diff options
author | Timo Teräs <timo.teras@iki.fi> | 2017-06-21 15:12:02 +0300 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2017-06-23 09:59:55 +0300 |
commit | 74484710d67a92d89dfc45e0d04c02b6ee9cb1ec (patch) | |
tree | 9ea8ceb9f485b924f26495fb9a5eb1de49bdea2a | |
parent | d5dad7b7eba2434342ef663e370c4499567c1b59 (diff) | |
download | apk-tools-74484710d67a92d89dfc45e0d04c02b6ee9cb1ec.tar.gz apk-tools-74484710d67a92d89dfc45e0d04c02b6ee9cb1ec.tar.bz2 apk-tools-74484710d67a92d89dfc45e0d04c02b6ee9cb1ec.tar.xz apk-tools-74484710d67a92d89dfc45e0d04c02b6ee9cb1ec.zip |
archive: fix incorrect bounds checking for memory allocation
The value from tar header is unsigned int; keep it casted to
unsigned int and size_t instead of (signed) int, otherwise
the comparisons fail to do their job properly. Additionally check
entry.size against SSIZE_MAX so the rounding up later on is
guaranteed to not overflow.
Fixes CVE-2017-9669 and CVE-2017-9671.
Reported-by: Ariel Zelivansky from Twistlock
(cherry picked from commit 286aa77ef1811e477895713df162c92b2ffc6df8)
-rw-r--r-- | src/archive.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/archive.c b/src/archive.c index 07b33e2..eb9e67c 100644 --- a/src/archive.c +++ b/src/archive.c @@ -59,7 +59,7 @@ struct apk_tar_digest_info { #define GET_OCTAL(s) get_octal(s, sizeof(s)) #define PUT_OCTAL(s,v) put_octal(s, sizeof(s), v) -static int get_octal(char *s, size_t l) +static unsigned int get_octal(char *s, size_t l) { apk_blob_t b = APK_BLOB_PTR_LEN(s, l); return apk_blob_pull_uint(&b, 8); @@ -133,7 +133,7 @@ static void tar_entry_close(void *stream) { } -static int blob_realloc(apk_blob_t *b, int newsize) +static int blob_realloc(apk_blob_t *b, size_t newsize) { char *tmp; if (b->len >= newsize) return 0; @@ -233,6 +233,8 @@ int apk_tar_parse(struct apk_istream *is, apk_archive_entry_parser parser, teis.mtime = entry.mtime; apk_xattr_array_resize(&entry.xattrs, 0); + if (entry.size >= SSIZE_MAX-512) goto err; + if (paxlen) { handle_extended_header(&entry, APK_BLOB_PTR_LEN(pax.ptr, paxlen)); apk_fileinfo_hash_xattr(&entry); |