The function process_pax_header() in get_header_tar.c incorrectly sanity checks the length of the record with:
(int)sz < 0 If the value of len is 0xffffffff - n, then sz will increase by n + 1 bypassing the check. The pointer p will also decrease by n + 1 allowing a series of NUL byte writes to arbitrary locations below the allocated buffer. Fix this by instead checking that len does not exceed size. Also do the sanity checks before modifying sz or p. Signed-off-by: Ryan Mallon <[email protected]> --- archival/libarchive/get_header_tar.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) diff --git a/archival/libarchive/get_header_tar.c b/archival/libarchive/get_header_tar.c index bc09756..5956d01 100644 --- a/archival/libarchive/get_header_tar.c +++ b/archival/libarchive/get_header_tar.c @@ -113,9 +113,7 @@ static void process_pax_hdr(archive_handle_t *archive_handle, unsigned sz, int g /* expect errno to be EINVAL, because the character * following the digits should be a space */ - p += len; - sz -= len; - if ((int)sz < 0 + if (len > sz || len == 0 || errno != EINVAL || *end != ' ' @@ -126,6 +124,10 @@ static void process_pax_hdr(archive_handle_t *archive_handle, unsigned sz, int g // archive_handle->offset - (sz + len)); break; } + + p += len; + sz -= len; + /* overwrite the terminating newline with NUL * (we do not bother to check that it *was* a newline) */ -- 1.7.1 _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
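Review bot: in the first hunk, the new test `len > sz || len == 0` depends on len being an unsigned type no wider than sz, and the declaration of len is outside the visible context. The signature shows `unsigned sz`; if len were a wider signed type, a negative value could pass `len > sz` and still move p backwards at `p += len`. Please confirm the type of len, or say so in the commit message. The `len == 0` rejection is also new and is not mentioned in the commit message; a short note in the message or in the comment above the condition on why a zero-length record is invalid would help later readers.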
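Review bot: in the second hunk, the commented-out debug line `// archive_handle->offset - (sz + len));` in the error path still adds len back to sz. That only made sense in the old ordering, where sz had already been reduced before the check. With `sz -= len` now placed after the `break`, sz is unmodified on the error path, and `sz + len` can wrap for exactly the large len values this patch is meant to reject. Suggest changing the expression to use sz alone, or removing the dead line, so it does not mislead if someone re-enables it.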
