From 9274fe071004f02dcd64eba5f40b342e40bc2fd1 Mon Sep 17 00:00:00 2001 From: Guillem Jover Date: Sun, 11 May 2014 08:11:22 +0200 Subject: libdpkg: Swap deb name and member name in dpkg_ar_member_get_size() Otherwise we might perform an out of bounds buffer read access in the error output on bogus member sizes. --- debian/changelog | 2 ++ lib/dpkg/ar.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 71eae271f..f825e8d36 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,8 @@ dpkg (1.17.10) UNRELEASED; urgency=low embed libcompat inside libdpkg, as required by some external programs linking against the latter. Closes: #746122 * Fix word wrapping logic in dselect. Regression introduced in dpkg 1.17.3. + * Fix possible out of bounds buffer read access in the error output on + bogus ar member sizes. [ Updated manpages translations ] * German (Helge Kreutzmann). diff --git a/lib/dpkg/ar.c b/lib/dpkg/ar.c index 96c226416..cf540a069 100644 --- a/lib/dpkg/ar.c +++ b/lib/dpkg/ar.c @@ -77,7 +77,7 @@ dpkg_ar_member_get_size(const char *ar_name, struct ar_hdr *arh) if (*str < '0' || *str > '9') ohshit(_("invalid character '%c' in archive '%.250s' " "member '%.16s' size"), - *str, arh->ar_name, ar_name); + *str, ar_name, arh->ar_name); size *= 10; size += *str++ - '0'; -- cgit v1.2.3