tar2qfile: Avoid integer overflow

If there were too many directories already sent, an integer overflow would occur, with undefined results. In practice the most likely result is a failure to realloc a stupendous amount of memory. (cherry picked from commit 5d62fab)
QubesOS · Nov 5, 2024 · a4a4b09 · a4a4b09
1 parent d49f251
commit a4a4b09
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/qubes-rpc/tar2qfile.c b/qubes-rpc/tar2qfile.c
@@ -37,6 +37,7 @@
  */
 
 #define _GNU_SOURCE /* For O_NOFOLLOW. */
+#include <limits.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/time.h>
@@ -750,7 +751,10 @@ ustar_rd (int fd, struct file_header * untrusted_hdr, char *buf, struct stat * s
 #ifdef DEBUG
 			fprintf(stderr,"Inserting %s into register\n",path);
 #endif
-			dirs_headers_sent = realloc(dirs_headers_sent, sizeof (char*) * (++n_dirs));
+			size_t new_alloc_size;
+			if (n_dirs >= INT_MAX || __builtin_mul_overflow(sizeof(char *), ++n_dirs, &new_alloc_size))
+				gui_fatal("Too many directories already sent");
+			dirs_headers_sent = realloc(dirs_headers_sent, new_alloc_size);
 			if (dirs_headers_sent == NULL)
 				return MEMORY_ALLOC_FAILED;
 			dirs_headers_sent[n_dirs-1] = malloc(sizeof (char) * (strlen(path)+1));