1 From fc8c6d2786ecba731d77d33fe3b034f581fcbde3 Mon Sep 17 00:00:00 2001
2 From: Ben Wagner <bungeman@chromium.org>
3 Date: Tue, 19 Jul 2022 13:02:40 -0400
4 Subject: [PATCH] Validate entry_bytes_remaining in pax_attribute
6 The `size` attribute may contain a negative or too large value. Check
7 the range of the `entry_bytes_remaining` in `pax_attribute` the same way
8 as `header_common`. The test which is added passes both with and without
9 this change in a normal debug build. It is necessary to run with
10 `-fsanitize=undefined` to see that the undefined behavior is avoided.
12 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48467
14 libarchive/archive_read_support_format_tar.c | 15 ++++++
15 1 files changed, 15 insertions(+)
17 diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
18 index bfdad7f8..e31f1cc4 100644
19 --- a/libarchive/archive_read_support_format_tar.c
20 +++ b/libarchive/archive_read_support_format_tar.c
21 @@ -2108,6 +2108,21 @@ pax_attribute(struct archive_read *a, struct tar *tar,
22 /* "size" is the size of the data in the entry. */
23 tar->entry_bytes_remaining
24 = tar_atol10(value, strlen(value));
25 + if (tar->entry_bytes_remaining < 0) {
26 + tar->entry_bytes_remaining = 0;
27 + archive_set_error(&a->archive,
29 + "Tar size attribute is negative");
30 + return (ARCHIVE_FATAL);
32 + if (tar->entry_bytes_remaining == INT64_MAX) {
33 + /* Note: tar_atol returns INT64_MAX on overflow */
34 + tar->entry_bytes_remaining = 0;
35 + archive_set_error(&a->archive,
37 + "Tar size attribute overflow");
38 + return (ARCHIVE_FATAL);
41 * The "size" pax header keyword always overrides the
42 * "size" field in the tar header.
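Review bot: The two new guards after the `tar_atol10` call repeat, per the commit description, the range check already made in `header_common`, so the accepted range of `entry_bytes_remaining` now lives in two places that can drift apart; a single `static` helper that validates a parsed size and sets the error would keep the pax `size` keyword and the header field in agreement. The `INT64_MAX` comparison treats the overflow sentinel as an error, which also rejects a value that is literally INT64_MAX — worth stating in the comment, e.g. `/* tar_atol10 returns INT64_MAX on overflow, so an exact INT64_MAX is rejected too */`. Several lines of this hunk (the closing brace of each `if` block and the error-code argument of each `archive_set_error` call) appear to have been dropped from this rendering, so brace balance cannot be checked here. pax_attribute's body begins and ends outside the hunk.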