libdpkg: Swap deb name and member name in dpkg_ar_member_get_size()

Otherwise we might perform an out of bounds buffer read access in the error output on bogus member sizes.
author: Guillem Jover <guillem@debian.org> 2014-05-11 08:11:22 +0200
committer: Guillem Jover <guillem@debian.org> 2014-05-17 09:29:09 +0200
commit: 9274fe071004f02dcd64eba5f40b342e40bc2fd1 (patch)
tree: 965bddd1d81663196e1e777bb1d8d0d38a739f89
parent: df4f36e172b43bdb2336ba5a2747da439f1fc09d (diff)
download: dpkg-9274fe071004f02dcd64eba5f40b342e40bc2fd1.tar.gz
2 files changed, 3 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index 71eae271f..f825e8d36 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,8 @@ dpkg (1.17.10) UNRELEASED; urgency=low
     embed libcompat inside libdpkg, as required by some external programs
     linking against the latter. Closes: #746122
   * Fix word wrapping logic in dselect. Regression introduced in dpkg 1.17.3.
+  * Fix possible out of bounds buffer read access in the error output on
+    bogus ar member sizes.
 
   [ Updated manpages translations ]
   * German (Helge Kreutzmann).
diff --git a/lib/dpkg/ar.c b/lib/dpkg/ar.c
index 96c226416..cf540a069 100644
--- a/lib/dpkg/ar.c
+++ b/lib/dpkg/ar.c
@@ -77,7 +77,7 @@ dpkg_ar_member_get_size(const char *ar_name, struct ar_hdr *arh)
 		if (*str < '0' || *str > '9')
 			ohshit(_("invalid character '%c' in archive '%.250s' "
 			         "member '%.16s' size"),
-			       *str, arh->ar_name, ar_name);
+			       *str, ar_name, arh->ar_name);
 
 		size *= 10;
 		size += *str++ - '0';
author	Guillem Jover <guillem@debian.org>	2014-05-11 08:11:22 +0200
committer	Guillem Jover <guillem@debian.org>	2014-05-17 09:29:09 +0200
commit	9274fe071004f02dcd64eba5f40b342e40bc2fd1 (patch)
tree	965bddd1d81663196e1e777bb1d8d0d38a739f89
parent	df4f36e172b43bdb2336ba5a2747da439f1fc09d (diff)
download	dpkg-9274fe071004f02dcd64eba5f40b342e40bc2fd1.tar.gz