Fiz /usr/bin/unzip: A bug deep in libarchive's read-ahead logic

(incorrect handling of zero-length reads before the copy buffer is allocated) is masked by the iso9660 taster. Tar and cpio both enable that taster so were protected from the bug; unzip is susceptible. This both fixes the bug and updates the test harness to exercise this case. Submitted by: Ed Schouten diagnosed the bug and drafted a patch MFC after: 7 days
2009-09-08 05:02:41 +00:00 · 2009-09-08 05:02:41 +00:00 · 466017cf76
commit 466017cf76
parent 26baaf0169
2 changed files with 6 additions and 3 deletions
--- a/lib/libarchive/archive_read.c
+++ b/lib/libarchive/archive_read.c
@ -928,9 +928,12 @@ __archive_read_filter_ahead(struct archive_read_filter *filter,
 	for (;;) {

 		/*
-		 * If we can satisfy from the copy buffer, we're done.
+		 * If we can satisfy from the copy buffer (and the
+		 * copy buffer isn't empty), we're done.  In particular,
+		 * note that min == 0 is a perfectly well-defined
+		 * request.
 		 */
-		if (filter->avail >= min) {
+		if (filter->avail >= min && filter->avail > 0) {
 			if (avail != NULL)
 				*avail = filter->avail;
 			return (filter->next);
--- a/lib/libarchive/test/test_compat_zip.c
+++ b/lib/libarchive/test/test_compat_zip.c
@ -36,7 +36,7 @@ test_compat_zip_1(void)

 	assert((a = archive_read_new()) != NULL);
 	assertEqualIntA(a, ARCHIVE_OK, archive_read_support_compression_all(a));
-	assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
+	assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_zip(a));
 	extract_reference_file(name);
 	assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, name, 10240));