diff --git a/ChangeLog b/ChangeLog
index c0b212a..2dd7469 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-08-05 Stuart Caie <kyzer@cabextract.org.uk>
+
+ * cabd_read_string(): add missing error check on result of read().
+ If an mspack_system implementation returns an error, it's interpreted
+ as a huge positive integer, which leads to reading past the end of the
+ stack-based buffer. Thanks to Sebastian Andrzej Siewior for explaining
+ the problem. This issue was raised by ClamAV as CVE-2017-11423
+
2015-05-10 Stuart Caie <kyzer@4u.net>
* cabd_read_string(): correct rejection of empty strings. Thanks to
diff --git a/mspack/cabd.c b/mspack/cabd.c
index 16021ee..8b10934 100644
--- a/mspack/cabd.c
+++ b/mspack/cabd.c
@@ -521,10 +521,13 @@ static char *cabd_read_string(struct mspack_system *sys,
{
off_t base = sys->tell(fh);
char buf[256], *str;
- unsigned int len, i, ok;
+ int len, i, ok;
/* read up to 256 bytes */
- len = sys->read(fh, &buf[0], 256);
+ if ((len = sys->read(fh, &buf[0], 256)) <= 0) {
+ *error = MSPACK_ERR_READ;
+ return NULL;
+ }
/* search for a null terminator in the buffer */
for (i = 0, ok = 0; i < len; i++) if (!buf[i]) { ok = 1; break; }
distrib
>
Mageia
>
6
>
armv7hl
>
media
>
core-updates-src
>
by-pkgid
>
90824f085d9b13f87a8f0e12390f2bf6
>
files
>
3
