[PATCH] Avoid information leakage with badly formed download header
Parsing of Content-Disposition relies on well formed headers. A malformed header such as: Content-Disposition=""; will result in a strndup(payload->content_disp_name, -1, ptr), which will copy memory until it hits a \0. Prevent this by only copying the value if it exists. Fixes FS#73704. Signed-off-by: Allan McRae <allan@archlinux.org> --- lib/libalpm/dload.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/libalpm/dload.c b/lib/libalpm/dload.c index a64f405f..7c27c3ea 100644 --- a/lib/libalpm/dload.c +++ b/lib/libalpm/dload.c @@ -295,8 +295,11 @@ static size_t dload_parseheader_cb(void *ptr, size_t size, size_t nmemb, void *u endptr--; } - STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1, - RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize)); + /* avoid information leakage with badly formed headers */ + if(endptr > fptr) { + STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1, + RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize)); + } } } -- 2.35.1
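Review bot: The new guard `if(endptr > fptr)` in dload_parseheader_cb also skips the case `endptr == fptr`, where the copy length `endptr - fptr + 1` is 1 and the value is a legitimate single-character name. Using `endptr >= fptr` would still reject the malformed case from the commit message (computed length of -1) without dropping one-character filenames. Separately, when the branch is not taken, `payload->content_disp_name` is left as it was and the callback continues with no error or log message. The comment should say that an unset name is the intended result for an empty value, and a regression test feeding the `Content-Disposition="";` header from the report would pin the behaviour down.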