| Brad Bishop | 1932369 | 2019-04-05 15:28:33 -0400 | [diff] [blame] | 1 | CVE: CVE-2018-1000880 |
| 2 | Upstream-Status: Backport |
| 3 | Signed-off-by: Ross Burton <ross.burton@intel.com> |
| 4 | |
| 5 | From 9c84b7426660c09c18cc349f6d70b5f8168b5680 Mon Sep 17 00:00:00 2001 |
| 6 | From: Daniel Axtens <dja@axtens.net> |
| 7 | Date: Tue, 4 Dec 2018 16:33:42 +1100 |
| 8 | Subject: [PATCH] warc: consume data once read |
| 9 | |
| 10 | The warc decoder only used read ahead, it wouldn't actually consume |
| 11 | data that had previously been printed. This means that if you specify |
| 12 | an invalid content length, it will just reprint the same data over |
| 13 | and over and over again until it hits the desired length. |
| 14 | |
| 15 | This means that a WARC resource with e.g. |
| 16 | Content-Length: 666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666665 |
| 17 | but only a few hundred bytes of data, causes a quasi-infinite loop. |
| 18 | |
| 19 | Consume data in subsequent calls to _warc_read. |
| 20 | |
| 21 | Found with an AFL + afl-rb + qsym setup. |
| 22 | --- |
| 23 | libarchive/archive_read_support_format_warc.c | 5 +++++ |
| 24 | 1 file changed, 5 insertions(+) |
| 25 | |
| 26 | diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c |
| 27 | index e8753853..e8fc8428 100644 |
| 28 | --- a/libarchive/archive_read_support_format_warc.c |
| 29 | +++ b/libarchive/archive_read_support_format_warc.c |
| 30 | @@ -386,6 +386,11 @@ _warc_read(struct archive_read *a, const void **buf, size_t *bsz, int64_t *off) |
| 31 | return (ARCHIVE_EOF); |
| 32 | } |
| 33 | |
| 34 | + if (w->unconsumed) { |
| 35 | + __archive_read_consume(a, w->unconsumed); |
| 36 | + w->unconsumed = 0U; |
| 37 | + } |
| 38 | + |
| 39 | rab = __archive_read_ahead(a, 1U, &nrd); |
| 40 | if (nrd < 0) { |
| 41 | *bsz = 0U; |
| 42 | -- |
| 43 | 2.20.0 |
| 44 | |