From c6d289ab9e604369c25ed2c766842318f74e9256 Mon Sep 17 00:00:00 2001
From: David Oberhollenzer
Date: Thu, 3 Sep 2020 17:51:06 +0200
Subject: Fix integer bounds checking in GNU tar sparse format 1.0 parser
- Make sure the file actually has that many records before trying to read one and fail if not.
- Use the helper macros for size_t overflow checking instead of assuming size_t == uint64_t.
- Impose a "reasonable" upper bound on the number of data segments and insist that there is at least one entry.
Signed-off-by: David Oberhollenzer
---
 lib/tar/internal.h | 1 +
 lib/tar/read_sparse_map_new.c | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/tar/internal.h b/lib/tar/internal.h
index 65e5d45..bea863d 100644
--- a/lib/tar/internal.h
+++ b/lib/tar/internal.h
@@ -42,6 +42,7 @@ enum {
 #define TAR_MAX_SYMLINK_LEN (65536)
 #define TAR_MAX_PATH_LEN (65536)
 #define TAR_MAX_PAX_LEN (65536)
+#define TAR_MAX_SPARSE_ENT (65536)
 int read_octal(const char *str, int digits, sqfs_u64 *out);
diff --git a/lib/tar/read_sparse_map_new.c b/lib/tar/read_sparse_map_new.c
index 246f8a5..f4f0f92 100644
--- a/lib/tar/read_sparse_map_new.c
+++ b/lib/tar/read_sparse_map_new.c
@@ -15,9 +15,10 @@ static int decode(const char *str, size_t len, size_t *out)
 *out = 0;
 while (count < len && isdigit(*str)) {
- if (*out > 0xFFFFFFFFFFFFFFFFUL / 10)
+ if (SZ_MUL_OV(*out, 10, out))
+ return -1;
+ if (SZ_ADD_OV(*out, (*(str++) - '0'), out))
 return -1;
- *out = (*out) * 10 + (*(str++) - '0');
 ++count;
 }
@@ -34,6 +35,9 @@ sparse_map_t *read_gnu_new_sparse(FILE *fp, tar_header_decoded_t *out)
 char buffer[1024];
 int diff, ret;
+ if (out->record_size < 512)
+ goto fail_format;
+
 if (read_retry("reading GNU sparse map", fp, buffer, 512))
 return NULL;
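Review bot: In the `decode()` hunk, the new `SZ_ADD_OV(*out, (*(str++) - '0'), out)` puts a side effect inside a macro argument; the definition of `SZ_ADD_OV` is not visible here, and if any fallback expands its operands more than once, `str` advances twice per digit. Hoisting it removes the dependency: `size_t digit = (size_t)(*(str++) - '0');` then `if (SZ_ADD_OV(*out, digit, out))`. The loop condition on the context line also passes a plain `char` taken from archive data to `isdigit`, which is undefined for negative values where `char` is signed; `isdigit((unsigned char)*str)` is the usual fix. decode's body begins and ends outside the hunk.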
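Review bot: The `out->record_size < 512` guard added before the first `read_retry` in `read_gnu_new_sparse()` is repeated verbatim in the `else` branch of the last hunk (`@@ -51,6 +58,9 @@`), each time with the bare literal 512 that the reads and the `record_size -= 512` bookkeeping also use. A named constant, for example `#define SPARSE_MAP_BLOCK_SIZE (512)` (the name is only a suggestion), or a small static helper that checks, reads and decrements in one place, would keep the bound and the consumed length from drifting apart. For the second site the decrement after the read is not visible in the hunk, so it is worth confirming that `record_size` is reduced there as well; otherwise the guard would compare against a stale value for every further block. The function body starts and ends outside both hunks.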
@@ -43,6 +47,9 @@ sparse_map_t *read_gnu_new_sparse(FILE *fp, tar_header_decoded_t *out)
 out->record_size -= 512;
+ if (count == 0 || count > TAR_MAX_SPARSE_ENT)
+ goto fail_format;
+
 for (i = 0; i < (count * 2); ++i) {
 ret = decode(buffer + diff, 512 - diff, &value);
 if (ret < 0)
@@ -51,6 +58,9 @@ sparse_map_t *read_gnu_new_sparse(FILE *fp, tar_header_decoded_t *out)
 if (ret > 0) {
 diff += ret;
 } else {
+ if (out->record_size < 512)
+ goto fail_format;
+
 if (read_retry("reading GNU sparse map", fp, buffer + 512, 512)) {
 return NULL;
-- cgit v1.2.3
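Review bot: The `count > TAR_MAX_SPARSE_ENT` check in the `@@ -43,6 +47,9 @@` hunk is also what keeps `count * 2` in the following `for` condition from wrapping, but nothing in the code says so. A short comment above the check would stop a later change to the limit from silently dropping that guarantee, for example `/* bound also keeps (count * 2) below from overflowing size_t */`. The check runs after `out->record_size -= 512;`, so a rejected header leaves `record_size` already reduced; whether callers read it after a NULL return is not visible here.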