Partially fix CVE-2014-9112, part 2/5. From 54d1c42ac2cb91389fca04a5018ad573e4ae265a Mon Sep 17 00:00:00 2001 From: Sergey Poznyakoff Date: Mon, 01 Dec 2014 19:10:39 +0000 Subject: Bugfix * src/copyin.c (get_link_name): Fix range checking. * tests/symlink-bad-length.at: Change expected error message. --- diff --git a/src/copyin.c b/src/copyin.c index c502c7d..042cc41 100644 --- a/src/copyin.c +++ b/src/copyin.c @@ -128,17 +128,17 @@ tape_skip_padding (int in_file_des, off_t offset) static char * get_link_name (struct cpio_file_stat *file_hdr, int in_file_des) { - off_t n = file_hdr->c_filesize + 1; char *link_name; - if (n == 0 || n > SIZE_MAX) + if (file_hdr->c_filesize < 0 || file_hdr->c_filesize > SIZE_MAX-1) { - error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name); + error (0, 0, _("%s: stored filename length is out of range"), + file_hdr->c_name); link_name = NULL; } else { - link_name = xmalloc (n); + link_name = xmalloc (file_hdr->c_filesize); tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize); link_name[file_hdr->c_filesize] = '\0'; tape_skip_padding (in_file_des, file_hdr->c_filesize); diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at index 6f804b1..cbf4aa7 100644 --- a/tests/symlink-bad-length.at +++ b/tests/symlink-bad-length.at @@ -42,7 +42,7 @@ test $? -eq 2 ], [0], [-rw-rw-r-- 1 10029 10031 13 Nov 25 13:52 FILE -],[cpio: LINK: stored filename length too big +],[cpio: LINK: stored filename length is out of range cpio: premature end of file ]) -- cgit v0.9.0.2