From 36c8800ff3da92a8c36df93ec2e906a26441a0e8 Mon Sep 17 00:00:00 2001
From: Thomas Schmitt
Date: Fri, 18 Aug 2017 10:56:59 +0200
Subject: [PATCH] Preventing buffer underread with empty RRIP SL component. Debian bug 872475. Thanks Jakub Wilk and American Fuzzy Lop.
---
 libisofs/rockridge_read.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libisofs/rockridge_read.c b/libisofs/rockridge_read.c
index 4dbc78a..bd92ceb 100644
--- a/libisofs/rockridge_read.c
+++ b/libisofs/rockridge_read.c
@@ -388,12 +388,18 @@ int read_rr_SL(struct susp_sys_user_entry *sl, char **dest, int *cont)
 if (*cont == 1) {
 /* new component */
 size_t size = strlen(*dest);
+ int has_slash;
+
 *dest = realloc(*dest, strlen(*dest) + len + 2);
 if (*dest == NULL) {
 return ISO_OUT_OF_MEM;
 }
 /* it is a new compoenent, add the '/' */
- if ((*dest)[size-1] != '/') {
+ has_slash = 0;
+ if (size > 0)
+ if ((*dest)[size - 1] == '/')
+ has_slash = 1;
+ if (!has_slash) {
 (*dest)[size] = '/';
 (*dest)[size+1] = '\0';
 }
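Review bot: The context line `*dest = realloc(*dest, strlen(*dest) + len + 2);` just above the new guard still assigns realloc's result straight back to `*dest`, so on failure the only pointer visible here to the old buffer is overwritten with NULL and the buffer is leaked; this commit leaves that as it was. A temporary would fix it and reuse the length already computed: `char *tmp = realloc(*dest, size + len + 2); if (tmp == NULL) return ISO_OUT_OF_MEM; *dest = tmp;`. Separately, with `size == 0` the new code falls through to `(*dest)[size] = '/'`, so an empty preceding component makes the assembled string begin with '/'; because this string is presumably built from fields of the image being read, it is worth confirming that a leading separator is intended here rather than skipping it. The `has_slash` flag and the nested un-braced `if`s could also collapse to `if (size == 0 || (*dest)[size - 1] != '/') {`, which keeps the bounds check next to the index it protects. read_rr_SL starts and continues outside this hunk, so how the component is appended and how callers treat ISO_OUT_OF_MEM cannot be checked from here.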