34baa9daea01e136c03971b94de8
Author: Hanno Böck <hanno at hboeck.de>
Date:   Thu Nov 19 01:31:19 2015 +0100

    libdpkg: Fix an off-by-one read access in ar member name variable
    
    The problem here is that due to the previous loop the variable ‘i’ can
    be -1 and thus the expression in the conditional reads invalid memory.
    
    [guillem at debian.org:
     - Remove surrounding parenthesis. ]
    
    Warned-by: afl
    Signed-off-by: Guillem Jover <guillem at debian.org>
---
 debian/changelog | 2 ++
 lib/dpkg/ar.c    | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 9b229aa..cdb6f6a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ dpkg (1.17.26) UNRELEASED; urgency=low
   * Fix an off-by-one write access in dpkg-deb when parsing the old format
     .deb control member size. Thanks to Hanno Böck <hanno at hboeck.de>.
     Fixes CVE-2015-0860.
+  * Fix an off-by-one read access in dpkg-deb when parsing ar member names.
+    Thanks to Hanno Böck <hanno at hboeck.de>.
 
   [ Updated programs translations ]
   * Catalan (Jordi Mallach).
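
Review bot: The added changelog entry attributes the fix to dpkg-deb, but the change itself is in lib/dpkg/ar.c, in dpkg_ar_normalize_name(), and the commit subject is prefixed "libdpkg:". Consider naming libdpkg in the entry so that anyone reading the changelog for the library ar parser sees the fix. Since the issue was found by afl, it would also help to say so here, as the commit message does with "Warned-by: afl".
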
diff --git a/lib/dpkg/ar.c b/lib/dpkg/ar.c
index cf540a0..97eefb6 100644
--- a/lib/dpkg/ar.c
+++ b/lib/dpkg/ar.c
@@ -57,7 +57,7 @@ dpkg_ar_normalize_name(struct ar_hdr *arh)
 		name[i] = '\0';
 
 	/* Remove optional slash terminator (on GNU-style archives). */
-	if (name[i] == '/')
+	if (i >= 0 && name[i] == '/')
 		name[i] = '\0';
 }
 
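
Review bot: The `i >= 0` guard added to the slash-terminator condition is not explained in the code: the comment above it still only describes the GNU-style slash removal. Extend that comment to state that the preceding loop can leave `i` at -1, so the check is not dropped as redundant in a later cleanup. When `i` is -1 nothing is left of the name, so it is also worth confirming that callers of dpkg_ar_normalize_name() cope with an empty member name, and adding the afl-found input as a regression test case.
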

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git


