author | Florian Weimer <fweimer@redhat.com> | 2016-09-05 10:12:29 +0200 |
---|---|---|
committer | Panu Matilainen <pmatilai@redhat.com> | 2016-11-02 10:41:53 +0200 |
commit | b1cb0cb18fc9b98b44f5f7381a2ab4558ae7c0cb (patch) | |
tree | 67ff4d93000427693077f4698e9859f7de149195 | |
parent | 8a755e2b2c3220c2da108ecb67b7a43c8d313855 (diff) | |
download | rpm-b1cb0cb18fc9b98b44f5f7381a2ab4558ae7c0cb.tar.gz |
Fix overflow in cpio filename by limiting the allowed length to 4kB
This could lead to a stack-based overflow, while parsing a crafted CPIO header in the payload section of an RPM file.
Fixes: rhbz#1168715, CVE-2014-8118
(cherry picked from commit f255c6bdb27ad1512c043a64195410d46996395a)
-rw-r--r-- | lib/cpio.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/cpio.c b/lib/cpio.c index 253ff0fba..ce3d7709a 100644 --- a/lib/cpio.c +++ b/lib/cpio.c @@ -399,6 +399,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, int * fx) GET_NUM_FIELD(hdr.filesize, fsize); GET_NUM_FIELD(hdr.namesize, nameSize); + if (nameSize <= 0 || nameSize > 4096) { + return RPMERR_BAD_HEADER; + } char name[nameSize + 1]; read = Fread(name, nameSize, 1, cpio->fd); |
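Review bot: The bound in the new `nameSize > 4096` check in rpmcpioHeaderRead() is a bare literal, and nothing in the code records why 4kB was chosen or that this check is what keeps the following `char name[nameSize + 1]` stack allocation bounded. A named constant with a one-line comment would stop a later change from moving or loosening the check without noticing the dependency. Now that the size has a fixed upper limit, the variable-length array could also become a fixed-size buffer of that constant plus one, which makes the worst-case stack use explicit. The type of nameSize is not visible in this hunk: if it is unsigned, the `<= 0` half only rejects zero, so it is worth confirming that GET_NUM_FIELD cannot yield a value that wraps past the upper bound.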