[PATCH 3/4] tar: Fix incorrect size check
Ryan Mallon
rmallon at gmail.com
Sat Jan 11 06:49:47 UTC 2014
On 11/01/14 13:46, Denys Vlasenko wrote:
> On Fri, Jan 10, 2014 at 7:42 PM, Ryan Mallon <rmallon at gmail.com> wrote:
>>> +22 bytes on x86 :/
>>>
>>> How about this?
>>>
>>> p += len;
>>> sz -= len;
>>> - if ((int)sz < 0
>>> + if (
>>> + /** (int)sz < 0 - not good enough for huge malicious
>>> VALUE of 2^32-1 */
>>> + (int)(sz|len) < 0 /* this works */
>>> || len == 0
>>> || errno != EINVAL
>>> || *end != ' '
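Review bot: the `(int)(sz|len) < 0` test at the top of this hunk only catches a wrapped `sz` or an oversized `len` if both are 32 bits wide, which the "2^32-1" in the comment assumes; if either is a wider type, the cast to `int` keeps only the low 32 bits, so a `len` whose low 32 bits are zero would pass. Stating the types, or casting through a fixed-width type, would make the intent checkable. Also, the comment opens with the `/**` doc-comment marker and its second line (`VALUE of 2^32-1 */`) has lost its `+` prefix; join it onto one `+` line as a plain `/* ... */`.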
>>
>>
>> That doesn't work. Try:
>>
>> sz = 512
>> len = 0x7fffffff
>>
>> Will result in sz being set to 0x7ffffdff and passing the check.
>
> No, it won't:
>
> $ echo 'int main(){printf("%d\n", 512 - 0x7fffffff);}' | gcc -xc - && ./a.out
> <stdin>: In function ‘main’:
> <stdin>:1:12: warning: incompatible implicit declaration of built-in
> function ‘printf’ [enabled by default]
> -2147483135
>
> $ echo 'int main(){printf("%d\n", (512 - 0x7fffffff) | 0x7fffffff);}'
> | gcc -xc - && ./a.out
> <stdin>: In function ‘main’:
> <stdin>:1:12: warning: incompatible implicit declaration of built-in
> function ‘printf’ [enabled by default]
> -1
Oops, I got len and sz backwards when I was checking it :-/. Your version
is correct I think.
~Ryan
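To see why the `(int)(sz|len) < 0` form catches the case that the old `(int)sz < 0` form misses, here is an added C example; it is mine, not busybox code and not part of the patch. It assumes `sz` and `len` are 32-bit unsigned, as the hunk's "2^32-1" comment implies, and two's-complement conversion to `int32_t` (what gcc and clang do). It models only the arithmetic part of the condition and leaves out the `len == 0`, `errno` and `*end` clauses.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not busybox code: models the two checks quoted in the
 * thread. sz and len are assumed to be 32-bit unsigned, and conversion
 * of an out-of-range value to int32_t is assumed to be two's-complement. */

/* sz -= len, wrapping modulo 2^32 exactly as the quoted code does. */
static uint32_t remaining_after(uint32_t sz, uint32_t len)
{
    return sz - len;
}

/* Old check from the hunk: "(int)sz < 0" after the subtraction.
 * Returns 1 when the header is rejected, 0 when it is accepted. */
static int old_check_rejects(uint32_t sz, uint32_t len)
{
    uint32_t rest = remaining_after(sz, len);
    return (int32_t)rest < 0;
}

/* New check from the hunk: "(int)(sz|len) < 0". Rejecting when either
 * operand has its top bit set catches a remainder that wrapped negative
 * and also a len so large that the wrap lands back in positive range. */
static int new_check_rejects(uint32_t sz, uint32_t len)
{
    uint32_t rest = remaining_after(sz, len);
    return (int32_t)(rest | len) < 0;
}

int main(void)
{
    /* Constructed cases: the two values from the thread plus a sane
     * length and a mildly oversized one. */
    struct { uint32_t sz, len; const char *why; } cases[] = {
        { 512, 100,         "normal: len shorter than buffer" },
        { 512, 1000,        "len > sz, remainder wraps negative" },
        { 512, 0x7fffffffu, "Ryan's counterexample" },
        { 512, 0xffffffffu, "the 2^32-1 value the comment warns about" },
    };

    printf("%-6s %-10s %-10s %-4s %-4s  %s\n",
           "sz", "len", "sz-len", "old", "new", "case");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t rest = remaining_after(cases[i].sz, cases[i].len);
        printf("%-6" PRIu32 " 0x%08" PRIx32 " 0x%08" PRIx32 " %-4s %-4s  %s\n",
               cases[i].sz, cases[i].len, rest,
               old_check_rejects(cases[i].sz, cases[i].len) ? "rej" : "ok",
               new_check_rejects(cases[i].sz, cases[i].len) ? "rej" : "ok",
               cases[i].why);
    }
    return 0;
}
```

Compile with `gcc -Wall example.c && ./a.out`. The 0x7fffffff row reproduces Denys's numbers: the remainder is 0x80000201 (-2147483135 as an int), and OR-ing it with 0x7fffffff gives 0xffffffff (-1), so both checks reject it. The 2^32-1 row is the interesting one: the remainder wraps all the way round to 513, which the old check accepts, while the new check still rejects it because `len` itself has the top bit set.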