Fix buffer overflow in libarchive if a UTF-8 encoded string has codepoints that requi...

author Erik van der Kouwe <erik@minix3.org>

Mon, 23 Aug 2010 16:32:05 +0000 (16:32 +0000)

committer Erik van der Kouwe <erik@minix3.org>

Mon, 23 Aug 2010 16:32:05 +0000 (16:32 +0000)
author Erik van der Kouwe <erik@minix3.org>
Mon, 23 Aug 2010 16:32:05 +0000 (16:32 +0000)
committer Erik van der Kouwe <erik@minix3.org>
Mon, 23 Aug 2010 16:32:05 +0000 (16:32 +0000)
diff --git a/lib/libarchive/archive_string.c b/lib/libarchive/archive_string.c

index 4e57d62e1383281067bc38dd193d6fa482e32405..ce97e4d9165e45d6bae4be0d6df9c67e7a1b9b95 100644 (file)
--- a/lib/libarchive/archive_string.c
+++ b/lib/libarchive/archive_string.c
@@ -291,8 +291,13 @@ __archive_string_utf8_w(struct archive_string *as)
         int wc, wc2;/* Must be large enough for a 21-bit Unicode code point. */
         const char *src;
         int n;
+       size_t size;
  
-       ws = (wchar_t *)malloc((as->length + 1) * sizeof(wchar_t));
+       /* be pessimistic; UCS4 always takes up four bytes per char while 
+        * UTF-16 may takes four bytes per char (except the 0 terminator)
+        */
+       size = as->length * 4 + sizeof(wchar_t);
+       ws = (wchar_t *)malloc(size);
         if (ws == NULL)
                 __archive_errx(1, "Out of memory");
         dest = ws;
author	Erik van der Kouwe <erik@minix3.org>
	Mon, 23 Aug 2010 16:32:05 +0000 (16:32 +0000)
committer	Erik van der Kouwe <erik@minix3.org>
	Mon, 23 Aug 2010 16:32:05 +0000 (16:32 +0000)