52 lines
1.6 KiB
Diff
52 lines
1.6 KiB
Diff
Partially fix CVE-2014-9112, part 2/5.
|
|
|
|
From 54d1c42ac2cb91389fca04a5018ad573e4ae265a Mon Sep 17 00:00:00 2001
|
|
From: Sergey Poznyakoff <gray@gnu.org.ua>
|
|
Date: Mon, 01 Dec 2014 19:10:39 +0000
|
|
Subject: Bugfix
|
|
|
|
* src/copyin.c (get_link_name): Fix range checking.
|
|
* tests/symlink-bad-length.at: Change expected error message.
|
|
---
|
|
diff --git a/src/copyin.c b/src/copyin.c
|
|
index c502c7d..042cc41 100644
|
|
--- a/src/copyin.c
|
|
+++ b/src/copyin.c
|
|
@@ -128,17 +128,17 @@ tape_skip_padding (int in_file_des, off_t offset)
|
|
static char *
|
|
get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
|
|
{
|
|
- off_t n = file_hdr->c_filesize + 1;
|
|
char *link_name;
|
|
|
|
- if (n == 0 || n > SIZE_MAX)
|
|
+ if (file_hdr->c_filesize < 0 || file_hdr->c_filesize > SIZE_MAX-1)
|
|
{
|
|
- error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);
|
|
+ error (0, 0, _("%s: stored filename length is out of range"),
|
|
+ file_hdr->c_name);
|
|
link_name = NULL;
|
|
}
|
|
else
|
|
{
|
|
- link_name = xmalloc (n);
|
|
+ link_name = xmalloc (file_hdr->c_filesize);
|
|
tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
|
|
link_name[file_hdr->c_filesize] = '\0';
|
|
tape_skip_padding (in_file_des, file_hdr->c_filesize);
|
|
diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
|
|
index 6f804b1..cbf4aa7 100644
|
|
--- a/tests/symlink-bad-length.at
|
|
+++ b/tests/symlink-bad-length.at
|
|
@@ -42,7 +42,7 @@ test $? -eq 2
|
|
],
|
|
[0],
|
|
[-rw-rw-r-- 1 10029 10031 13 Nov 25 13:52 FILE
|
|
-],[cpio: LINK: stored filename length too big
|
|
+],[cpio: LINK: stored filename length is out of range
|
|
cpio: premature end of file
|
|
])
|
|
|
|
--
|
|
cgit v0.9.0.2
|