cpio: Fix memory overrun on reading improperly created link records Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com> http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d * src/copyin.c (get_link_name): New function. (list_file, copyin_link): use get_link_name * tests/symlink-bad-length.at: New file. * tests/symlink-long.at: New file. * tests/Makefile.am: Add new files. * tests/testsuite.at: Likewise. See http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html Upstream-Status: Backport Signed-off-by: Sergey Poznyakoff <gray@gnu.org.ua>
diff -Nurp cpio-2.8.orig/src/copyin.c cpio-2.8/src/copyin.c
--- cpio-2.8.orig/src/copyin.c 2007-06-07 19:58:03.000000000 +0800
+++ cpio-2.8/src/copyin.c 2014-12-08 11:30:01.159791484 +0800
@@ -126,6 +126,28 @@ tape_skip_padding (int in_file_des, int
 }
 
 
+static char *
+get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
+{
+  off_t n = file_hdr->c_filesize + 1;
+  char *link_name;
+
+  if (n == 0 || n > SIZE_MAX)
+    {
+      error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);
+      link_name = NULL;
+    }
+  else
+    {
+      link_name = xmalloc (n);
+      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+      link_name[file_hdr->c_filesize] = '\0';
+      tape_skip_padding (in_file_des, file_hdr->c_filesize);
+    }
+  return link_name;
+}
+
+
 static void
 list_file(struct cpio_file_stat* file_hdr, int in_file_des)
 {
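Review bot: The guard `if (n == 0 || n > SIZE_MAX)` does not reject a negative stored length: `n` is declared `off_t`, a signed type, so when it is compared with the unsigned `SIZE_MAX` a negative `n` is either converted to a huge unsigned value that is not greater than SIZE_MAX, or SIZE_MAX is converted to off_t and the negative value is again not greater than it; a c_filesize of -2 or below therefore reaches `xmalloc (n)` (truncated to a small size where off_t is wider than size_t) while `tape_buffered_read` is still handed the original count. Widening the check to `if (n <= 0 || n > SIZE_MAX)` closes that case with one token. The hunk does not show whether copyin.c already includes <stdint.h> for SIZE_MAX; the backport needs that include if the 2.8 file lacks it. A comment on the first line of the body would also help, e.g. `/* One extra byte for the terminating NUL; n == 0 means the stored size wrapped.  */`.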
@@ -136,21 +158,16 @@ list_file(struct cpio_file_stat* file_hd
     {
       if (archive_format != arf_tar && archive_format != arf_ustar)
         {
-          char *link_name = NULL; /* Name of hard and symbolic links. */
-
-          link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
-          link_name[file_hdr->c_filesize] = '\0';
-          tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
-          long_format (file_hdr, link_name);
-          free (link_name);
-          tape_skip_padding (in_file_des, file_hdr->c_filesize);
-          return;
+          char *link_name = get_link_name (file_hdr, in_file_des);
+          if (link_name)
+            {
+              long_format (file_hdr, link_name);
+              free (link_name);
+            }
         }
       else
-        {
           long_format (file_hdr, file_hdr->c_tar_linkname);
-          return;
-        }
+      return;
     }
   else
 #endif
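Review bot: When `get_link_name` returns NULL the new `if (link_name)` branch silently drops the entry from the listing after the diagnostic, and because the failing path of get_link_name neither reads nor skips the link body (the removed lines did both unconditionally), the archive position is left at the start of that body, so every header read afterwards comes from the wrong offset. A comment on the `if (link_name)` line would stop the next reader from assuming the stream has been resynchronised, e.g. `/* NULL: length rejected by get_link_name; the entry body was not consumed, so later records cannot be trusted.  */`. list_file begins and ends outside the hunk, so whether a caller stops after the error is not visible here.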
@@ -732,10 +749,7 @@ copyin_link(struct cpio_file_stat *file_
   if (archive_format != arf_tar && archive_format != arf_ustar)
     {
-      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
-      link_name[file_hdr->c_filesize] = '\0';
-      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
-      tape_skip_padding (in_file_des, file_hdr->c_filesize);
+      link_name = get_link_name (file_hdr, in_file_des);
     }
   else
     {
diff -Nurp cpio-2.8.orig/tests/Makefile.am cpio-2.8/tests/Makefile.am
paule/bracket-fixes paule/buildhistory-cmdline-memres paule/buildhistory-fix1 paule/buildhistory-fixes2 paule/buildhistory-sigs paule/buildhistory-single-commit paule/buildhistory-src-uri paule/ca-certificates-native paule/copyleft-agpl paule/core-fixes paule/correctness-fixes paule/create-pull-request paule/create-pull-request-cgit paule/ddimage-fixes2 paule/devtool-edit-recipe-selftest-fix paule/devtool-fetch-fix paule/devtool-fetch-fix-pyro paule/devtool-git-fix1 paule/devtool-localfiles paule/devtool-menuconfig paule/devtool-recipeutils-fixes paule/devtool-selftest-fix paule/devtool-singletask-lock-fix paule/devtool-tinfoil2-fix paule/devtool-update-recipe paule/devtool-upgrade-fixes paule/devtool-utf8 paule/devtool17-oe paule/devtool18 paule/devtool19-oe paule/devtool20-oe paule/devtool21-oe paule/devtool22-oe paule/devtool23-oe paule/devtool25 paule/devtool26 paule/devtool27 paule/devtool28-oe paule/devtool29-oe paule/devtool30-oe paule/devtool31-oe paule/devtool32-oe paule/devtool33-oe paule/devtool36-oe paule/devtool37-oe paule/diffsigs paule/diffsigs-fixes-oe paule/distrodata-selftest-fix paule/esdk-eclipse-fix paule/esdk-fixes3 paule/esdk-fixes4 paule/esdk-initramfs-fixes paule/esdk-require-uninative paule/esdk-runqemu-fixes paule/esdk-runqemu-path paule/esdk-selftest-fix paule/esdk-sigs-fix paule/externalsrc-cleandirs-fixes paule/externalsrc-configure paule/externalsrc-symlinks-fix paule/extsdk-path-fixes paule/extsdk-test-fix paule/extsdkfixes12-oe
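Review bot: `link_name = get_link_name (file_hdr, in_file_des);` can now leave link_name NULL, but the hunk adds no check before the rest of copyin_link uses it; the remainder of the function starts and ends outside the hunk, so unless a NULL test exists below, the rejected-length case proceeds with a NULL link name where the list_file hunk explicitly guards against it. Adding `if (!link_name) return;` directly after the assignment keeps the two callers of get_link_name consistent and makes the error path local to the line that can fail. The tests/Makefile.am section that follows is cut off and is not reviewed here.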