rpm/rpm-4.12.0.x-CVE-2014-8118.patch
Lubos Kardos 2474acb1d0 - Add check against malicious CPIO file name size
- Fixes CVE-2014-8118
- Resolves #1168715
- Fix race condidition where unchecked data is exposed in the file system
- Fixes CVE-2013-6435
- Resolves #1039811
2014-12-12 17:06:03 +01:00

15 lines
431 B
Diff

diff --git a/lib/cpio.c b/lib/cpio.c
index 253ff0f..600633a 100644
--- a/lib/cpio.c
+++ b/lib/cpio.c
@@ -399,6 +399,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, int * fx)
GET_NUM_FIELD(hdr.filesize, fsize);
GET_NUM_FIELD(hdr.namesize, nameSize);
+ if (nameSize <= 0 || nameSize > 4096) {
+ return RPMERR_BAD_HEADER;
+ }
char name[nameSize + 1];
read = Fread(name, nameSize, 1, cpio->fd);