1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
From cb07844454d8cc9fb21f53ace75975f91185a120 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org>
Date: Mon, 14 Jan 2019 15:22:09 +0200
Subject: [PATCH] Fix possible NULL dereference (savannah bug #55369)
* src/sparse.c (pax_decode_header): Check return from find_next_block.
Upstream-Status: Backport
CVE: CVE-2019-9923
Affects: tar < 1.32
Signed-off-by: Armin kuster <akuster@mvista.com>
---
src/sparse.c | 4 ++++
1 file changed, 4 insertions(+)
Index: tar-1.30/src/sparse.c
===================================================================
--- tar-1.30.orig/src/sparse.c
+++ tar-1.30/src/sparse.c
@@ -1231,6 +1231,8 @@ pax_decode_header (struct tar_sparse_fil
set_next_block_after (b); \
file->dumped_size += BLOCKSIZE; \
b = find_next_block (); \
+ if (!b) \
+ FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); \
src = b->buffer; \
endp = b->buffer + BLOCKSIZE; \
} \
@@ -1243,6 +1245,8 @@ pax_decode_header (struct tar_sparse_fil
set_next_block_after (current_header);
file->dumped_size += BLOCKSIZE;
blk = find_next_block ();
+ if (!blk)
+ FATAL_ERROR ((0, 0, _("Unexpected EOF in archive")));
p = blk->buffer;
COPY_BUF (blk,nbuf,p);
if (!decode_num (&u, nbuf, TYPE_MAXIMUM (size_t)))
|