Commit 6b9a07d1 authored by Timo Teräs's avatar Timo Teräs

archive: fix incorrect bounds checking for memory allocation

The value from tar header is unsigned int; keep it casted to
unsigned int and size_t instead of (signed) int, otherwise
the comparisons fail to do their job properly. Additionally check
entry.size against SSIZE_MAX so the rounding up later on is
guaranteed to not overflow.

Fixes CVE-2017-9669 and CVE-2017-9671.
Reported-by: Ariel Zelivansky from Twistlock
parent 5d439c47
......@@ -59,7 +59,7 @@ struct apk_tar_digest_info {
#define GET_OCTAL(s) get_octal(s, sizeof(s))
#define PUT_OCTAL(s,v) put_octal(s, sizeof(s), v)
static int get_octal(char *s, size_t l)
static unsigned int get_octal(char *s, size_t l)
apk_blob_t b = APK_BLOB_PTR_LEN(s, l);
return apk_blob_pull_uint(&b, 8);
......@@ -133,7 +133,7 @@ static void tar_entry_close(void *stream)
static int blob_realloc(apk_blob_t *b, int newsize)
static int blob_realloc(apk_blob_t *b, size_t newsize)
char *tmp;
if (b->len >= newsize) return 0;
......@@ -233,6 +233,8 @@ int apk_tar_parse(struct apk_istream *is, apk_archive_entry_parser parser,
teis.mtime = entry.mtime;
apk_xattr_array_resize(&entry.xattrs, 0);
if (entry.size >= SSIZE_MAX-512) goto err;
if (paxlen) {
handle_extended_header(&entry, APK_BLOB_PTR_LEN(pax.ptr, paxlen));
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment