authorHanno Böck <hanno@hboeck.de>2015-11-19 20:03:10 +0100
committerGuillem Jover <guillem@debian.org>2015-12-19 20:22:15 +0100
commitc66cdd38c195a44c33e73d016372ac0ef775c4de (patch)
tree9dcade3af2be9121429845d99d8320f9e692bce7 /dpkg-deb/extract.c
parent77337a8b0f6f789d79032486157f6d9260c2c53e (diff)
dpkg-deb: Fix off-by-one write access on ctrllenbuf variable
This affects old format .deb packages. Fixes: CVE-2015-0860 Warned-by: afl Signed-off-by: Guillem Jover <guillem@debian.org> Stable-Candidate: 1.16.x 1.17.x
Diffstat (limited to 'dpkg-deb/extract.c')
-rw-r--r--dpkg-deb/extract.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/dpkg-deb/extract.c b/dpkg-deb/extract.c
index 91445c674..6c6349874 100644
--- a/dpkg-deb/extract.c
+++ b/dpkg-deb/extract.c
@@ -247,7 +247,7 @@ extracthalf(const char *debar, const char *dir,
if (errstr)
ohshit(_("archive has invalid format version: %s"), errstr);
- r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf));
+ r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf) - 1);
if (r < 0)
read_fail(r, debar, _("archive control member size"));
if (sscanf(ctrllenbuf, "%jd%c%d", &ctrllennum, &nlc, &dummy) != 2 ||
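Review bot: The `- 1` added to the `read_line()` call has no comment, so the reason for it (one byte of `ctrllenbuf` must stay free for the string terminator) is recorded only in the commit message. Going by the commit title, the terminator was written one past the end of the buffer when the size line filled it; `read_line()` itself is not in this hunk, so that is inferred. I would add `/* Reserve one byte for the NUL terminator written by read_line(). */` above the call, and check any other `read_line()` caller in this file for the same full-`sizeof` bound. Longer term the limit is safer enforced inside `read_line()` than remembered by each caller. `extracthalf()` starts and ends outside the hunk.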