io: harden apk_fileinfo_get

Do not attempt to get xattrs from symlinks. Their extraction is not
supported either.

Do not use alloca.

1 files changed, 3 insertions, 5 deletions

diff --git a/src/io.c b/src/io.c
index 0a441bc..65dee6a 100644
--- a/src/io.c
+++ b/src/io.c
@@ -737,7 +737,7 @@ int apk_fileinfo_get(int atfd, const char *filename, unsigned int flags,
 		.device = st.st_dev,
 	};
 
-	if (xattr_checksum != APK_CHECKSUM_NONE) {
+	if (xattr_checksum != APK_CHECKSUM_NONE && !S_ISLNK(fi->mode)) {
 		ssize_t len, vlen;
 		int fd, i, r;
 		char val[1024], buf[1024];
@@ -775,12 +775,10 @@ int apk_fileinfo_get(int atfd, const char *filename, unsigned int flags,
 
 	/* Checksum file content */
 	if ((flags & APK_FI_NOFOLLOW) && S_ISLNK(st.st_mode)) {
-		char *target = alloca(st.st_size);
-		if (target == NULL)
-			return -ENOMEM;
+		char target[PATH_MAX];
+		if (st.st_size > sizeof target) return -ENOMEM;
 		if (readlinkat(atfd, filename, target, st.st_size) < 0)
 			return -errno;
-
 		EVP_Digest(target, st.st_size, fi->csum.data, NULL,
 			   apk_checksum_evp(checksum), NULL);
 		fi->csum.type = checksum;