author | Florian Weimer <fweimer@redhat.com> | 2016-09-05 10:12:29 +0200 |
---|---|---|
committer | Florian Festi <ffesti@redhat.com> | 2016-09-05 10:12:29 +0200 |
commit | f255c6bdb27ad1512c043a64195410d46996395a (patch) | |
tree | f421d06ff4ded3b9b68f9eb9392312fb960f149c | |
parent | 394cbfb668655f7aa10ff6b178ec92b44a117ea6 (diff) | |
download | rpm-f255c6bdb27ad1512c043a64195410d46996395a.tar.gz |
Fix overflow in cpio filename by limiting the allowed length to 4kB
This could lead to a stack-based overflow, while parsing a crafted CPIO header in the payload section of an RPM file.
Fixes: rhbz#1168715, CVE-2014-8118
-rw-r--r-- | lib/cpio.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/cpio.c b/lib/cpio.c index 253ff0fba..ce3d7709a 100644 --- a/lib/cpio.c +++ b/lib/cpio.c @@ -399,6 +399,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, int * fx) GET_NUM_FIELD(hdr.filesize, fsize); GET_NUM_FIELD(hdr.namesize, nameSize); + if (nameSize <= 0 || nameSize > 4096) { + return RPMERR_BAD_HEADER; + } char name[nameSize + 1]; read = Fread(name, nameSize, 1, cpio->fd); |
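Review bot: The limit in the added check `if (nameSize <= 0 || nameSize > 4096)` is a bare literal, and the declaration that follows it, `char name[nameSize + 1];`, is still a variable-length stack array sized from a header field. I would give the limit a named constant with a short comment tying it to the 4kB filename limit stated in the commit message, and size the buffer from that constant (or allocate it on the heap), so the worst-case stack use is fixed at compile time and stays correct if the limit is changed later. Placing the `return RPMERR_BAD_HEADER;` before the declaration and before the `Fread` call is the right order, since the value is rejected before any stack allocation depends on it.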