When starting cpio with the arguments "-tC3000000000000" we fall into
"Illegal instruction" or "memory exhausted". This happens because
of a poor check in the parse_opt() function in case 'C'. Here io_block_size
is set with untrusted data. Then we call initialize_buffers(),
where xmalloc(2*io_block_size) is called, and 2*io_block_size<0.
This check must be done in the same way as in case BLOCK_SIZE_OPTION.
This patch adds the necessary check during option parsing.
Fixes: a829388 ("Added support for --to-stdout and --warning options")
Signed-off-by: Artem Nasonov <[email protected]>
v2: remove wrong changes that were included in v1
---
src/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main.c b/src/main.c
index 47d868d..f007caf 100644
--- a/src/main.c
+++ b/src/main.c
@@ -339,7 +339,7 @@ parse_opt (int key, char *arg, struct argp_state *state)
case 'C': /* Block size. */
io_block_size = atoi (arg);
- if (io_block_size < 1)
+ if (io_block_size < 1 || io_block_size > INT_MAX/2)
USAGE_ERROR ((0, 0, _("invalid block size")));
break;
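Review bot: the new upper bound `io_block_size > INT_MAX/2` correctly keeps the later `2*io_block_size` from overflowing, but the value it bounds still comes from `atoi (arg)` on the line above, and atoi has undefined behaviour when the argument is outside the range of int, so an input like "3000000000000" is only rejected because of how the conversion happens to wrap on the tested platform. Consider replacing `atoi (arg)` with `strtol`, checking `errno == ERANGE` and the end pointer, and then applying the `< 1 || > INT_MAX/2` range test to the long value before assigning it to io_block_size; that makes the rejection independent of the conversion's wraparound. Also confirm that main.c already includes <limits.h>, since this hunk introduces INT_MAX without adding the header.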
--
2.39.5