File tar-CVE-2021-20193.patch of Package tar.18755
From d9d4435692150fa8ff68e1b1a473d187cc3fd777 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org>
Date: Sun, 17 Jan 2021 20:41:11 +0200
Subject: Fix memory leak in read_header
Bug reported in https://savannah.gnu.org/bugs/?59897
* src/list.c (read_header): Don't return directly from the loop.
Instead set the status and break. Return the status. Free
next_long_name and next_long_link before returning.
---
src/list.c | 40 ++++++++++++++++++++++++++++------------
1 file changed, 28 insertions(+), 12 deletions(-)
Index: tar-1.30/src/list.c
===================================================================
--- tar-1.30.orig/src/list.c 2021-03-15 13:45:16.136886071 +0100
+++ tar-1.30/src/list.c 2021-03-15 13:45:16.180886321 +0100
@@ -420,26 +420,27 @@ read_header (union block **return_block,
enum read_header_mode mode)
{
union block *header;
- union block *header_copy;
char *bp;
union block *data_block;
size_t size, written;
- union block *next_long_name = 0;
- union block *next_long_link = 0;
+ union block *next_long_name = NULL;
+ union block *next_long_link = NULL;
size_t next_long_name_blocks = 0;
size_t next_long_link_blocks = 0;
-
+ enum read_header status = HEADER_SUCCESS;
+
while (1)
{
- enum read_header status;
-
header = find_next_block ();
*return_block = header;
if (!header)
- return HEADER_END_OF_FILE;
+ {
+ status = HEADER_END_OF_FILE;
+ break;
+ }
if ((status = tar_checksum (header, false)) != HEADER_SUCCESS)
- return status;
+ break;
/* Good block. Decode file size and return. */
@@ -449,7 +450,10 @@ read_header (union block **return_block,
{
info->stat.st_size = OFF_FROM_HEADER (header->header.size);
if (info->stat.st_size < 0)
- return HEADER_FAILURE;
+ {
+ status = HEADER_FAILURE;
+ break;
+ }
}
if (header->header.typeflag == GNUTYPE_LONGNAME
@@ -459,10 +463,14 @@ read_header (union block **return_block,
|| header->header.typeflag == SOLARIS_XHDTYPE)
{
if (mode == read_header_x_raw)
- return HEADER_SUCCESS_EXTENDED;
+ {
+ status = HEADER_SUCCESS_EXTENDED;
+ break;
+ }
else if (header->header.typeflag == GNUTYPE_LONGNAME
|| header->header.typeflag == GNUTYPE_LONGLINK)
{
+ union block *header_copy;
size_t name_size = info->stat.st_size;
size_t n = name_size % BLOCKSIZE;
size = name_size + BLOCKSIZE;
@@ -529,7 +537,10 @@ read_header (union block **return_block,
xheader_decode_global (&xhdr);
xheader_destroy (&xhdr);
if (mode == read_header_x_global)
- return HEADER_SUCCESS_EXTENDED;
+ {
+ status = HEADER_SUCCESS_EXTENDED;
+ break;
+ }
}
/* Loop! */
@@ -548,6 +559,7 @@ read_header (union block **return_block,
name = next_long_name->buffer + BLOCKSIZE;
recent_long_name = next_long_name;
recent_long_name_blocks = next_long_name_blocks;
+ next_long_name = NULL;
}
else
{
@@ -579,6 +591,7 @@ read_header (union block **return_block,
name = next_long_link->buffer + BLOCKSIZE;
recent_long_link = next_long_link;
recent_long_link_blocks = next_long_link_blocks;
+ next_long_link = NULL;
}
else
{
@@ -590,9 +603,12 @@ read_header (union block **return_block,
}
assign_string (&info->link_name, name);
- return HEADER_SUCCESS;
+ break;
}
}
+ free (next_long_name);
+ free (next_long_link);
+ return status;
}
#define ISOCTAL(c) ((c)>='0'&&(c)<='7')