Details | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
27 | magnus | 1 | Origin: upstream, http://repo.or.cz/w/libtar.git/commitdiff/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04 |
2 | From: Chris Frey <cdfrey@foursquare.net> |
||
3 | Date: Tue, 1 Oct 2013 15:58:52 -0400 |
||
4 | Subject: [PATCH] Fixed size_t overflow bug, as reported by Timo Warns |
||
5 | |||
6 | --- |
||
7 | lib/block.c | 38 ++++++++++++++++++++++++-------------- |
||
8 | 1 file changed, 24 insertions(+), 14 deletions(-) |
||
9 | |||
10 | diff --git a/lib/block.c b/lib/block.c |
||
11 | index 2917dc6..092bc28 100644 |
||
12 | --- a/lib/block.c |
||
13 | +++ b/lib/block.c |
||
14 | @@ -90,8 +90,8 @@ th_read_internal(TAR *t) |
||
15 | int |
||
16 | th_read(TAR *t) |
||
17 | { |
||
18 | - int i, j; |
||
19 | - size_t sz; |
||
20 | + int i; |
||
21 | + size_t sz, j, blocks; |
||
22 | char *ptr; |
||
23 | |||
24 | #ifdef DEBUG |
||
25 | @@ -118,21 +118,26 @@ th_read(TAR *t) |
||
26 | if (TH_ISLONGLINK(t)) |
||
27 | { |
||
28 | sz = th_get_size(t); |
||
29 | - j = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); |
||
30 | + blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); |
||
31 | + if (blocks > ((size_t)-1 / T_BLOCKSIZE)) |
||
32 | + { |
||
33 | + errno = E2BIG; |
||
34 | + return -1; |
||
35 | + } |
||
36 | #ifdef DEBUG |
||
37 | printf(" th_read(): GNU long linkname detected " |
||
38 | - "(%ld bytes, %d blocks)\n", sz, j); |
||
39 | + "(%ld bytes, %d blocks)\n", sz, blocks); |
||
40 | #endif |
||
41 | - t->th_buf.gnu_longlink = (char *)malloc(j * T_BLOCKSIZE); |
||
42 | + t->th_buf.gnu_longlink = (char *)malloc(blocks * T_BLOCKSIZE); |
||
43 | if (t->th_buf.gnu_longlink == NULL) |
||
44 | return -1; |
||
45 | |||
46 | - for (ptr = t->th_buf.gnu_longlink; j > 0; |
||
47 | - j--, ptr += T_BLOCKSIZE) |
||
48 | + for (j = 0, ptr = t->th_buf.gnu_longlink; j < blocks; |
||
49 | + j++, ptr += T_BLOCKSIZE) |
||
50 | { |
||
51 | #ifdef DEBUG |
||
52 | printf(" th_read(): reading long linkname " |
||
53 | - "(%d blocks left, ptr == %ld)\n", j, ptr); |
||
54 | + "(%d blocks left, ptr == %ld)\n", blocks-j, ptr); |
||
55 | #endif |
||
56 | i = tar_block_read(t, ptr); |
||
57 | if (i != T_BLOCKSIZE) |
||
58 | @@ -163,21 +168,26 @@ th_read(TAR *t) |
||
59 | if (TH_ISLONGNAME(t)) |
||
60 | { |
||
61 | sz = th_get_size(t); |
||
62 | - j = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); |
||
63 | + blocks = (sz / T_BLOCKSIZE) + (sz % T_BLOCKSIZE ? 1 : 0); |
||
64 | + if (blocks > ((size_t)-1 / T_BLOCKSIZE)) |
||
65 | + { |
||
66 | + errno = E2BIG; |
||
67 | + return -1; |
||
68 | + } |
||
69 | #ifdef DEBUG |
||
70 | printf(" th_read(): GNU long filename detected " |
||
71 | - "(%ld bytes, %d blocks)\n", sz, j); |
||
72 | + "(%ld bytes, %d blocks)\n", sz, blocks); |
||
73 | #endif |
||
74 | - t->th_buf.gnu_longname = (char *)malloc(j * T_BLOCKSIZE); |
||
75 | + t->th_buf.gnu_longname = (char *)malloc(blocks * T_BLOCKSIZE); |
||
76 | if (t->th_buf.gnu_longname == NULL) |
||
77 | return -1; |
||
78 | |||
79 | - for (ptr = t->th_buf.gnu_longname; j > 0; |
||
80 | - j--, ptr += T_BLOCKSIZE) |
||
81 | + for (j = 0, ptr = t->th_buf.gnu_longname; j < blocks; |
||
82 | + j++, ptr += T_BLOCKSIZE) |
||
83 | { |
||
84 | #ifdef DEBUG |
||
85 | printf(" th_read(): reading long filename " |
||
86 | - "(%d blocks left, ptr == %ld)\n", j, ptr); |
||
87 | + "(%d blocks left, ptr == %ld)\n", blocks-j, ptr); |
||
88 | #endif |
||
89 | i = tar_block_read(t, ptr); |
||
90 | if (i != T_BLOCKSIZE) |
||
91 | -- |
||
92 | 1.8.4.rc3 |
||
93 |