summaryrefslogtreecommitdiff
path: root/archival
diff options
context:
space:
mode:
authorDenys Vlasenko2017-07-20 20:21:50 +0200
committerDenys Vlasenko2017-07-20 20:21:50 +0200
commitad37abf4231275d0991d42f9003666f1efd4114b (patch)
tree895930c1e464d4ddf168a2b0e7676ed3805aa2a4 /archival
parent997ad2c64abbe931dffa3598b015c5de04e515cf (diff)
downloadbusybox-ad37abf4231275d0991d42f9003666f1efd4114b.zip
busybox-ad37abf4231275d0991d42f9003666f1efd4114b.tar.gz
unzip: sanitize filename length: malloc(1234mb) is not funny
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'archival')
-rw-r--r--archival/unzip.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/archival/unzip.c b/archival/unzip.c
index d5bca08..b618c36 100644
--- a/archival/unzip.c
+++ b/archival/unzip.c
@@ -318,6 +318,12 @@ static uint32_t read_next_cdf(uint32_t cdf_offset, cdf_header_t *cdf)
};
#endif
+static void die_if_bad_fnamesize(unsigned sz)
+{
+ if (sz > 0xfff) /* more than 4k?! no funny business please */
+ bb_error_msg_and_die("bad archive");
+}
+
static void unzip_skip(off_t skip)
{
if (skip != 0)
@@ -340,8 +346,7 @@ static void unzip_extract_symlink(zip_header_t *zip, const char *dst_fn)
{
char *target;
- if (zip->fmt.ucmpsize > 0xfff) /* no funny business please */
- bb_error_msg_and_die("bad archive");
+ die_if_bad_fnamesize(zip->fmt.ucmpsize);
if (zip->fmt.method == 0) {
/* Method 0 - stored (not compressed) */
@@ -784,6 +789,7 @@ int unzip_main(int argc, char **argv)
/* Read filename */
free(dst_fn);
+ die_if_bad_fnamesize(zip.fmt.filename_len);
dst_fn = xzalloc(zip.fmt.filename_len + 1);
xread(zip_fd, dst_fn, zip.fmt.filename_len);
/* Skip extra header bytes */