From 25aeb213e506f020af25648f78d93344627b32f2 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Wed, 28 Apr 2021 19:46:47 +0200
Subject: [PATCH] [klibc] cpio: Fix possible crash on 64-bit systems

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=2e48a12ab1e30d43498c2d53e878a11a1b5102d5
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31871

copyin_link() tries to allocate (unsigned int)c_filesize + 1 bytes. If c_filesize == UINT_MAX, this works out as 0 bytes, resulting in a null pointer and a subsequent SIGSEGV.

The previous commit made this impossible on 32-bit systems.

CVE-2021-31871

Signed-off-by: Ben Hutchings
Gbp-Pq: Name 0040-klibc-cpio-Fix-possible-crash-on-64-bit-systems.patch
---
 usr/utils/cpio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/utils/cpio.c b/usr/utils/cpio.c
index ac48131..9b0b6ae 100644
--- a/usr/utils/cpio.c
+++ b/usr/utils/cpio.c
@@ -832,7 +832,7 @@ static void copyin_link(struct new_cpio_header *file_hdr, int in_file_des)
 char *link_name = NULL; /* Name of hard and symbolic links. */
 int res; /* Result of various function calls. */
-link_name = (char *)xmalloc((unsigned int)file_hdr->c_filesize + 1);
+link_name = (char *)xmalloc(file_hdr->c_filesize + 1);
 link_name[file_hdr->c_filesize] = '\0';
 tape_buffered_read(link_name, in_file_des, file_hdr->c_filesize);
 tape_skip_padding(in_file_des, file_hdr->c_filesize);
--
2.30.2
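Review bot: The new xmalloc line still computes `file_hdr->c_filesize + 1` with no local check, so this allocation is only safe because of the bound on c_filesize that the commit message attributes to the previous commit, which is not visible in this hunk; the same bound is what keeps the following `link_name[file_hdr->c_filesize] = '\0'` store in range. Since c_filesize comes from the archive header and its declared type is not visible here, a comment on the xmalloc line such as `/* c_filesize is range-checked before we get here; +1 cannot wrap */` would make that dependency explicit for the next reader, and a `_Static_assert` that the field is no narrower than size_t would catch a future type change on a 32-bit target. As a point of style, the `(char *)` cast on the xmalloc result is unnecessary in C and could be dropped while touching the line. copyin_link() begins and ends outside the hunk.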