Signature files larger than INT_MAX are already suspicious, but if they are larger than SIZE_MAX, this code couldn't even copy them into memory, accepting them as "blank" files at worst. While adding the INT_MAX check, I also rearranged the code to avoid a quite harmless TOCTOU race condition between stat() and fopen().

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
I don't know about any sane limitation of signature files, so I just took INT_MAX. It's an implementation limit of pacman.
---
 lib/libalpm/be_package.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/lib/libalpm/be_package.c b/lib/libalpm/be_package.c
index c9ed770..fc455e8 100644
--- a/lib/libalpm/be_package.c
+++ b/lib/libalpm/be_package.c
@@ -24,6 +24,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <limits.h>
 
 /* libarchive */
 #include <archive.h>
@@ -700,17 +701,17 @@ static int read_sigfile(const char *sigpath, unsigned char **sig)
 	struct stat st;
 	FILE *fp;
 
-	if(stat(sigpath, &st) != 0) {
+	if((fp = fopen(sigpath, "rb")) == NULL) {
 		return -1;
 	}
 
-	MALLOC(*sig, st.st_size, return -1);
-
-	if((fp = fopen(sigpath, "rb")) == NULL) {
-		free(*sig);
+	if(fstat(fileno(fp), &st) != 0 || st.st_size > INT_MAX) {
+		fclose(fp);
 		return -1;
 	}
 
+	MALLOC(*sig, st.st_size, fclose(fp); return -1);
+
 	if(fread(*sig, st.st_size, 1, fp) != 1) {
 		free(*sig);
 		fclose(fp);
-- 
2.8.3
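Review bot: The new fstat() guard in read_sigfile trusts st_size without first confirming the descriptor refers to a regular file, yet st_size is only meaningful for regular files (a FIFO or device opened via fopen() reports 0 or an arbitrary value and the subsequent MALLOC/fread sizing is then based on it). Since sys/stat.h is already included in the first hunk, the guard can be tightened with no new dependency: `if(fstat(fileno(fp), &st) != 0 || !S_ISREG(st.st_mode) || st.st_size > INT_MAX) {`. A one-line comment above the guard, `/* st_size bounded to INT_MAX because the byte count is returned as int */`, would also record why INT_MAX rather than SIZE_MAX is the limit, which the commit message explains but the code does not. The body of read_sigfile, including the return of the size that motivates the INT_MAX bound, continues past the end of the hunk, so I could not confirm how st_size is converted there.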