author | Ben Hutchings <ben@decadent.org.uk> | 2021-04-28 19:46:47 +0200 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2021-04-29 16:03:19 +0200 |
commit | 2e48a12ab1e30d43498c2d53e878a11a1b5102d5 (patch) | |
tree | 8f65b3468bf8ef695693017acfe2fe7032d29f62 | |
parent | 9b1c91577aef7f2e72c3aa11a27749160bd278ff (diff) | |
download | klibc-2e48a12ab1e30d43498c2d53e878a11a1b5102d5.tar.gz |
[klibc] cpio: Fix possible crash on 64-bit systems (klibc-2.0.9)
copyin_link() tries to allocate (unsigned int)c_filesize + 1 bytes.
If c_filesize == UINT_MAX, this works out as 0 bytes, resulting in a
null pointer and a subsequent SIGSEGV.
The previous commit made this impossible on 32-bit systems.
CVE-2021-31871
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r-- | usr/utils/cpio.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/usr/utils/cpio.c b/usr/utils/cpio.c
index ac481310bf982..9b0b6ae9877e9 100644
--- a/usr/utils/cpio.c
+++ b/usr/utils/cpio.c
@@ -832,7 +832,7 @@ static void copyin_link(struct new_cpio_header *file_hdr, int in_file_des)
 char *link_name = NULL; /* Name of hard and symbolic links. */
 int res; /* Result of various function calls. */
- link_name = (char *)xmalloc((unsigned int)file_hdr->c_filesize + 1);
+ link_name = (char *)xmalloc(file_hdr->c_filesize + 1);
 link_name[file_hdr->c_filesize] = '\0';
 tape_buffered_read(link_name, in_file_des, file_hdr->c_filesize);
 tape_skip_padding(in_file_des, file_hdr->c_filesize); |
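Review bot: The size passed to xmalloc() on the `+` line still comes straight from the archive header, so a malformed entry can request a link-name buffer of c_filesize + 1 bytes with no upper bound applied in this hunk. A name longer than PATH_MAX cannot be a usable link target, so a guard ahead of the allocation such as `if (file_hdr->c_filesize > PATH_MAX) { /* report the entry and skip its data */ }` would bound it; how the entry is skipped depends on code outside the hunk. The no-wrap property now presumably relies on c_filesize being wider than unsigned int on 64-bit builds and on the previous commit's check on 32-bit ones, neither of which is visible here, so a one-line comment such as `/* c_filesize + 1 cannot wrap: see the size check on the header */` would keep a later cast from reintroducing the bug. copyin_link's body continues past the end of the hunk.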