From 285371126a44d50bf81fe7957560bc0c048d1fdb Mon Sep 17 00:00:00 2001 From: Timo Teräs Date: Wed, 21 Jun 2017 15:12:02 +0300 Subject: archive: fix incorrect bounds checking for memory allocation The value from tar header is unsigned int; keep it casted to unsigned int and size_t instead of (signed) int, otherwise the comparisons fail to do their job properly. Additionally check entry.size against SSIZE_MAX so the rounding up later on is guaranteed to not overflow. Fixes CVE-2017-9669 and CVE-2017-9671. Reported-by: Ariel Zelivansky from Twistlock (cherry picked from commit 286aa77ef1811e477895713df162c92b2ffc6df8) --- src/archive.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/archive.c b/src/archive.c index e86a53a..1f36604 100644 --- a/src/archive.c +++ b/src/archive.c @@ -59,7 +59,7 @@ struct apk_tar_digest_info { #define GET_OCTAL(s) get_octal(s, sizeof(s)) #define PUT_OCTAL(s,v) put_octal(s, sizeof(s), v) -static int get_octal(char *s, size_t l) +static unsigned int get_octal(char *s, size_t l) { apk_blob_t b = APK_BLOB_PTR_LEN(s, l); return apk_blob_pull_uint(&b, 8); @@ -128,7 +128,7 @@ static void tar_entry_close(void *stream) { } -static int blob_realloc(apk_blob_t *b, int newsize) +static int blob_realloc(apk_blob_t *b, size_t newsize) { char *tmp; if (b->len >= newsize) return 0; @@ -228,6 +228,8 @@ int apk_tar_parse(struct apk_istream *is, apk_archive_entry_parser parser, teis.mtime = entry.mtime; apk_xattr_array_resize(&entry.xattrs, 0); + if (entry.size >= SSIZE_MAX-512) goto err; + if (paxlen) { handle_extended_header(&entry, APK_BLOB_PTR_LEN(pax.ptr, paxlen)); apk_fileinfo_hash_xattr(&entry); -- cgit v1.2.3