Issue 747 (and others?): Avoid OOB read when parsing multiple long lines 73/134773/1
author: DongHun Kwak <dh0128.kwak@samsung.com>
Tue, 20 Jun 2017 04:00:28 +0000 (13:00 +0900)
committer: DongHun Kwak <dh0128.kwak@samsung.com>
Tue, 20 Jun 2017 04:06:35 +0000 (13:06 +0900)
The mtree bidder needs to look several lines ahead
in the input.  It does this by extending the read-ahead
and parsing subsequent lines from the same growing buffer.
A bookkeeping error when extending the read-ahead would
sometimes lead it to significantly over-count the
size of the line being read.

Change-Id: I3f73c4eecfb3c86ef273666a7b1ed111ceb977fa
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
libarchive/archive_read_support_format_mtree.c

index 8c3be9a..ae58e87 100644 (file)
@@ -301,6 +301,15 @@ get_line_size(const char *b, ssize_t avail, ssize_t *nlsize)
        return (avail);
 }
 
+/*
+ *  <---------------- ravail --------------------->
+ *  <-- diff ------> <---  avail ----------------->
+ *                   <---- len ----------->
+ * | Previous lines | line being parsed  nl extra |
+ *                  ^
+ *                  b
+ *
+ */
 static ssize_t
 next_line(struct archive_read *a,
     const char **b, ssize_t *avail, ssize_t *ravail, ssize_t *nl)
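Review bot: the diagram does not say what `nl` and `extra` stand for, and it depends on column alignment that is easily lost on a re-indent, so a sentence stating the relationships in words would make the comment robust: `b` points at the first byte of the line being parsed, `ravail == diff + avail` where `diff` counts the bytes of previous lines that sit before `b` in the read-ahead, `len` is the part of `avail` belonging to the current line, and `nl` is presumably the newline length that `next_line()` forwards through its `nl` parameter to `get_line_size()`'s `nlsize`. Stating that `len` never exceeds `avail` here would also document the invariant the second hunk's `*avail - len` relies on.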
@@ -339,7 +348,7 @@ next_line(struct archive_read *a,
                *b += diff;
                *avail -= diff;
                tested = len;/* Skip some bytes we already determinated. */
-               len = get_line_size(*b, *avail, nl);
+               len = get_line_size(*b + len, *avail - len, nl);
                if (len >= 0)
                        len += tested;
        }
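Review bot: the new call passes `*avail - len` with no visible guard that `len <= *avail`; `*avail` was just reduced by `diff` two lines earlier, so if the bytes already scanned (`len`, saved into `tested`) could ever exceed what remains, `get_line_size()` would receive a negative `avail`. If that is ruled out by the invariant the diagram in this patch implies (`len` lies within `avail`), a one-line comment at the call site saying so would help the next reader; otherwise an explicit check before the call is warranted. Separately, the unchanged context comment `/* Skip some bytes we already determinated. */` should read "determined"; since it is not part of this change, that is a follow-up.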