Signature files larger than INT_MAX are already suspicious, but if they are larger than SIZE_MAX, this code couldn't even copy them into memory, accepting them as "blank" files at worst.
While adding the INT_MAX check, I also rearranged the code to avoid a quite harmless TOCTOU race condition between stat() and fopen(). Signed-off-by: Tobias Stoeckmann <[email protected]> --- lib/libalpm/be_package.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/libalpm/be_package.c b/lib/libalpm/be_package.c index c9ed770..055fb1e 100644 --- a/lib/libalpm/be_package.c +++ b/lib/libalpm/be_package.c @@ -700,17 +700,16 @@ static int read_sigfile(const char *sigpath, unsigned char **sig) struct stat st; FILE *fp; - if(stat(sigpath, &st) != 0) { + if((fp = fopen(sigpath, "rb")) == NULL) { return -1; } - MALLOC(*sig, st.st_size, return -1); - - if((fp = fopen(sigpath, "rb")) == NULL) { - free(*sig); + if(fstat(fileno(fp), &st) != 0 || st.st_size > INT_MAX) { return -1; } + MALLOC(*sig, st.st_size, return -1); + if(fread(*sig, st.st_size, 1, fp) != 1) { free(*sig); fclose(fp); -- 2.8.3
