authorMartin Matuska <mm@FreeBSD.org>2016-12-06 00:35:20 +0000
committerMartin Matuska <mm@FreeBSD.org>2016-12-06 00:35:20 +0000
commit36f3c6516a97ac526e7eb80728aa2af5b0d1f1df (patch)
tree978073472ac3f1d7e677247714828707eb839bcb /libarchive/archive_read_support_format_ar.c
parent640b179f4e7e86a0b71cd44a4423eabf356cde4c (diff)
Update vendor/libarchive to git ddb3954bfdb9a0a98d50fb1c50cbecb603d9adf0
Vendor bugfixes: libarchive #831: Spelling fixes libarchive #832: Relax sanity checks of number fields in tar header even more OSS-Fuzz #16: Fix possible hang in uudecode_filter_read() OSS-Fuzz #220: Reject an 'ar' filename table larger than 1GB or a filename larger than 1MB.
Notes
Notes: svn path=/vendor/libarchive/dist/; revision=309587
Diffstat (limited to 'libarchive/archive_read_support_format_ar.c')
-rw-r--r--libarchive/archive_read_support_format_ar.c17
1 files changed, 10 insertions, 7 deletions
diff --git a/libarchive/archive_read_support_format_ar.c b/libarchive/archive_read_support_format_ar.c
index 4b5b66bd50a6..c766cbaba7a8 100644
--- a/libarchive/archive_read_support_format_ar.c
+++ b/libarchive/archive_read_support_format_ar.c
@@ -260,7 +260,7 @@ _ar_read_header(struct archive_read *a, struct archive_entry *entry,
archive_entry_set_filetype(entry, AE_IFREG);
/* Get the size of the filename table. */
number = ar_atol10(h + AR_size_offset, AR_size_size);
- if (number > SIZE_MAX) {
+ if (number > SIZE_MAX || number > 1024 * 1024 * 1024) {
archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
"Filename table too large");
return (ARCHIVE_FATAL);
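Review bot: The new bound in `number > SIZE_MAX || number > 1024 * 1024 * 1024` is a bare magic number applied to a size field parsed from the archive header, and nothing at the check says why 1 GiB was chosen or what it protects. A named constant or a short comment such as `/* Size comes from the untrusted header: cap the filename table at 1 GiB. */` would make the limit reviewable; the same applies to `number > 1024 * 1024` in the second hunk. Wherever size_t is at least 32 bits, the `number > SIZE_MAX` clause is already implied by the new one, so it only matters on narrower targets. The code that consumes `number` lies outside this hunk, so it cannot be judged from here whether a table just under the cap is allocated before its bytes are known to be present.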
@@ -342,16 +342,19 @@ _ar_read_header(struct archive_read *a, struct archive_entry *entry,
/* Parse the size of the name, adjust the file size. */
number = ar_atol10(h + AR_name_offset + 3, AR_name_size - 3);
- bsd_name_length = (size_t)number;
- /* Guard against the filename + trailing NUL
- * overflowing a size_t and against the filename size
- * being larger than the entire entry. */
- if (number > (uint64_t)(bsd_name_length + 1)
- || (int64_t)bsd_name_length > ar->entry_bytes_remaining) {
+ /* Sanity check the filename length:
+ * = Must be <= SIZE_MAX - 1
+ * = Must be <= 1MB
+ * = Cannot be bigger than the entire entry
+ */
+ if (number > SIZE_MAX - 1
+ || number > 1024 * 1024
+ || (int64_t)number > ar->entry_bytes_remaining) {
archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
"Bad input file size");
return (ARCHIVE_FATAL);
}
+ bsd_name_length = (size_t)number;
ar->entry_bytes_remaining -= bsd_name_length;
/* Adjust file size reported to client. */
archive_entry_set_size(entry, ar->entry_bytes_remaining);
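Review bot: The cast in `(int64_t)number > ar->entry_bytes_remaining` is only in range because the two clauses before it have already rejected anything above 1 MiB, so the order of the `||` operands is load-bearing and the new comment block does not say so (this assumes `number` is an unsigned 64-bit value, as the removed `(uint64_t)` comparison suggests). I would add one line to that comment, e.g. `* The size limits come first so the (int64_t) cast below stays in range.` The failure path still reports `"Bad input file size"`, which describes the entry rather than the over-long name; `"Bad filename length"` would be easier to triage, provided nothing matches on the old text. `_ar_read_header` starts and ends outside the hunk.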