Reject cpio symlinks that exceed 1MB

author Tim Kientzle <kientzle@acm.org>

Sat, 14 May 2016 19:37:37 +0000 (12:37 -0700)

committer Tim Kientzle <kientzle@acm.org>

Sat, 14 May 2016 19:37:37 +0000 (12:37 -0700)
author Tim Kientzle <kientzle@acm.org>
Sat, 14 May 2016 19:37:37 +0000 (12:37 -0700)
committer Tim Kientzle <kientzle@acm.org>
Sat, 14 May 2016 19:37:37 +0000 (12:37 -0700)
diff --git a/libarchive/archive_read_support_format_cpio.c b/libarchive/archive_read_support_format_cpio.c

index c2ca85bd3ad9990d126bab6d52a3168529686239..b09db0e9a59b2be4d04c8c318f45ca7d16963285 100644 (file)
--- a/libarchive/archive_read_support_format_cpio.c
+++ b/libarchive/archive_read_support_format_cpio.c
@@ -401,6 +401,11 @@ archive_read_format_cpio_read_header(struct archive_read *a,
  
         /* If this is a symlink, read the link contents. */
         if (archive_entry_filetype(entry) == AE_IFLNK) {
+               if (cpio->entry_bytes_remaining > 1024 * 1024) {
+                       archive_set_error(&a->archive, ENOMEM,
+                           "Rejecting malformed cpio archive: symlink contents exceed 1 megabyte");
+                       return (ARCHIVE_FATAL);
+               }
                 h = __archive_read_ahead(a,
                         (size_t)cpio->entry_bytes_remaining, NULL);
                 if (h == NULL)
author	Tim Kientzle <kientzle@acm.org>
	Sat, 14 May 2016 19:37:37 +0000 (12:37 -0700)
committer	Tim Kientzle <kientzle@acm.org>
	Sat, 14 May 2016 19:37:37 +0000 (12:37 -0700)