Date: Wed, 9 Oct 2013 22:43:47 -0700
From: Chris Palmer <>
Subject: Re: Integer overflow in libtar (<= 1.2.19)

On Wed, Oct 9, 2013 at 9:36 PM, Huzaifa Sidhpurwala <> wrote:


I haven't read all the ultimate callees, but it might be that some
internal/external APIs should change too. If these:

/* macros for reading/writing tarchive blocks */
#define tar_block_read(t, buf) \
    (*((t)->type->readfunc))((t)->fd, (char *)(buf), T_BLOCKSIZE)
#define tar_block_write(t, buf) \
    (*((t)->type->writefunc))((t)->fd, (char *)(buf), T_BLOCKSIZE)

boil down to functions that implement the same interface as read(2)
and write(2), and it sure seems like it, then the |int i| in this:

 th_read(TAR *t)
-       int i, j;
-       size_t sz;
+       int i;
+       size_t sz, j, blocks;
        char *ptr;
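
Review bot: int i in the th_read() declarations is still signed while sz, j and blocks are now unsigned size_t, so any comparison or arithmetic that mixes i with them converts a negative i (a -1 error return, for instance) to a very large unsigned value. If i holds the result of tar_block_read(), declare it ssize_t and test it for a negative value before it is used alongside the size_t variables.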

— and the callees, and their declared interfaces — should use ssize_t, not int.
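
Added example (not from the original message and not libtar code): a block reader whose callback type and result variable follow the read(2) contract, so the -1 error return is checked as a signed value before it is added to a size_t count. BLOCKSIZE, readfunc_t, block_read_full and demo are hypothetical names, and the 512-byte block size and the pipe input are constructed for the sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define BLOCKSIZE 512 /* assumed block size; all names here are hypothetical */

/* Callback type with the contract of read(2): ssize_t result, size_t count. */
typedef ssize_t (*readfunc_t)(int fd, void *buf, size_t count);

/* Returns BLOCKSIZE, 0 on EOF at a block boundary, -1 on error/truncation. */
ssize_t block_read_full(readfunc_t rf, int fd, char *buf)
{
    size_t got = 0;
    while (got < BLOCKSIZE) {
        ssize_t n = rf(fd, buf + got, BLOCKSIZE - got);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)      /* test the sign before any size_t arithmetic */
            return -1;
        if (n == 0)     /* EOF */
            break;
        got += (size_t)n;
    }
    if (got != 0 && got < BLOCKSIZE)
        return -1;      /* partial block: treat as truncated input */
    return (ssize_t)got;
}

/* Pipe `len` constructed zero bytes in; return the result for block `which`. */
ssize_t demo(size_t len, int which)
{
    static char src[2 * BLOCKSIZE];
    char buf[BLOCKSIZE];
    int p[2], ok;
    ssize_t r = -2;     /* -2: demo setup failed */
    if (len > sizeof src || pipe(p) != 0)
        return r;
    ok = write(p[1], src, len) == (ssize_t)len;
    close(p[1]);
    for (int i = 0; ok && i <= which; i++)
        r = block_read_full(read, p[0], buf);
    close(p[0]);
    return r;
}

int main(void)
{
    printf("%zd %zd %zd\n", demo(1024, 0), demo(1024, 2), demo(612, 1));
}
```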
