Merge pull request #2775 from AZero13/off-by-one

[tar] Bounds check newdir_len

(cherry picked from commit 26c769ecdc0b9f4dd8f2d6e24d17a975cb9c9a9b)

diff --git a/tar/util.c b/tar/util.c
index fc5e15cb039f202858007df304db90df9073f4dd..6e41e49de133361449aaa4d19f0c4fb9cec51ae0 100644 (file)
--- a/tar/util.c
+++ b/tar/util.c
@@ -314,7 +314,10 @@ set_chdir(struct bsdtar *bsdtar, const char *newdir)
                /* The -C /foo -C bar case; concatenate */
                char *old_pending = bsdtar->pending_chdir;
                size_t old_len = strlen(old_pending);
-        size_t new_len = old_len + strlen(newdir) + 2;
+               size_t newdir_len = strlen(newdir);
+               size_t new_len = old_len + newdir_len + 2;
+               if (old_len > SIZE_MAX - newdir_len - 2)
+                   lafe_errc(1, errno, "Path too long");
                bsdtar->pending_chdir = malloc(new_len);
                if (old_pending[old_len - 1] == '/')
                        old_pending[old_len - 1] = '\0';