From: Florian Weimer
Subject: Re: [Bug-cpio] out-of-bounds write with cpio -i
Date: Mon, 01 Dec 2014 14:52:42 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
On 12/01/2014 02:46 PM, Sergey Poznyakoff wrote:
+static char * +get_link_name (struct cpio_file_stat *file_hdr, int in_file_des) +{ + off_t n = file_hdr->c_filesize + 1; + char *link_name; + + if (n == 0 || n > SIZE_MAX) + { + error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name); + link_name = NULL; + } + else + { + link_name = xmalloc (n); + tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize); + link_name[file_hdr->c_filesize] = '\0'; + tape_skip_padding (in_file_des, file_hdr->c_filesize); + } + return link_name; +}
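Review bot: the bounds check in get_link_name runs only after `off_t n = file_hdr->c_filesize + 1;` has been computed, so for the largest representable c_filesize the addition is signed overflow (undefined behaviour) before `if (n == 0 || n > SIZE_MAX)` is ever evaluated, and a negative c_filesize other than -1 gives a negative n that the check accepts, because a negative off_t converted for the comparison with SIZE_MAX never compares greater than it; that value then reaches `xmalloc (n)`, `tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize)` and `link_name[file_hdr->c_filesize] = '\0'`. Suggest validating the raw header field first, e.g. `if (file_hdr->c_filesize < 0 || (uintmax_t) file_hdr->c_filesize >= SIZE_MAX)` and only then computing `n = file_hdr->c_filesize + 1`, with the error message kept for the rejected case.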
Thanks for the patch, but I'm not sure if it is correct. off_t is signed, so you need to check for out-of-bounds values before adding 1 (because signed overflow is undefined), and you also have to guard against negative values.
-- Florian Weimer / Red Hat Product Security
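The point about checking the signed length before adding 1, shown as an added C example that is not part of the thread or of the cpio sources: `posted_check_accepts` reproduces the order of operations from the patch (and shows a negative length slipping through), `link_name_alloc_size` validates the raw field first, and `get_link_name_checked` reads the name from a constructed in-memory buffer that stands in for tape_buffered_read. The struct and function names are mine, not cpio's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in for cpio's header struct: only the field used here. */
struct fake_file_stat
{
  off_t c_filesize;
};

/* Check in the order the patch uses it: n is computed, then tested.
   A negative c_filesize other than -1 gives a negative n; whichever way
   the usual arithmetic conversions go, a negative off_t never compares
   greater than SIZE_MAX, so the value is accepted.  (Callers here never
   pass the maximum off_t, so this demo itself does not overflow.) */
static bool
posted_check_accepts (off_t c_filesize)
{
  off_t n = c_filesize + 1;
  return !(n == 0 || n > SIZE_MAX);
}

/* Corrected check: validate the raw header value first, then add 1.
   Rejects negative lengths and lengths that leave no room for the NUL
   terminator in a size_t.  Comparing via uintmax_t keeps the result
   independent of whether off_t is wider or narrower than size_t. */
static bool
link_name_alloc_size (off_t c_filesize, size_t *alloc_size)
{
  if (c_filesize < 0)
    return false;
  if ((uintmax_t) c_filesize >= (uintmax_t) SIZE_MAX)
    return false;
  *alloc_size = (size_t) c_filesize + 1;   /* cannot overflow now */
  return true;
}

/* Read the link name from an in-memory archive segment (constructed input;
   replaces tape_buffered_read for the demo).  Returns NULL when the stored
   length is rejected or the segment is shorter than the header claims. */
static char *
get_link_name_checked (const struct fake_file_stat *hdr,
                       const unsigned char *data, size_t data_len)
{
  size_t n;
  if (!link_name_alloc_size (hdr->c_filesize, &n))
    return NULL;
  if (n - 1 > data_len)
    return NULL;
  char *link_name = malloc (n);
  if (link_name == NULL)
    return NULL;
  memcpy (link_name, data, n - 1);
  link_name[n - 1] = '\0';
  return link_name;
}

/* Exercise the checked reader on constructed data; 1 on success, 0 otherwise. */
static int
demo_checked_read (void)
{
  static const unsigned char segment[] = "linkx";   /* constructed, 5 bytes */
  struct fake_file_stat hdr = { 5 };
  char *name = get_link_name_checked (&hdr, segment, 5);
  int ok = name != NULL && strcmp (name, "linkx") == 0;
  free (name);

  hdr.c_filesize = 9;   /* header claims more bytes than the segment holds */
  if (get_link_name_checked (&hdr, segment, 5) != NULL)
    ok = 0;
  hdr.c_filesize = -5;  /* negative length is rejected up front */
  if (get_link_name_checked (&hdr, segment, 5) != NULL)
    ok = 0;
  return ok;
}

int
main (void)
{
  printf ("posted check accepts -5: %s\n", posted_check_accepts (-5) ? "yes" : "no");
  printf ("corrected reader behaves: %s\n", demo_checked_read () ? "yes" : "no");
  return 0;
}
```

Running it shows the posted check accepting -5 while the corrected reader rejects it, and also rejects a header whose length exceeds the bytes actually available.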