Andrew Geissler | 6aa7eec | 2023-03-03 12:41:14 -0600 | [diff] [blame^] | 1 | From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001 |
| 2 | From: Sergey Poznyakoff <gray@gnu.org> |
| 3 | Date: Sat, 11 Feb 2023 11:57:39 +0200 |
| 4 | Subject: Fix boundary checking in base-256 decoder |
| 5 | |
| 6 | * src/list.c (from_header): Base-256 encoding is at least 2 bytes |
| 7 | long. |
| 8 | |
| 9 | Upstream-Status: Backport [see reference below] |
| 10 | CVE: CVE-2022-48303 |
| 11 | |
| 12 | Reference to upstream patch: |
| 13 | https://savannah.gnu.org/bugs/?62387 |
| 14 | https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8 |
| 15 | |
| 16 | Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com> |
| 17 | Signed-off-by: Joe Slater <joe.slater@windriver.com> |
| 18 | --- |
| 19 | src/list.c | 5 +++-- |
| 20 | 1 file changed, 3 insertions(+), 2 deletions(-)Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com> |
| 21 | |
| 22 | |
| 23 | (limited to 'src/list.c') |
| 24 | |
| 25 | diff --git a/src/list.c b/src/list.c |
| 26 | index 9fafc42..86bcfdd 100644 |
| 27 | --- a/src/list.c |
| 28 | +++ b/src/list.c |
| 29 | @@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type, |
| 30 | where++; |
| 31 | } |
| 32 | } |
| 33 | - else if (*where == '\200' /* positive base-256 */ |
| 34 | - || *where == '\377' /* negative base-256 */) |
| 35 | + else if (where <= lim - 2 |
| 36 | + && (*where == '\200' /* positive base-256 */ |
| 37 | + || *where == '\377' /* negative base-256 */)) |
| 38 | { |
| 39 | /* Parse base-256 output. A nonnegative number N is |
| 40 | represented as (256**DIGS)/2 + N; a negative number -N is |
| 41 | -- |
| 42 | cgit v1.1 |
| 43 | |