authorTimo Teräs <timo.teras@iki.fi>2017-06-21 15:12:02 +0300
committerTimo Teräs <timo.teras@iki.fi>2017-06-23 09:59:55 +0300
commit74484710d67a92d89dfc45e0d04c02b6ee9cb1ec (patch)
tree9ea8ceb9f485b924f26495fb9a5eb1de49bdea2a
parentd5dad7b7eba2434342ef663e370c4499567c1b59 (diff)
archive: fix incorrect bounds checking for memory allocation
The value from tar header is unsigned int; keep it casted to unsigned int and size_t instead of (signed) int, otherwise the comparisons fail to do their job properly. Additionally check entry.size against SSIZE_MAX so the rounding up later on is guaranteed to not overflow. Fixes CVE-2017-9669 and CVE-2017-9671. Reported-by: Ariel Zelivansky from Twistlock (cherry picked from commit 286aa77ef1811e477895713df162c92b2ffc6df8)
-rw-r--r--src/archive.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/archive.c b/src/archive.c
index 07b33e2..eb9e67c 100644
--- a/src/archive.c
+++ b/src/archive.c
@@ -59,7 +59,7 @@ struct apk_tar_digest_info {
#define GET_OCTAL(s) get_octal(s, sizeof(s))
#define PUT_OCTAL(s,v) put_octal(s, sizeof(s), v)
-static int get_octal(char *s, size_t l)
+static unsigned int get_octal(char *s, size_t l)
{
apk_blob_t b = APK_BLOB_PTR_LEN(s, l);
return apk_blob_pull_uint(&b, 8);
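Review bot: get_octal still has no way to signal a malformed field, because `return apk_blob_pull_uint(&b, 8);` hands the parsed value straight back and nothing in the hunk inspects `b` after the pull. Now that the result is unsigned, every caller that uses it as a length has to range-check it itself, and that contract is not written down anywhere in the visible lines. I would add a header comment such as `/* Parses an octal tar header field; the value is attacker-controlled and must be bounds-checked by the caller before use as a size. */`. If apk_blob_pull_uint marks the blob invalid on a non-octal digit (not visible here, so please confirm), checking that state before returning would let bad headers be rejected early.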
@@ -133,7 +133,7 @@ static void tar_entry_close(void *stream)
{
}
-static int blob_realloc(apk_blob_t *b, int newsize)
+static int blob_realloc(apk_blob_t *b, size_t newsize)
{
char *tmp;
if (b->len >= newsize) return 0;
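Review bot: The guard `if (b->len >= newsize) return 0;` now compares `b->len` against a `size_t`, and the declared type of `len` is not visible in this hunk. If `len` is a signed type, it is converted to unsigned for the comparison, so a negative length would compare as very large and skip the reallocation. Making the intent explicit avoids relying on the implicit conversion: `if (b->len >= 0 && (size_t)b->len >= newsize) return 0;`. The rest of blob_realloc lies outside the hunk, so also confirm that the allocation and the assignment back to `b->len` handle the full `size_t` range.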
@@ -233,6 +233,8 @@ int apk_tar_parse(struct apk_istream *is, apk_archive_entry_parser parser,
teis.mtime = entry.mtime;
apk_xattr_array_resize(&entry.xattrs, 0);
+ if (entry.size >= SSIZE_MAX-512) goto err;
+
if (paxlen) {
handle_extended_header(&entry, APK_BLOB_PTR_LEN(pax.ptr, paxlen));
apk_fileinfo_hash_xattr(&entry);
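Review bot: The added `if (entry.size >= SSIZE_MAX-512) goto err;` jumps to the error path without assigning an error code, and neither the `err` label nor the variable that apk_tar_parse returns is visible in this hunk. If that variable still holds the result of the preceding successful read, an oversized entry could end parsing without a negative return, so set an explicit negative errno value before the jump. The check also deserves a one-line comment stating its purpose, for example `/* reject sizes that would overflow when rounded up to the 512-byte block size */`. `SSIZE_MAX` comes from `<limits.h>`; the diff adds no include, so confirm the header is already pulled in on all supported libcs.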