Signature files larger than INT_MAX are already suspicious,
but if they are larger than SIZE_MAX, this code couldn't even
copy them into memory, accepting them as "blank" files at worst.
While adding the INT_MAX check, I also rearranged the code to
avoid a quite harmless TOCTOU race condition between
stat() and fopen().
Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
---
I don't know about any sane limitation of signature files, so I just
took INT_MAX. It's an implementation limit of pacman.
---
lib/libalpm/be_package.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/libalpm/be_package.c b/lib/libalpm/be_package.c
index c9ed770..fc455e8 100644
--- a/lib/libalpm/be_package.c
+++ b/lib/libalpm/be_package.c
@@ -24,6 +24,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
+#include <limits.h>
/* libarchive */
#include <archive.h>
@@ -700,17 +701,17 @@ static int read_sigfile(const char *sigpath, unsigned
char **sig)
struct stat st;
FILE *fp;
- if(stat(sigpath, &st) != 0) {
+ if((fp = fopen(sigpath, "rb")) == NULL) {
return -1;
}
- MALLOC(*sig, st.st_size, return -1);
-
- if((fp = fopen(sigpath, "rb")) == NULL) {
- free(*sig);
+ if(fstat(fileno(fp), &st) != 0 || st.st_size > INT_MAX) {
+ fclose(fp);
return -1;
}
+ MALLOC(*sig, st.st_size, fclose(fp); return -1);
+
if(fread(*sig, st.st_size, 1, fp) != 1) {
free(*sig);
fclose(fp);
--
2.8.3
