CVE-2020-27350: debfile: integer overflow: Limit control size to 64 MiB

Like the code in arfile.cc, MemControlExtract also has buffer overflows, in code allocating memory for parsing control files. Specify an upper limit of 64 MiB for control files to both protect against the Size overflowing (we allocate Size + 2 bytes), and protect a bit against control files consisting only of zeroes.
author: Julian Andres Klode <julian.klode@canonical.com> 2020-12-05 20:17:56 +0100
committer: Julian Andres Klode <julian.klode@canonical.com> 2020-12-07 12:29:57 +0100
commit: ed786183bfe9813cf9bc603de0a2beed3e0d0e31 (patch)
tree: e897b4823befdc6ddf3122a9709ec3209c60c7ee /test/integration/test-cve-2020-27350
parent: 29581d103fc85d988c1f8a9c995ef9a6bb600500 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/test/integration/test-cve-2020-27350 b/test/integration/test-cve-2020-27350
index 336dc5b7e..f4bb79bcb 100755
--- a/test/integration/test-cve-2020-27350
+++ b/test/integration/test-cve-2020-27350
@@ -17,3 +17,6 @@ testequal "E: Long name to large: 67108865 bytes > 1048576 bytes" runapt ${APTTE
 
 ${APTTESTHELPERSBINDIR}/createdeb-cve-2020-27350 long-link long-link.deb
 testequal "E: Long name to large: 67108865 bytes > 1048576 bytes" runapt ${APTTESTHELPERSBINDIR}/extract-control long-link.deb control
+
+${APTTESTHELPERSBINDIR}/createdeb-cve-2020-27350 long-control long-control.deb
+testequal "E: Control file too large: 67108865 > 67108864 bytes" runapt ${APTTESTHELPERSBINDIR}/extract-control long-control.deb control
author	Julian Andres Klode <julian.klode@canonical.com>	2020-12-05 20:17:56 +0100
committer	Julian Andres Klode <julian.klode@canonical.com>	2020-12-07 12:29:57 +0100
commit	ed786183bfe9813cf9bc603de0a2beed3e0d0e31 (patch)
tree	e897b4823befdc6ddf3122a9709ec3209c60c7ee /test/integration/test-cve-2020-27350
parent	29581d103fc85d988c1f8a9c995ef9a6bb600500 (diff)