wget: check chunk length for overflowing off_t

function old new delta retrieve_file_data 428 465 +37 wget_main 2386 2389 +3 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0) Total: 40 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-04-08 18:06:24 +02:00 · 2018-04-08 18:06:24 +02:00 · 8e2174e9bd
commit 8e2174e9bd
parent 7bcde5f00d
1 changed files with 12 additions and 4 deletions
--- a/networking/wget.c
+++ b/networking/wget.c
@ -801,7 +801,7 @@ static FILE* prepare_ftp_session(FILE **dfpp, struct host_info *target, len_and_
 	if (ftpcmd("SIZE ", target->path, sfp) == 213) {
 		G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
 		if (G.content_len < 0 || errno) {
-			bb_error_msg_and_die("SIZE value is garbage");
+			bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4);
 		}
 		G.got_clen = 1;
 	}
@ -965,11 +965,19 @@ static void NOINLINE retrieve_file_data(FILE *dfp)
 		if (!G.chunked)
 			break;

-		fgets_trim_sanitize(dfp, NULL); /* Eat empty line */
- get_clen:
+		/* Each chunk ends with "\r\n" - eat it */
 		fgets_trim_sanitize(dfp, NULL);
+ get_clen:
+		/* chunk size format is "HEXNUM[;name[=val]]\r\n" */
+		fgets_trim_sanitize(dfp, NULL);
+		errno = 0;
 		G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
-		/* FIXME: error check? */
+		/*
+		 * Had a bug with inputs like "ffffffff0001f400"
+		 * smashing the heap later. Ensure >= 0.
+		 */
+		if (G.content_len < 0 || errno)
+			bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
 		if (G.content_len == 0)
 			break; /* all done! */
 		G.got_clen = 1;