[strip-nondeterminism] 02/02: Fix a possible endless loop while stripping ar files due to trusting the file's file size data. Thanks to Tobias Stoeckmann (tobias at stoeckmann.org) for the report, patch and testcase. (Closes: #857975)

[Chris Lamb]

This is an automated email from the git hooks/post-receive script.

lamby pushed a commit to branch master
in repository strip-nondeterminism.

commit 083b174c7c9245fed90af61ca8c001c8ead1b6d7
Author: Chris Lamb <lamby at debian.org>
Date:   Fri Mar 17 09:19:25 2017 +0100

    Fix a possible endless loop while stripping ar files due to trusting the file's file size data. Thanks to Tobias Stoeckmann (tobias at stoeckmann.org) for the report, patch and testcase. (Closes: #857975)
    
    Signed-off-by: Chris Lamb <lamby at debian.org>
---
 lib/File/StripNondeterminism/handlers/ar.pm | 4 ++++
 t/failures/ar/857975.a                      | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/lib/File/StripNondeterminism/handlers/ar.pm b/lib/File/StripNondeterminism/handlers/ar.pm
index 660fa8f..08a1925 100644
--- a/lib/File/StripNondeterminism/handlers/ar.pm
+++ b/lib/File/StripNondeterminism/handlers/ar.pm
@@ -65,6 +65,10 @@ sub normalize {
 
 		my $file_mode = oct(substr($buf, 40, 8));
 		my $file_size = substr($buf, 48, 10);
+
+		die "Incorrect file size"
+		  if $file_size < 1;
+
 		seek $fh, $file_header_start + 16, SEEK_SET;
 
 		# mtime
diff --git a/t/failures/ar/857975.a b/t/failures/ar/857975.a
new file mode 100644
index 0000000..dfb8a49
--- /dev/null
+++ b/t/failures/ar/857975.a
@@ -0,0 +1,2 @@
+!<arch>
+/               0           0     0     644     -60       `

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/strip-nondeterminism.git