File tar-heap_overflow_in_rtapelib.patch of Package tar

From 9bc39283e4cc6ab9e5913ccbf766998eab4ff093 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org.ua>
Date: Mon, 01 Mar 2010 08:49:03 +0000
Subject: Bugfixes in rtapelib

* lib/rmt.h (rmtcreat): Use fcntl O_ macros insead of
their hardcoded values.
* lib/rtapelib.c (rmt_read__,rmt_ioctl__): Prevent
potential overflow.
---
diff --git a/lib/rmt.h b/lib/rmt.h
index 50f037c..2ce9dc5 100644
--- a/lib/rmt.h
+++ b/lib/rmt.h
@@ -61,7 +61,7 @@ extern bool force_local_option;
 
 #define rmtcreat(dev_name, mode, command) \
    (_remdev (dev_name) \
-    ? rmt_open__ (dev_name, 1 | O_CREAT, __REM_BIAS, command) \
+    ? rmt_open__ (dev_name, O_CREAT | O_WRONLY, __REM_BIAS, command) \
     : creat (dev_name, mode))
 
 #define rmtlstat(dev_name, muffer) \
diff --git a/lib/rtapelib.c b/lib/rtapelib.c
index 02ad1e7..cb645db 100644
--- a/lib/rtapelib.c
+++ b/lib/rtapelib.c
@@ -573,7 +573,8 @@ rmt_read__ (int handle, char *buffer, size_t length)
 
   sprintf (command_buffer, "R%lu\n", (unsigned long) length);
   if (do_command (handle, command_buffer) == -1
-      || (status = get_status (handle)) == SAFE_READ_ERROR)
+      || (status = get_status (handle)) == SAFE_READ_ERROR
+      || status > length)
     return SAFE_READ_ERROR;
 
   for (counter = 0; counter < status; counter += rlen, buffer += rlen)
@@ -709,6 +710,12 @@ rmt_ioctl__ (int handle, int operation, char *argument)
 	    || (status = get_status (handle), status == -1))
 	  return -1;
 
+	if (status > sizeof (struct mtop))
+	  {
+	    errno = EOVERFLOW;
+	    return -1;
+	  }
+	
 	for (; status > 0; status -= counter, argument += counter)
 	  {
 	    counter = safe_read (READ_SIDE (handle), argument, status);
--
cgit v0.8.2.1