jimzah/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src.git synced 2024-11-30 04:22:44 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

libarchive: merge security fix from vendor branch

Browse Source 
This commit fixes a couple of security vulnerabilities in the PAX writer:
1. Heap overflow in url_encode() in archive_write_set_format_pax.c
2. NULL dereference in archive_write_pax_header_xattrs()
3. Another NULL dereference in archive_write_pax_header_xattrs()
4. NULL dereference in archive_write_pax_header_xattr()

Security:	No known reference yet
Obtained from:	https://github.com/libarchive/libarchive/commit/1b4e0d0f9
MFC after:	3 days

(cherry picked from commit f10f65999f)
This commit is contained in:
Martin Matuska 2023-09-07 17:18:12 +02:00
parent e59d10aff6
commit 5ed7eb0d97
1 changed files with 25 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
contrib/libarchive/libarchive/archive_write_set_format_pax.c
View File

@ -367,10 +367,12 @@ archive_write_pax_header_xattr(struct pax *pax, const char *encoded_name,
struct archive_string s; struct archive_string s;
char *encoded_value; char *encoded_value;
if (encoded_name == NULL)
return;
if (pax->flags & WRITE_LIBARCHIVE_XATTR) { if (pax->flags & WRITE_LIBARCHIVE_XATTR) {
encoded_value = base64_encode((const char *)value, value_len); encoded_value = base64_encode((const char *)value, value_len);
if (encoded_value != NULL) {
if (encoded_name != NULL && encoded_value != NULL) {
archive_string_init(&s); archive_string_init(&s);
archive_strcpy(&s, "LIBARCHIVE.xattr."); archive_strcpy(&s, "LIBARCHIVE.xattr.");
archive_strcat(&s, encoded_name); archive_strcat(&s, encoded_name);
@ -403,17 +405,22 @@ archive_write_pax_header_xattrs(struct archive_write *a,
archive_entry_xattr_next(entry, &name, &value, &size); archive_entry_xattr_next(entry, &name, &value, &size);
url_encoded_name = url_encode(name); url_encoded_name = url_encode(name);
if (url_encoded_name != NULL) { if (url_encoded_name == NULL)
goto malloc_error;
else {
/* Convert narrow-character to UTF-8. */ /* Convert narrow-character to UTF-8. */
r = archive_strcpy_l(&(pax->l_url_encoded_name), r = archive_strcpy_l(&(pax->l_url_encoded_name),
url_encoded_name, pax->sconv_utf8); url_encoded_name, pax->sconv_utf8);
free(url_encoded_name); /* Done with this. */ free(url_encoded_name); /* Done with this. */
if (r == 0) if (r == 0)
encoded_name = pax->l_url_encoded_name.s; encoded_name = pax->l_url_encoded_name.s;
else if (errno == ENOMEM) { else if (r == -1)
archive_set_error(&a->archive, ENOMEM, goto malloc_error;
"Can't allocate memory for Linkname"); else {
return (ARCHIVE_FATAL); archive_set_error(&a->archive,
ARCHIVE_ERRNO_MISC,
"Error encoding pax extended attribute");
return (ARCHIVE_FAILED);
} }
} }
@ -422,6 +429,9 @@ archive_write_pax_header_xattrs(struct archive_write *a,
} }
return (ARCHIVE_OK); return (ARCHIVE_OK);
malloc_error:
archive_set_error(&a->archive, ENOMEM, "Can't allocate memory");
return (ARCHIVE_FATAL);
} }
static int static int
@ -1904,14 +1914,19 @@ url_encode(const char *in)
{ {
const char *s; const char *s;
char *d; char *d;
int out_len = 0; size_t out_len = 0;
char *out; char *out;
for (s = in; *s != '\0'; s++) { for (s = in; *s != '\0'; s++) {
if (*s < 33 || *s > 126 || *s == '%' || *s == '=') if (*s < 33 || *s > 126 || *s == '%' || *s == '=') {
if (SIZE_MAX - out_len < 4)
return (NULL);
out_len += 3; out_len += 3;
else } else {
if (SIZE_MAX - out_len < 2)
return (NULL);
out_len++; out_len++;
}
} }
out = (char *)malloc(out_len + 1); out = (char *)malloc(out_len + 1);