summaryrefslogtreecommitdiff
path: root/vendor/github.com/vbatts/tar-split/tar
diff options
context:
space:
mode:
authorMatthew Heon <matthew.heon@gmail.com>2017-11-08 16:43:49 -0500
committerAtomic Bot <atomic-devel@projectatomic.io>2017-11-08 21:58:26 +0000
commit0a2cb93fc26c5fd2fc8c494945fd8664670aa552 (patch)
tree305b71361f2cf9a7aeb77465d6c5e0c97b33a6c2 /vendor/github.com/vbatts/tar-split/tar
parentb8dca1874dfec01b1782f1308f26b58f315424cd (diff)
downloadpodman-0a2cb93fc26c5fd2fc8c494945fd8664670aa552.tar.gz
podman-0a2cb93fc26c5fd2fc8c494945fd8664670aa552.tar.bz2
podman-0a2cb93fc26c5fd2fc8c494945fd8664670aa552.zip
Update tarsplit vendor to address CVE-2017-14992
Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #34 Approved by: rhatdan
Diffstat (limited to 'vendor/github.com/vbatts/tar-split/tar')
-rw-r--r--vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go43
1 files changed, 28 insertions, 15 deletions
diff --git a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
index 54ef23aed..009b3f5d8 100644
--- a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
+++ b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
@@ -2,7 +2,6 @@ package asm
import (
"io"
- "io/ioutil"
"github.com/vbatts/tar-split/archive/tar"
"github.com/vbatts/tar-split/tar/storage"
@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp storage.FilePutter) (io
}
}
- // it is allowable, and not uncommon that there is further padding on the
- // end of an archive, apart from the expected 1024 null bytes.
- remainder, err := ioutil.ReadAll(outputRdr)
- if err != nil && err != io.EOF {
- pW.CloseWithError(err)
- return
- }
- _, err = p.AddEntry(storage.Entry{
- Type: storage.SegmentType,
- Payload: remainder,
- })
- if err != nil {
- pW.CloseWithError(err)
- return
+ // It is allowable, and not uncommon that there is further padding on
+ // the end of an archive, apart from the expected 1024 null bytes. We
+ // do this in chunks rather than in one go to avoid cases where a
+ // maliciously crafted tar file tries to trick us into reading many GBs
+ // into memory.
+ const paddingChunkSize = 1024 * 1024
+ var paddingChunk [paddingChunkSize]byte
+ for {
+ var isEOF bool
+ n, err := outputRdr.Read(paddingChunk[:])
+ if err != nil {
+ if err != io.EOF {
+ pW.CloseWithError(err)
+ return
+ }
+ isEOF = true
+ }
+ _, err = p.AddEntry(storage.Entry{
+ Type: storage.SegmentType,
+ Payload: paddingChunk[:n],
+ })
+ if err != nil {
+ pW.CloseWithError(err)
+ return
+ }
+ if isEOF {
+ break
+ }
}
pW.Close()
}()