diff --git a/libarchive/0001-libarchive-Handle-a-calloc-returning-NULL-fixes-1754.patch b/libarchive/0001-libarchive-Handle-a-calloc-returning-NULL-fixes-1754.patch new file mode 100644 index 0000000..42adecb --- /dev/null +++ b/libarchive/0001-libarchive-Handle-a-calloc-returning-NULL-fixes-1754.patch @@ -0,0 +1,35 @@ +From bff38efe8c110469c5080d387bec62a6ca15b1a5 Mon Sep 17 00:00:00 2001 +From: obiwac +Date: Fri, 22 Jul 2022 22:41:10 +0200 +Subject: [PATCH] libarchive: Handle a `calloc` returning NULL (fixes #1754) + +--- + libarchive/archive_write.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c +index 66592e82..27626b54 100644 +--- a/libarchive/archive_write.c ++++ b/libarchive/archive_write.c +@@ -201,6 +201,10 @@ __archive_write_allocate_filter(struct archive *_a) + struct archive_write_filter *f; + + f = calloc(1, sizeof(*f)); ++ ++ if (f == NULL) ++ return (NULL); ++ + f->archive = _a; + f->state = ARCHIVE_WRITE_FILTER_STATE_NEW; + if (a->filter_first == NULL) +@@ -548,6 +552,10 @@ archive_write_open2(struct archive *_a, void *client_data, + a->client_data = client_data; + + client_filter = __archive_write_allocate_filter(_a); ++ ++ if (client_filter == NULL) ++ return (ARCHIVE_FATAL); ++ + client_filter->open = archive_write_client_open; + client_filter->write = archive_write_client_write; + client_filter->close = archive_write_client_close; diff --git a/libarchive/0002-Validate-entry_bytes_remaining-in-pax_attribute.patch b/libarchive/0002-Validate-entry_bytes_remaining-in-pax_attribute.patch new file mode 100644 index 0000000..9414f9c --- /dev/null +++ b/libarchive/0002-Validate-entry_bytes_remaining-in-pax_attribute.patch @@ -0,0 +1,42 @@ +From fc8c6d2786ecba731d77d33fe3b034f581fcbde3 Mon Sep 17 00:00:00 2001 +From: Ben Wagner +Date: Tue, 19 Jul 2022 13:02:40 -0400 +Subject: [PATCH] Validate entry_bytes_remaining in pax_attribute + +The `size` attribute may contain a negative or too large value. Check +the range of the `entry_bytes_remaining` in `pax_attribute` the same way +as `header_common`. The test which is added passes both with and without +this change in a normal debug build. It is necessary to run with +`-fsanitize=undefined` to see that the undefined behavior is avoided. + +Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48467 +--- + libarchive/archive_read_support_format_tar.c | 15 ++++++ + 1 files changed, 15 insertions(+) + +diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c +index bfdad7f8..e31f1cc4 100644 +--- a/libarchive/archive_read_support_format_tar.c ++++ b/libarchive/archive_read_support_format_tar.c +@@ -2108,6 +2108,21 @@ pax_attribute(struct archive_read *a, struct tar *tar, + /* "size" is the size of the data in the entry. */ + tar->entry_bytes_remaining + = tar_atol10(value, strlen(value)); ++ if (tar->entry_bytes_remaining < 0) { ++ tar->entry_bytes_remaining = 0; ++ archive_set_error(&a->archive, ++ ARCHIVE_ERRNO_MISC, ++ "Tar size attribute is negative"); ++ return (ARCHIVE_FATAL); ++ } ++ if (tar->entry_bytes_remaining == INT64_MAX) { ++ /* Note: tar_atol returns INT64_MAX on overflow */ ++ tar->entry_bytes_remaining = 0; ++ archive_set_error(&a->archive, ++ ARCHIVE_ERRNO_MISC, ++ "Tar size attribute overflow"); ++ return (ARCHIVE_FATAL); ++ } + /* + * The "size" pax header keyword always overrides the + * "size" field in the tar header. diff --git a/libarchive/PKGBUILD-arch b/libarchive/PKGBUILD-arch index e0b6fe7..cfce66c 100644 --- a/libarchive/PKGBUILD-arch +++ b/libarchive/PKGBUILD-arch @@ -3,7 +3,7 @@ pkgname=libarchive pkgver=3.6.1 -pkgrel=1 +pkgrel=2 pkgdesc='Multi-format archive and compression library' arch=('x86_64') url='https://libarchive.org/' @@ -12,9 +12,20 @@ depends=('acl' 'libacl.so' 'bzip2' 'expat' 'lz4' 'openssl' 'xz' 'zlib' 'zstd') provides=('libarchive.so') options=('debug') validpgpkeys=('A5A45B12AD92D964B89EEE2DEC560C81CEC2276E') # Martin Matuska -source=("https://github.com/${pkgname}/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.xz"{,.asc}) +source=("https://github.com/${pkgname}/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.xz"{,.asc} + '0001-libarchive-Handle-a-calloc-returning-NULL-fixes-1754.patch' + '0002-Validate-entry_bytes_remaining-in-pax_attribute.patch') sha256sums=('5a411aceb978f43e626f0c2d1812ddd8807b645ed892453acabd532376c148e6' - 'SKIP') + 'SKIP' + 'bc52b2b2b99915894b436c97872d5d50e94c8c7483865a028fad9a710c837fa7' + '38c8d9b00f3259558e67e6fdf790ccbf8ecbba2de101476c2416d87b1679bcb9') + +prepare() { + cd "${pkgname}-${pkgver}" + + patch -Np1 < ../0001-libarchive-Handle-a-calloc-returning-NULL-fixes-1754.patch + patch -Np1 < ../0002-Validate-entry_bytes_remaining-in-pax_attribute.patch +} build() { cd "${pkgname}-${pkgver}"