[klibc] cpio: Fix possible crash on 64-bit systemsklibc-2.0.9

copyin_link() tries to allocate (unsigned int)c_filesize + 1 bytes. If c_filesize == UINT_MAX, this works out as 0 bytes, resulting in a null pointer and a subsequent SIGSEGV. The previous commit made this impossible on 32-bit systems. CVE-2021-31871 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
author: Ben Hutchings <ben@decadent.org.uk> 2021-04-28 19:46:47 +0200
committer: Ben Hutchings <ben@decadent.org.uk> 2021-04-29 16:03:19 +0200
commit: 2e48a12ab1e30d43498c2d53e878a11a1b5102d5 (patch)
tree: 8f65b3468bf8ef695693017acfe2fe7032d29f62
parent: 9b1c91577aef7f2e72c3aa11a27749160bd278ff (diff)
download: klibc-2.0.9.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/usr/utils/cpio.c b/usr/utils/cpio.c
index ac481310bf982..9b0b6ae9877e9 100644
--- a/usr/utils/cpio.c
+++ b/usr/utils/cpio.c
@@ -832,7 +832,7 @@ static void copyin_link(struct new_cpio_header *file_hdr, int in_file_des)
 	char *link_name = NULL;	/* Name of hard and symbolic links.  */
 	int res;		/* Result of various function calls.  */
 
-	link_name = (char *)xmalloc((unsigned int)file_hdr->c_filesize + 1);
+	link_name = (char *)xmalloc(file_hdr->c_filesize + 1);
 	link_name[file_hdr->c_filesize] = '\0';
 	tape_buffered_read(link_name, in_file_des, file_hdr->c_filesize);
 	tape_skip_padding(in_file_des, file_hdr->c_filesize);
author	Ben Hutchings <ben@decadent.org.uk>	2021-04-28 19:46:47 +0200
committer	Ben Hutchings <ben@decadent.org.uk>	2021-04-29 16:03:19 +0200
commit	2e48a12ab1e30d43498c2d53e878a11a1b5102d5 (patch)
tree	8f65b3468bf8ef695693017acfe2fe7032d29f62
parent	9b1c91577aef7f2e72c3aa11a27749160bd278ff (diff)
download	klibc-2.0.9.tar.gz