Don't crash on truncated tar archives #2364
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The tar header parsing overhaul in libarchive#2127 introduced a systematic mishandling of truncated files: the code incorrectly checks for whether a given read operation failed, and ends up dereferencing a NULL pointer in this case. I've gone back and double-checked how `__archive_read_ahead` actually works (it returns NULL precisely when it was unable to satisfy the read request) and reworked the error handling for each call to this function in archive_read_support_format_tar.c Resolves libarchive#2353 Resolves https://issues.oss-fuzz.com/issues/42537231
kientzle
commented
Oct 6, 2024
| @@ -631,8 +631,6 @@ archive_read_format_tar_read_data(struct archive_read *a, | |||
| } | |||
|
|
|||
| *buff = __archive_read_ahead(a, 1, &bytes_read); | |||
| if (bytes_read < 0) | |||
There was a problem hiding this comment.
Whenever __archive_read_ahead puts an error value into bytes_read it also returns NULL, so the bytes_read < 0 checks throughout are redundant and have been removed.
kientzle
commented
Oct 6, 2024
| @@ -763,7 +759,7 @@ tar_read_header(struct archive_read *a, struct tar *tar, | |||
| return (ARCHIVE_EOF); | |||
| } | |||
| } | |||
| if (bytes < 512) { /* Short block at EOF; this is bad. */ | |||
| if (h == NULL) { /* Short block at EOF; this is bad. */ | |||
There was a problem hiding this comment.
This change has no effect but makes this part more consistent with the pattern now used throughout this source file.
kientzle
commented
Oct 6, 2024
| @@ -1630,6 +1626,9 @@ read_mac_metadata_blob(struct archive_read *a, | |||
| tar_flush_unconsumed(a, unconsumed); | |||
| data = __archive_read_ahead(a, msize, NULL); | |||
| if (data == NULL) { | |||
| archive_set_error(&a->archive, EINVAL, | |||
There was a problem hiding this comment.
I've added appropriate error messages for every failed read.
kientzle
commented
Oct 6, 2024
| err = ARCHIVE_WARN; | ||
| } | ||
| } else { | ||
| if (p == NULL) { |
There was a problem hiding this comment.
I've swapped this and a few other instances around so that we consistently check for p == NULL as the first thing after __archive_read_ahead.
kientzle
commented
Oct 6, 2024
| @@ -3395,7 +3405,7 @@ readline(struct archive_read *a, struct tar *tar, const char **start, | |||
| tar_flush_unconsumed(a, unconsumed); | |||
|
|
|||
| t = __archive_read_ahead(a, 1, &bytes_read); | |||
| if (bytes_read <= 0) | |||
| if (bytes_read <= 0 || t == NULL) | |||
There was a problem hiding this comment.
The bytes_read <= 0 clause here is technically redundant, but I've left it for now since it does no harm.
|
CC: @88Sanghy88 |
mmatuska
approved these changes
Oct 11, 2024
mmatuska
pushed a commit
that referenced
this pull request
Oct 12, 2024
The tar header parsing overhaul in #2127 introduced a systematic mishandling of truncated files: the code incorrectly checks for whether a given read operation failed, and ends up dereferencing a NULL pointer in this case. I've gone back and double-checked how `__archive_read_ahead` actually works (it returns NULL precisely when it was unable to satisfy the read request) and reworked the error handling for each call to this function in archive_read_support_format_tar.c Resolves #2353 Resolves https://issues.oss-fuzz.com/issues/42537231 (cherry picked from commit 565b5ae)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The tar header parsing overhaul in #2127 introduced a systematic mishandling of truncated files: the code incorrectly checks for whether a given read operation failed, and ends up dereferencing a NULL pointer in this case. I've gone back and double-checked how
__archive_read_aheadactually works (it returns NULL precisely when it was unable to satisfy the read request) and reworked the error handling for each call to this function in archive_read_support_format_tar.cResolves #2353
Resolves https://issues.oss-fuzz.com/issues/42537231