[klibc] [klibc:master] cpio: Fix possible crash on 64-bit systems

klibc-bot for Ben Hutchings ben at decadent.org.uk
Thu Apr 29 17:00:22 PDT 2021


Commit-ID:  2e48a12ab1e30d43498c2d53e878a11a1b5102d5
Gitweb:     http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=2e48a12ab1e30d43498c2d53e878a11a1b5102d5
Author:     Ben Hutchings <ben at decadent.org.uk>
AuthorDate: Wed, 28 Apr 2021 19:46:47 +0200
Committer:  Ben Hutchings <ben at decadent.org.uk>
CommitDate: Thu, 29 Apr 2021 16:03:19 +0200

[klibc] cpio: Fix possible crash on 64-bit systems

copyin_link() tries to allocate (unsigned int)c_filesize + 1 bytes.
If c_filesize == UINT_MAX, this works out as 0 bytes, resulting in a
null pointer and a subsequent SIGSEGV.

The previous commit made this impossible on 32-bit systems.

CVE-2021-31871

Signed-off-by: Ben Hutchings <ben at decadent.org.uk>

---
 usr/utils/cpio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/utils/cpio.c b/usr/utils/cpio.c
index ac481310..9b0b6ae9 100644
--- a/usr/utils/cpio.c
+++ b/usr/utils/cpio.c
@@ -832,7 +832,7 @@ static void copyin_link(struct new_cpio_header *file_hdr, int in_file_des)
 	char *link_name = NULL;	/* Name of hard and symbolic links.  */
 	int res;		/* Result of various function calls.  */
 
-	link_name = (char *)xmalloc((unsigned int)file_hdr->c_filesize + 1);
+	link_name = (char *)xmalloc(file_hdr->c_filesize + 1);
 	link_name[file_hdr->c_filesize] = '\0';
 	tape_buffered_read(link_name, in_file_des, file_hdr->c_filesize);
 	tape_skip_padding(in_file_des, file_hdr->c_filesize);
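
Review bot: The `+ 1` in `xmalloc(file_hdr->c_filesize + 1)` is still unchecked, so with the cast gone the size is computed in whatever type `c_filesize` has, and the zero-byte allocation is avoided only where that type is wider than unsigned int or the value has already been bounded (the commit message relies on the previous commit for the 32-bit case). Nothing in this hunk limits the length taken from the archive header before it is used to allocate, to index `link_name[file_hdr->c_filesize]` and to size `tape_buffered_read()`. Consider rejecting a `c_filesize` above a sane link-target length (for example PATH_MAX) at the top of copyin_link(), which would make the allocation safe independently of the field's width, and add a short comment on the dependency on the earlier commit.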

