From 5fcd60e2641c9293c2783aad509baf217e77aa6f Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Sat, 18 Jun 2016 18:41:07 +0200 Subject: Reject files larger than 16384 bytes in read_sigfile. If signature files are larger than SIZE_MAX, not enough memory could be allocated for this file. The script repo-add rejects files which are larger than 16384 bytes, therefore handle these as errors here, too. While at it, I also rearranged the code to avoid a quite harmless TOCTOU race condition between stat() and fopen(). Signed-off-by: Tobias Stoeckmann Signed-off-by: Allan McRae --- lib/libalpm/be_package.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'lib/libalpm') diff --git a/lib/libalpm/be_package.c b/lib/libalpm/be_package.c index a79c0c5b..430d2aeb 100644 --- a/lib/libalpm/be_package.c +++ b/lib/libalpm/be_package.c @@ -24,6 +24,7 @@ #include #include #include +#include /* libarchive */ #include @@ -695,22 +696,25 @@ error: return NULL; } +/* adopted limit from repo-add */ +#define MAX_SIGFILE_SIZE 16384 + static int read_sigfile(const char *sigpath, unsigned char **sig) { struct stat st; FILE *fp; - if(stat(sigpath, &st) != 0) { + if((fp = fopen(sigpath, "rb")) == NULL) { return -1; } - MALLOC(*sig, st.st_size, return -1); - - if((fp = fopen(sigpath, "rb")) == NULL) { - free(*sig); + if(fstat(fileno(fp), &st) != 0 || st.st_size > MAX_SIGFILE_SIZE) { + fclose(fp); return -1; } + MALLOC(*sig, st.st_size, fclose(fp); return -1); + if(fread(*sig, st.st_size, 1, fp) != 1) { free(*sig); fclose(fp); -- cgit v1.2.3-70-g09d2