diff options
author | Sam Bingner <sam@bingner.com> | 2021-03-13 01:03:46 -1000 |
---|---|---|
committer | Sam Bingner <sam@bingner.com> | 2021-03-13 01:03:46 -1000 |
commit | 9d8383bdee9f1ddc5685c36678b1ca033cbea971 (patch) | |
tree | 5dcc8c91e9c0a1b85ef15654a1cf58e7869753c5 /apt-inst/deb/debfile.cc | |
parent | 11cd82291bb7a02cafbb271c8416f8b59e1f1413 (diff) | |
parent | 95e417cb069928dfdb5dfacb418f025d71f32c4d (diff) |
Merge remote-tracking branch 'upstream/1.8.2.z' into 1.8.2.z+ios1.8.2.z+ios
Diffstat (limited to 'apt-inst/deb/debfile.cc')
-rw-r--r-- | apt-inst/deb/debfile.cc | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/apt-inst/deb/debfile.cc b/apt-inst/deb/debfile.cc index f8d752e7f..bef0cd0d8 100644 --- a/apt-inst/deb/debfile.cc +++ b/apt-inst/deb/debfile.cc @@ -184,11 +184,23 @@ bool debDebFile::ControlExtract::DoItem(Item &Itm,int &Fd) // --------------------------------------------------------------------- /* This sets up to extract the control block member file into a memory block of just the right size. All other files go into the bit bucket. */ + +// Upper size limit for control files. Two reasons for having a limit here: +// +// 1. We read those files into memory and want to avoid being killed by OOM +// +// 2. We allocate (Itm.Size+2)-large arrays, so this can overflow if Itm.Size +// becomes 2**64-2 or larger. This is obviously +// +// 64 MiB seems like a terribly large size that everyone should be happy with. +static const unsigned long long DEB_CONTROL_SIZE_LIMIT = 64 * 1024 * 1024; bool debDebFile::MemControlExtract::DoItem(Item &Itm,int &Fd) { // At the control file, allocate buffer memory. if (Member == Itm.Name) { + if (Itm.Size > DEB_CONTROL_SIZE_LIMIT) + return _error->Error("Control file too large: %llu > %llu bytes", Itm.Size, DEB_CONTROL_SIZE_LIMIT); delete [] Control; Control = new char[Itm.Size+2]; IsControl = true; @@ -237,6 +249,9 @@ bool debDebFile::MemControlExtract::Read(debDebFile &Deb) record. */ bool debDebFile::MemControlExtract::TakeControl(const void *Data,unsigned long long Size) { + if (Size > DEB_CONTROL_SIZE_LIMIT) + return _error->Error("Control file too large: %llu > %llu bytes", Size, DEB_CONTROL_SIZE_LIMIT); + delete [] Control; Control = new char[Size+2]; Length = Size; |