File CVE-2015-8933.patch of Package libarchive.2786

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2015-8933.patch of Package libarchive.2786

commit bf4f6ec64ef3edefbc41172692868fb8df514805
Author: Michihiro NAKAJIMA <ggcueroad@gmail.com>
Date:   Sat Jul 12 11:33:42 2014 +0900

Fix issue 356: properly skip a sparse file entry in a tar file.

Index: libarchive-3.1.2/libarchive/archive_read_support_format_tar.c
===================================================================
--- libarchive-3.1.2.orig/libarchive/archive_read_support_format_tar.c
+++ libarchive-3.1.2/libarchive/archive_read_support_format_tar.c
@@ -581,13 +581,27 @@ static int
 archive_read_format_tar_skip(struct archive_read *a)
 {
 	int64_t bytes_skipped;
+	int64_t request;
+	struct sparse_block *p;
 	struct tar* tar;
 
 	tar = (struct tar *)(a->format->data);
 
-	bytes_skipped = __archive_read_consume(a,
-	    tar->entry_bytes_remaining + tar->entry_padding + 
-	    tar->entry_bytes_unconsumed);
+	/* Do not consume the hole of a sparse file. */
+	request = 0;
+	for (p = tar->sparse_list; p != NULL; p = p->next) {
+		if (!p->hole) {
+			if (p->remaining >= INT64_MAX - request) {
+				return ARCHIVE_FATAL;
+			}
+			request += p->remaining;
+		}
+	}
+	if (request > tar->entry_bytes_remaining)
+	        request = tar->entry_bytes_remaining;
+	request += tar->entry_padding + tar->entry_bytes_unconsumed;
+
+	bytes_skipped = __archive_read_consume(a, request);
 	if (bytes_skipped < 0)
 		return (ARCHIVE_FATAL);
 
@@ -2075,6 +2089,10 @@ gnu_add_sparse_entry(struct archive_read
 	else
 		tar->sparse_list = p;
 	tar->sparse_last = p;
+	if (remaining < 0 || offset < 0) {
+		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, "Malformed sparse map data");
+		return (ARCHIVE_FATAL);
+	}
 	p->offset = offset;
 	p->remaining = remaining;
 	return (ARCHIVE_OK);

Places

File CVE-2015-8933.patch of Package libarchive.2786

Places