From: Zhang Xiaohui <ruc_zhangxiao...@163.com>

Hello~

I found there is a code fragment in pax_dump_header_1 in src/sparse.c that is very similar to the vulnerable code in CVE-2019-9923. So I think a check on the return value is needed after calling find_next_block() to avoid a possible NULL pointer dereference.
Looking forward to your reply! Signed-off-by: Zhang Xiaohui <ruc_zhangxiao...@163.com> --- src/sparse.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/sparse.c b/src/sparse.c index cc3c515..009953c 100644 --- a/src/sparse.c +++ b/src/sparse.c @@ -1153,6 +1153,8 @@ pax_dump_header_1 (struct tar_sparse_file *file) { \ set_next_block_after (b); \ b = find_next_block (); \ + if (!b) \ + FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); \ dst = b->buffer; \ endp = b->buffer + BLOCKSIZE; \ } \ @@ -1192,6 +1194,8 @@ pax_dump_header_1 (struct tar_sparse_file *file) file->stat_info->file_name = save_file_name; blk = find_next_block (); + if (!blk) + FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); q = blk->buffer; p = umaxtostr (file->stat_info->sparse_map_avail, nbuf); COPY_STRING (blk, q, p); -- 2.17.1
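Review bot: In the first hunk, the "if (!b)" test added inside the backslash-continued macro body is the same test and message string that the second hunk adds for "blk", so the two sites can drift apart. Consider one small helper (hypothetical, not in this patch) that calls find_next_block () and fails on NULL, used at both places. The following "dst = b->buffer;" is also safe only if FATAL_ERROR never returns, which these lines do not show; please confirm that and say so in the commit message.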
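Review bot: In the second hunk, the message "Unexpected EOF in archive" at the "if (!blk)" check describes a read failure, while the enclosing function is pax_dump_header_1, whose name suggests the path that writes a header. Please confirm that find_next_block () can actually return NULL at this call site and, if it can, use wording that matches what went wrong on this path, so that a user who hits it is not pointed at a truncated input archive.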