libarchive/contribs9/libarchive-2.8.3-CVE-2016-5844.patch

From cdd485bc519e09aeadc138a6a3002b10bf47c12c Mon Sep 17 00:00:00 2001
From: Tim Kientzle <kientzle@acm.org>
Date: Sun, 19 Jun 2016 14:34:37 -0700
Subject: [PATCH] Issue 717: Fix integer overflow when computing location of
 volume descriptor

The multiplication here defaulted to 'int' but calculations
of file positions should always use int64_t.  A simple cast
suffices to fix this since the base location is always 32 bits
for ISO, so multiplying by the sector size will never overflow
a 64-bit integer.
---
 libarchive/archive_read_support_format_iso9660.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
index fac2404..4ed3935 100644
--- a/libarchive/archive_read_support_format_iso9660.c
+++ b/libarchive/archive_read_support_format_iso9660.c
@@ -1143,7 +1143,7 @@ archive_read_format_iso9660_read_header(struct archive_read *a,
                        /* This condition is unlikely; by way of caution. */
                        vd = &(iso9660->joliet);
 
-               skipsize = LOGICAL_BLOCK_SIZE * vd->location;
+               skipsize = LOGICAL_BLOCK_SIZE * (int64_t)vd->location;
                skipsize = __archive_read_skip(a, skipsize);
                if (skipsize < 0)
                        return ((int)skipsize);
@@ -1180,7 +1180,7 @@ archive_read_format_iso9660_read_header(struct archive_read *a,
                    && iso9660->seenJoliet) {
                        /* Switch reading data from primary to joliet. */ 
                        vd = &(iso9660->joliet);
-                       skipsize = LOGICAL_BLOCK_SIZE * vd->location;
+                       skipsize = LOGICAL_BLOCK_SIZE * (int64_t)vd->location;
                        skipsize -= iso9660->current_position;
                        skipsize = __archive_read_skip(a, skipsize);
                        if (skipsize < 0)
-- 
2.7.4

1	jpp	1.1	From cdd485bc519e09aeadc138a6a3002b10bf47c12c Mon Sep 17 00:00:00 2001
2			From: Tim Kientzle <kientzle@acm.org>
3			Date: Sun, 19 Jun 2016 14:34:37 -0700
4			Subject: [PATCH] Issue 717: Fix integer overflow when computing location of
5			volume descriptor
6
7			The multiplication here defaulted to 'int' but calculations
8			of file positions should always use int64_t. A simple cast
9			suffices to fix this since the base location is always 32 bits
10			for ISO, so multiplying by the sector size will never overflow
11			a 64-bit integer.
12			---
13			libarchive/archive_read_support_format_iso9660.c \| 4 ++--
14			1 file changed, 2 insertions(+), 2 deletions(-)
15
16			diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
17			index fac2404..4ed3935 100644
18			--- a/libarchive/archive_read_support_format_iso9660.c
19			+++ b/libarchive/archive_read_support_format_iso9660.c
20			@@ -1143,7 +1143,7 @@ archive_read_format_iso9660_read_header(struct archive_read *a,
21			/* This condition is unlikely; by way of caution. */
22			vd = &(iso9660->joliet);
23
24			- skipsize = LOGICAL_BLOCK_SIZE * vd->location;
25			+ skipsize = LOGICAL_BLOCK_SIZE * (int64_t)vd->location;
26			skipsize = __archive_read_skip(a, skipsize);
27			if (skipsize < 0)
28			return ((int)skipsize);
29			@@ -1180,7 +1180,7 @@ archive_read_format_iso9660_read_header(struct archive_read *a,
30			&& iso9660->seenJoliet) {
31			/* Switch reading data from primary to joliet. */
32			vd = &(iso9660->joliet);
33			- skipsize = LOGICAL_BLOCK_SIZE * vd->location;
34			+ skipsize = LOGICAL_BLOCK_SIZE * (int64_t)vd->location;
35			skipsize -= iso9660->current_position;
36			skipsize = __archive_read_skip(a, skipsize);
37			if (skipsize < 0)
38			--
39			2.7.4
40