diff options
author | Timo Teräs <timo.teras@iki.fi> | 2017-06-21 15:12:02 +0300 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2017-06-23 10:03:16 +0300 |
commit | 285371126a44d50bf81fe7957560bc0c048d1fdb (patch) | |
tree | 4442e2e040e367f17e414edf13fa954a74b365fb | |
parent | d07f777934d4377b3f189bf3e057653748b1daa3 (diff) | |
download | apk-tools-285371126a44d50bf81fe7957560bc0c048d1fdb.tar.gz apk-tools-285371126a44d50bf81fe7957560bc0c048d1fdb.tar.bz2 apk-tools-285371126a44d50bf81fe7957560bc0c048d1fdb.tar.xz apk-tools-285371126a44d50bf81fe7957560bc0c048d1fdb.zip |
archive: fix incorrect bounds checking for memory allocation
The value from tar header is unsigned int; keep it casted to
unsigned int and size_t instead of (signed) int, otherwise
the comparisons fail to do their job properly. Additionally check
entry.size against SSIZE_MAX so the rounding up later on is
guaranteed to not overflow.
Fixes CVE-2017-9669 and CVE-2017-9671.
Reported-by: Ariel Zelivansky from Twistlock
(cherry picked from commit 286aa77ef1811e477895713df162c92b2ffc6df8)
-rw-r--r-- | src/archive.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/archive.c b/src/archive.c index e86a53a..1f36604 100644 --- a/src/archive.c +++ b/src/archive.c @@ -59,7 +59,7 @@ struct apk_tar_digest_info { #define GET_OCTAL(s) get_octal(s, sizeof(s)) #define PUT_OCTAL(s,v) put_octal(s, sizeof(s), v) -static int get_octal(char *s, size_t l) +static unsigned int get_octal(char *s, size_t l) { apk_blob_t b = APK_BLOB_PTR_LEN(s, l); return apk_blob_pull_uint(&b, 8); @@ -128,7 +128,7 @@ static void tar_entry_close(void *stream) { } -static int blob_realloc(apk_blob_t *b, int newsize) +static int blob_realloc(apk_blob_t *b, size_t newsize) { char *tmp; if (b->len >= newsize) return 0; @@ -228,6 +228,8 @@ int apk_tar_parse(struct apk_istream *is, apk_archive_entry_parser parser, teis.mtime = entry.mtime; apk_xattr_array_resize(&entry.xattrs, 0); + if (entry.size >= SSIZE_MAX-512) goto err; + if (paxlen) { handle_extended_header(&entry, APK_BLOB_PTR_LEN(pax.ptr, paxlen)); apk_fileinfo_hash_xattr(&entry); |