From 0444f9dd52c2bc7bec315f6f1ecad76a30713fa0 Mon Sep 17 00:00:00 2001
From: Julian Andres Klode <julian.klode@canonical.com>
Date: Sat, 5 Dec 2020 20:17:56 +0100
Subject: CVE-2020-27350: debfile: integer overflow: Limit control size to 64
 MiB

Like the code in arfile.cc, MemControlExtract also has buffer
overflows, in code allocating memory for parsing control files.

Specify an upper limit of 64 MiB for control files to both protect
against the Size overflowing (we allocate Size + 2 bytes), and
protect a bit against control files consisting only of zeroes.
---
 apt-pkg/deb/debfile.cc | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'apt-pkg')

diff --git a/apt-pkg/deb/debfile.cc b/apt-pkg/deb/debfile.cc
index f8d752e7f..bef0cd0d8 100644
--- a/apt-pkg/deb/debfile.cc
+++ b/apt-pkg/deb/debfile.cc
@@ -184,11 +184,23 @@ bool debDebFile::ControlExtract::DoItem(Item &Itm,int &Fd)
 // ---------------------------------------------------------------------
 /* This sets up to extract the control block member file into a memory 
    block of just the right size. All other files go into the bit bucket. */
+
+// Upper size limit for control files. Two reasons for having a limit here:
+//
+// 1. We read those files into memory and want to avoid being killed by OOM
+//
+// 2. We allocate (Itm.Size+2)-large arrays, so this can overflow if Itm.Size
+// becomes 2**64-2 or larger. This is obviously
+//
+// 64 MiB seems like a terribly large size that everyone should be happy with.
+static const unsigned long long DEB_CONTROL_SIZE_LIMIT = 64 * 1024 * 1024;
 bool debDebFile::MemControlExtract::DoItem(Item &Itm,int &Fd)
 {
    // At the control file, allocate buffer memory.
    if (Member == Itm.Name)
    {
+      if (Itm.Size > DEB_CONTROL_SIZE_LIMIT)
+	 return _error->Error("Control file too large: %llu > %llu bytes", Itm.Size, DEB_CONTROL_SIZE_LIMIT);
       delete [] Control;
       Control = new char[Itm.Size+2];
       IsControl = true;
@@ -237,6 +249,9 @@ bool debDebFile::MemControlExtract::Read(debDebFile &Deb)
    record. */
 bool debDebFile::MemControlExtract::TakeControl(const void *Data,unsigned long long Size)
 {
+   if (Size > DEB_CONTROL_SIZE_LIMIT)
+      return _error->Error("Control file too large: %llu > %llu bytes", Size, DEB_CONTROL_SIZE_LIMIT);
+
    delete [] Control;
    Control = new char[Size+2];
    Length = Size;
-- 
cgit v1.2.3