From a4a4b097d036cf94c0424a10235639f2c8a64756 Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Wed, 12 Jun 2024 09:23:26 -0400 Subject: [PATCH] tar2qfile: Avoid integer overflow If there were too many directories already sent, an integer overflow would occur, with undefined results. In practice the most likely result is a failure to realloc a stupendous amount of memory. (cherry picked from commit 5d62fab9f622645991a3ab07497f16e81caa30fe) --- qubes-rpc/tar2qfile.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/qubes-rpc/tar2qfile.c b/qubes-rpc/tar2qfile.c index e647a317..254a1d82 100644 --- a/qubes-rpc/tar2qfile.c +++ b/qubes-rpc/tar2qfile.c @@ -37,6 +37,7 @@ */ #define _GNU_SOURCE /* For O_NOFOLLOW. */ +#include #include #include #include @@ -750,7 +751,10 @@ ustar_rd (int fd, struct file_header * untrusted_hdr, char *buf, struct stat * s #ifdef DEBUG fprintf(stderr,"Inserting %s into register\n",path); #endif - dirs_headers_sent = realloc(dirs_headers_sent, sizeof (char*) * (++n_dirs)); + size_t new_alloc_size; + if (n_dirs >= INT_MAX || __builtin_mul_overflow(sizeof(char *), ++n_dirs, &new_alloc_size)) + gui_fatal("Too many directories already sent"); + dirs_headers_sent = realloc(dirs_headers_sent, new_alloc_size); if (dirs_headers_sent == NULL) return MEMORY_ALLOC_FAILED; dirs_headers_sent[n_dirs-1] = malloc(sizeof (char) * (strlen(path)+1));