[klibc] cpio: Fix possible crash on 64-bit systems
author: Ben Hutchings <ben@decadent.org.uk>
Wed, 28 Apr 2021 17:46:47 +0000 (19:46 +0200)
committer: Thorsten Glaser <tg@mirbsd.de>
Wed, 26 May 2021 22:12:10 +0000 (23:12 +0100)
Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=2e48a12ab1e30d43498c2d53e878a11a1b5102d5
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31871

copyin_link() tries to allocate (unsigned int)c_filesize + 1 bytes.
If c_filesize == UINT_MAX, this works out as 0 bytes, resulting in a
null pointer and a subsequent SIGSEGV.

The previous commit made this impossible on 32-bit systems.

CVE-2021-31871

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0040-klibc-cpio-Fix-possible-crash-on-64-bit-systems.patch

usr/utils/cpio.c

index ac481310bf982fc5881aba55bafccea3ba194971..9b0b6ae9877e986c9f32c8d6c2b3a518c16de00d 100644 (file)
@@ -832,7 +832,7 @@ static void copyin_link(struct new_cpio_header *file_hdr, int in_file_des)
        char *link_name = NULL; /* Name of hard and symbolic links.  */
        int res;                /* Result of various function calls.  */
 
-       link_name = (char *)xmalloc((unsigned int)file_hdr->c_filesize + 1);
+       link_name = (char *)xmalloc(file_hdr->c_filesize + 1);
        link_name[file_hdr->c_filesize] = '\0';
        tape_buffered_read(link_name, in_file_des, file_hdr->c_filesize);
        tape_skip_padding(in_file_des, file_hdr->c_filesize);
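Review bot: the fix relies on `c_filesize` being wider than `unsigned int` so that `file_hdr->c_filesize + 1` cannot wrap to 0 the way `(unsigned int)file_hdr->c_filesize + 1` did for `c_filesize == UINT_MAX`, but the type of `c_filesize` is not visible in this hunk; a one-line comment above the `xmalloc` call stating that the addition must be done in the field's full width (and why the cast was wrong) would keep the next reader from reintroducing it. Since `c_filesize` comes from the archive header and feeds directly into `link_name[file_hdr->c_filesize] = '\0'` and `tape_buffered_read(...)`, consider also rejecting implausibly large link sizes before allocating rather than handing an arbitrary header-supplied length to `xmalloc`.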