zig

fork of https://codeberg.org/ziglang/zig

commit 8d651f512bf5032e1255dd66750faff0152e2f84 (tree)
parent 3eacd1b2e56728a291b4e5dc443a56fa0b4cab14
Author: Igor Anić <igor.anic@gmail.com>
Date:   Sat, 24 Feb 2024 16:22:54 +0100

std.tar fix assert exploited by fuzzing

Diffstat:
Mlib/std/tar.zig | 8+++++++-
Mlib/std/tar/test.zig | 4++++
Alib/std/tar/testdata/fuzz2.tar | 0
3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/std/tar.zig b/lib/std/tar.zig
@@ -376,7 +376,7 @@ fn Iterator(comptime ReaderType: type) type {
 self.file.link_name = try attr.value(&self.link_name_buffer);
 },
 .size => {
- var buf: [64]u8 = undefined;
+ var buf: [pax_max_size_attr_len]u8 = undefined;
 self.file.size = try std.fmt.parseInt(u64, try attr.value(&buf), 10);
 },
 }
@@ -430,6 +430,9 @@ const PaxAttributeKind = enum {
 size,
 };
+// maxInt(u64) has 20 chars, base 10 in practice we got 24 chars
+const pax_max_size_attr_len = 64;
+
 fn PaxIterator(comptime ReaderType: type) type {
 return struct {
 size: usize, // cumulative size of all pax attributes
@@ -486,6 +489,9 @@ fn PaxIterator(comptime ReaderType: type) type {
 try validateAttributeEnding(self.reader);
 continue;
 };
+ if (kind == .size and value_len > pax_max_size_attr_len) {
+ return error.PaxSizeAttrOverflow;
+ }
 return Attribute{
 .kind = kind,
 .len = value_len,
diff --git a/lib/std/tar/test.zig b/lib/std/tar/test.zig
@@ -317,6 +317,10 @@ test "tar run Go test cases" {
 .data = @embedFile("testdata/fuzz1.tar"),
 .err = error.TarCorruptInput,
 },
+ .{
+ .data = @embedFile("testdata/fuzz2.tar"),
+ .err = error.PaxSizeAttrOverflow,
+ },
 };
 for (cases) |case| {
diff --git a/lib/std/tar/testdata/fuzz2.tar b/lib/std/tar/testdata/fuzz2.tar
Binary files differ.
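Review bot: The comment above `pax_max_size_attr_len` does not explain why the limit is 64 when it says maxInt(u64) needs only 20 decimal digits, and its second half is hard to parse. If the intent is headroom over values seen in real archives, `// maxInt(u64) is 20 decimal digits; size values of up to 24 chars were seen in practice, so 64 leaves headroom.` would say so. It is also worth stating there that this constant sizes the parse buffer in Iterator and that PaxIterator rejects longer size values with `error.PaxSizeAttrOverflow`, since the two uses are far apart.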
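Review bot: The new bound in the PaxIterator hunk (`if (kind == .size and value_len > pax_max_size_attr_len)`) sits far from the buffer it protects, the `buf` declared in the `.size` branch of the first hunk, and it covers only `.size`. The commit title says the failure was an assert, presumably the length check inside `attr.value`, which is outside these hunks. `std.debug.assert` is not checked in ReleaseFast, so for an untrusted archive an oversized attribute could become an out-of-bounds write there rather than a panic. I would return the error at the use site or inside `value` itself, e.g. `if (attr.len > buf.len) return error.PaxSizeAttrOverflow;` before the `parseInt` line. It is also worth confirming that the `path`/`linkpath` branches check length before copying into their buffers; both functions continue outside the hunks.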
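Review bot: The only coverage for the new limit is the fuzzer-produced `fuzz2.tar`, a binary fixture that does not show which attribute length it exercises. Two small constructed archives, one with a size attribute of exactly `pax_max_size_attr_len` bytes and one a byte longer, would pin the `>` comparison against an off-by-one. A short comment on the new case, such as `// pax size attribute longer than pax_max_size_attr_len`, would tell the reader what the fixture contains. The `cases` table starts outside the hunk.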