author | Martin Matuska <mm@FreeBSD.org> | 2016-12-06 00:35:20 +0000 |
---|---|---|
committer | Martin Matuska <mm@FreeBSD.org> | 2016-12-06 00:35:20 +0000 |
commit | 36f3c6516a97ac526e7eb80728aa2af5b0d1f1df (patch) | |
tree | 978073472ac3f1d7e677247714828707eb839bcb /libarchive/archive_read_support_format_ar.c | |
parent | 640b179f4e7e86a0b71cd44a4423eabf356cde4c (diff) | |
Update vendor/libarchive to git ddb3954bfdb9a0a98d50fb1c50cbecb603d9adf0
Vendor bugfixes:
libarchive #831:
Spelling fixes
libarchive #832:
Relax sanity checks of number fields in tar header even more
OSS-Fuzz #16:
Fix possible hang in uudecode_filter_read()
OSS-Fuzz #220:
Reject an 'ar' filename table larger than 1GB or a filename larger
than 1MB.
Notes
Notes:
svn path=/vendor/libarchive/dist/; revision=309587
Diffstat (limited to 'libarchive/archive_read_support_format_ar.c')
-rw-r--r-- | libarchive/archive_read_support_format_ar.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/libarchive/archive_read_support_format_ar.c b/libarchive/archive_read_support_format_ar.c
index 4b5b66bd50a6..c766cbaba7a8 100644
--- a/libarchive/archive_read_support_format_ar.c
+++ b/libarchive/archive_read_support_format_ar.c
@@ -260,7 +260,7 @@ _ar_read_header(struct archive_read *a, struct archive_entry *entry,
 archive_entry_set_filetype(entry, AE_IFREG);
 /* Get the size of the filename table. */
 number = ar_atol10(h + AR_size_offset, AR_size_size);
- if (number > SIZE_MAX) {
+ if (number > SIZE_MAX || number > 1024 * 1024 * 1024) {
 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, "Filename table too large");
 return (ARCHIVE_FATAL);
@@ -342,16 +342,19 @@ _ar_read_header(struct archive_read *a, struct archive_entry *entry,
 /* Parse the size of the name, adjust the file size. */
 number = ar_atol10(h + AR_name_offset + 3, AR_name_size - 3);
- bsd_name_length = (size_t)number;
- /* Guard against the filename + trailing NUL
- * overflowing a size_t and against the filename size
- * being larger than the entire entry. */
- if (number > (uint64_t)(bsd_name_length + 1)
- || (int64_t)bsd_name_length > ar->entry_bytes_remaining) {
+ /* Sanity check the filename length:
+ * = Must be <= SIZE_MAX - 1
+ * = Must be <= 1MB
+ * = Cannot be bigger than the entire entry
+ */
+ if (number > SIZE_MAX - 1
+ || number > 1024 * 1024
+ || (int64_t)number > ar->entry_bytes_remaining) {
 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, "Bad input file size");
 return (ARCHIVE_FATAL);
 }
+ bsd_name_length = (size_t)number;
 ar->entry_bytes_remaining -= bsd_name_length;
 /* Adjust file size reported to client. */
 archive_entry_set_size(entry, ar->entry_bytes_remaining); |
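Review bot: The new bound `number > 1024 * 1024 * 1024` in the first hunk is an unexplained literal, and the second hunk does the same with `1024 * 1024`. I would give both limits named constants and put a comment above this check such as `/* Size comes from untrusted archive data; cap the filename table at 1 GiB. */`. The cap limits the declared size, not the data actually present. If the code after this hunk (not visible here) allocates `number` bytes before reading, a very small archive can still request close to 1 GiB, so that allocation path is worth confirming. `_ar_read_header` starts and ends outside the hunk.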
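Review bot: In the second hunk the cast in `(int64_t)number > ar->entry_bytes_remaining` is safe only because the preceding `number > 1024 * 1024` clause has already rejected large values. This assumes `number` is an unsigned 64-bit value, as the removed `(uint64_t)` cast suggests; its declaration is outside the hunk. The new comment lists the three limits but not this ordering dependency, so reordering or dropping the 1MB clause later would let a value above INT64_MAX turn negative and pass the comparison. I would add a line to the comment such as `* (the 1MB check must stay ahead of the int64_t cast)`. All three failures also report `"Bad input file size"`, which does not say that the filename length was the rejected field; a message naming it would make triage of malformed archives easier.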