From 7d55037f89ab630125c37e6fc571cf36bb0a94c3 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff
Date: Thu, 10 Nov 2016 12:48:19 +0200
Subject: [PATCH 02/15] Fix out-of-bounds read
* src/copyin.c (process_copy_in): Skip records with zero filename length.
---
 src/copyin.c | 41 +++++++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 18 deletions(-)
diff --git a/src/copyin.c b/src/copyin.c
index cde911e..05279d2 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -1378,30 +1378,35 @@ process_copy_in ()
 }
 #endif
- /* Is this the header for the TRAILER file? */
- if (strcmp (CPIO_TRAILER_NAME, file_hdr.c_name) == 0)
+ if (file_hdr.c_namesize == 0)
+ skip_file = true;
+ else
 {
- done = true;
- break;
- }
+ /* Is this the header for the TRAILER file? */
+ if (strcmp (CPIO_TRAILER_NAME, file_hdr.c_name) == 0)
+ {
+ done = true;
+ break;
+ }
- cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
- false);
+ cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
+ false);
- /* Does the file name match one of the given patterns? */
- if (num_patterns <= 0)
- skip_file = false;
- else
- {
- skip_file = copy_matching_files;
- for (i = 0; i < num_patterns
- && skip_file == copy_matching_files; i++)
+ /* Does the file name match one of the given patterns? */
+ if (num_patterns <= 0)
+ skip_file = false;
+ else
 {
- if (fnmatch (save_patterns[i], file_hdr.c_name, 0) == 0)
- skip_file = !copy_matching_files;
+ skip_file = copy_matching_files;
+ for (i = 0; i < num_patterns
+ && skip_file == copy_matching_files; i++)
+ {
+ if (fnmatch (save_patterns[i], file_hdr.c_name, 0) == 0)
+ skip_file = !copy_matching_files;
+ }
 }
 }
-
+
 if (skip_file)
 {
 /* If we're skipping a file with links, there might be other
--
1.8.3.1
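Review bot: The new `if (file_hdr.c_namesize == 0)` branch at the top of the hunk sets `skip_file = true` without any diagnostic, so a malformed or crafted archive record is dropped with no trace for the operator. I would report it with the file's usual diagnostic helper (in GNU cpio typically something like `error (0, 0, _("skipping record with empty file name"));`). I would also add a comment above the check, e.g. `/* Zero-length name: nothing valid to compare or match, skip the record. */`. The guard only covers a length of exactly zero; the `strcmp`, `cpio_safer_name_suffix` and `fnmatch` calls in the `else` branch still assume `c_name` is NUL-terminated within `c_namesize` bytes, which the header reader should be confirmed to enforce. The body of `process_copy_in` starts and ends outside the hunk, so the `if (skip_file)` path should also be checked to confirm it never reads `file_hdr.c_name` for such a record.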