Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame] | 1 | libarchive-3.3.2: Fix bug929 |
| 2 | |
| 3 | [No upstream tracking] -- https://github.com/libarchive/libarchive/pull/929 |
| 4 | |
| 5 | archive_read_support_format_cpio: header_newc(): Avoid overflow when reading corrupt |
| 6 | cpio archive |
| 7 | |
| 8 | A cpio "newc" archive with a namelength of "FFFFFFFF", if read on a |
| 9 | system with a 32-bit size_t, would result in namelength + name_pad |
| 10 | overflowing 32 bits and libarchive attempting to copy 2^32-1 bytes |
| 11 | from a 2-byte buffer, with appropriately hilarious results. |
| 12 | |
| 13 | Check for this overflow and fail; there's no legitimate reason for a |
| 14 | cpio archive to contain a file with a name over 4 billion characters |
| 15 | in length. |
| 16 | |
| 17 | Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/bac4659e0b970990e7e3f3a3d239294e96311630] |
| 18 | Bug: 929 |
| 19 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> |
| 20 | |
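The failure the commit message describes, modelled in standalone C so it can be run on a 64-bit host: this is an added example, not code from the libarchive patch or the project. It uses a hypothetical `size32_t` (`uint32_t`) in place of a 32-bit `size_t`, the newc padding formula quoted in the hunk below, and a constructed 8-character hex `namesize` field of `FFFFFFFF`; `parse_hex8`, `padded_len_unchecked` and `padded_len_checked` are names chosen here, not libarchive functions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 32-bit stand-in for size_t, so the wrap reproduces on any host. */
typedef uint32_t size32_t;

/* Parse an 8-character uppercase/lowercase hex field such as the newc
 * "namesize" field. Returns 0 on success, -1 on a non-hex character. */
static int parse_hex8(const char *field, size32_t *out) {
    size32_t v = 0;
    for (int i = 0; i < 8; i++) {
        char c = field[i];
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;
        v = (v << 4) | (size32_t)d;
    }
    *out = v;
    return 0;
}

/* newc pads the name so header + name ends 2 bytes past a multiple of 4;
 * same expression as the patched function. */
static size32_t newc_name_pad(size32_t namelength) {
    return (2 - namelength) & 3;
}

/* Pre-fix behaviour: the unsigned sum silently wraps modulo 2^32. */
static size32_t padded_len_unchecked(size32_t namelength) {
    return namelength + newc_name_pad(namelength);
}

/* Post-fix behaviour: reject the header when the padded length wrapped.
 * Returns 0 and fills *out on success, -1 on a corrupt namelength. */
static int padded_len_checked(size32_t namelength, size32_t *out) {
    size32_t pad = newc_name_pad(namelength);
    size32_t sum = namelength + pad;   /* unsigned: wraps, never undefined */
    if (sum < namelength)              /* wrapped -> cannot fit in size32_t */
        return -1;
    *out = sum;
    return 0;
}

/* Convenience for checks: 1 if the checked path accepts n and yields expect. */
static int checked_yields(size32_t n, size32_t expect) {
    size32_t out = 0;
    return padded_len_checked(n, &out) == 0 && out == expect;
}

int main(void) {
    const char namesize_field[] = "FFFFFFFF";   /* constructed corrupt header field */
    size32_t namelength, padded;

    if (parse_hex8(namesize_field, &namelength) != 0)
        return 1;
    printf("namelength        = 0x%08x\n", namelength);
    printf("name_pad          = %u\n", newc_name_pad(namelength));
    /* Wraps to 2: the reader would buffer 2 bytes and then copy 2^32-1. */
    printf("unchecked padded  = %u\n", padded_len_unchecked(namelength));
    if (padded_len_checked(namelength, &padded) != 0)
        printf("checked           = rejected (invalid namelength)\n");
    else
        printf("checked           = %u\n", padded);
    return 0;
}
```

The guard works only because the operands are unsigned: `sum < namelength` is a defined, compiler-safe wrap test for `size_t`, whereas the same comparison on signed operands would be undefined behaviour and could be optimised away.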
| 21 | diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c |
| 22 | index ad9f782..1faa64d 100644 |
| 23 | --- a/libarchive/archive_read_support_format_cpio.c |
| 24 | +++ b/libarchive/archive_read_support_format_cpio.c |
| 25 | @@ -633,6 +633,13 @@ header_newc(struct archive_read *a, struct cpio *cpio, |
| 26 | /* Pad name to 2 more than a multiple of 4. */ |
| 27 | *name_pad = (2 - *namelength) & 3; |
| 28 | |
| 29 | + /* Make sure that the padded name length fits into size_t. */ |
| 30 | + if ((size_t)(*namelength + *name_pad) < *namelength) { |
| 31 | + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, |
| 32 | + "cpio archive has invalid namelength"); |
| 33 | + return (ARCHIVE_FATAL); |
| 34 | + } |
| 35 | + |
| 36 | /* |
| 37 | * Note: entry_bytes_remaining is at least 64 bits and |
| 38 | * therefore guaranteed to be big enough for a 33-bit file |
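Review bot: the guard `if ((size_t)(*namelength + *name_pad) < *namelength)` is the correct unsigned wrap test and cannot be optimised away because size_t arithmetic is defined to wrap, but since `*name_pad` is at most 3 it only fires for `*namelength >= SIZE_MAX - 2`; a length just below that still passes here and relies on the later read of `*namelength` bytes (not in this hunk) to fail cleanly, which is worth confirming in the same review. The comment could say this explicitly ("only the wrapped case is rejected here"), and the error text would be more useful with the offending value, e.g. `"cpio archive has invalid namelength %ju", (uintmax_t)*namelength`, since archive_set_error takes a printf-style format. The `(size_t)` cast is redundant while both operands are already size_t; keep it only if it is meant to document intent.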