summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTimo Teräs <timo.teras@iki.fi>2017-06-21 15:12:02 +0300
committerTimo Teräs <timo.teras@iki.fi>2017-06-23 10:03:16 +0300
commit285371126a44d50bf81fe7957560bc0c048d1fdb (patch)
tree4442e2e040e367f17e414edf13fa954a74b365fb
parentd07f777934d4377b3f189bf3e057653748b1daa3 (diff)
downloadapk-tools-285371126a44d50bf81fe7957560bc0c048d1fdb.tar.bz2
apk-tools-285371126a44d50bf81fe7957560bc0c048d1fdb.tar.xz
archive: fix incorrect bounds checking for memory allocation
The value from tar header is unsigned int; keep it casted to unsigned int and size_t instead of (signed) int, otherwise the comparisons fail to do their job properly. Additionally check entry.size against SSIZE_MAX so the rounding up later on is guaranteed to not overflow. Fixes CVE-2017-9669 and CVE-2017-9671. Reported-by: Ariel Zelivansky from Twistlock (cherry picked from commit 286aa77ef1811e477895713df162c92b2ffc6df8)
-rw-r--r--src/archive.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/archive.c b/src/archive.c
index e86a53a..1f36604 100644
--- a/src/archive.c
+++ b/src/archive.c
@@ -59,7 +59,7 @@ struct apk_tar_digest_info {
#define GET_OCTAL(s) get_octal(s, sizeof(s))
#define PUT_OCTAL(s,v) put_octal(s, sizeof(s), v)
-static int get_octal(char *s, size_t l)
+static unsigned int get_octal(char *s, size_t l)
{
apk_blob_t b = APK_BLOB_PTR_LEN(s, l);
return apk_blob_pull_uint(&b, 8);
@@ -128,7 +128,7 @@ static void tar_entry_close(void *stream)
{
}
-static int blob_realloc(apk_blob_t *b, int newsize)
+static int blob_realloc(apk_blob_t *b, size_t newsize)
{
char *tmp;
if (b->len >= newsize) return 0;
@@ -228,6 +228,8 @@ int apk_tar_parse(struct apk_istream *is, apk_archive_entry_parser parser,
teis.mtime = entry.mtime;
apk_xattr_array_resize(&entry.xattrs, 0);
+ if (entry.size >= SSIZE_MAX-512) goto err;
+
if (paxlen) {
handle_extended_header(&entry, APK_BLOB_PTR_LEN(pax.ptr, paxlen));
apk_fileinfo_hash_xattr(&entry);