From owner-svn-src-vendor@freebsd.org  Fri Aug 26 22:02:38 2016
Return-Path: <owner-svn-src-vendor@freebsd.org>
Delivered-To: svn-src-vendor@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id E9412B76D33;
 Fri, 26 Aug 2016 22:02:38 +0000 (UTC) (envelope-from mm@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id BC476178;
 Fri, 26 Aug 2016 22:02:38 +0000 (UTC) (envelope-from mm@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u7QM2ba9019320;
 Fri, 26 Aug 2016 22:02:37 GMT (envelope-from mm@FreeBSD.org)
Received: (from mm@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id u7QM2bvq019315;
 Fri, 26 Aug 2016 22:02:37 GMT (envelope-from mm@FreeBSD.org)
Message-Id: <201608262202.u7QM2bvq019315@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: mm set sender to mm@FreeBSD.org
 using -f
From: Martin Matuska <mm@FreeBSD.org>
Date: Fri, 26 Aug 2016 22:02:37 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-vendor@freebsd.org
Subject: svn commit: r304866 - in vendor/libarchive/dist: libarchive tar
X-SVN-Group: vendor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-vendor@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SVN commit messages for the vendor work area tree
 <svn-src-vendor.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-vendor>, 
 <mailto:svn-src-vendor-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-vendor/>
List-Post: <mailto:svn-src-vendor@freebsd.org>
List-Help: <mailto:svn-src-vendor-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-vendor>,
 <mailto:svn-src-vendor-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2016 22:02:39 -0000

Author: mm
Date: Fri Aug 26 22:02:37 2016
New Revision: 304866
URL: https://svnweb.freebsd.org/changeset/base/304866

Log:
  Update vendor/libarchive to git 299c6bf136b9bc328b498505f24f87e732b73ff6
  
  Vendor issues fixed:
  Issue #731: Reject tar entries >= INT64_MAX
  Issue #744 (part of Issue #743): Enforce sandbox with very long pathnames
  Issue #748: Zip decompression failure with highly-compressed data
  Issue #767: Buffer overflow printing a filename
  Issue #770: Be more careful about extra_length

Modified:
  vendor/libarchive/dist/libarchive/archive_read_support_format_tar.c
  vendor/libarchive/dist/libarchive/archive_read_support_format_zip.c
  vendor/libarchive/dist/libarchive/archive_write_disk_acl.c
  vendor/libarchive/dist/libarchive/archive_write_disk_posix.c
  vendor/libarchive/dist/tar/util.c

Modified: vendor/libarchive/dist/libarchive/archive_read_support_format_tar.c
==============================================================================
--- vendor/libarchive/dist/libarchive/archive_read_support_format_tar.c	Fri Aug 26 21:28:24 2016	(r304865)
+++ vendor/libarchive/dist/libarchive/archive_read_support_format_tar.c	Fri Aug 26 22:02:37 2016	(r304866)
@@ -1128,8 +1128,15 @@ header_common(struct archive_read *a, st
 	if (tar->entry_bytes_remaining < 0) {
 		tar->entry_bytes_remaining = 0;
 		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
-		    "Tar entry has negative size?");
-		err = ARCHIVE_WARN;
+		    "Tar entry has negative size");
+		return (ARCHIVE_FATAL);
+	}
+	if (tar->entry_bytes_remaining == INT64_MAX) {
+		/* Note: tar_atol returns INT64_MAX on overflow */
+		tar->entry_bytes_remaining = 0;
+		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
+		    "Tar entry size overflow");
+		return (ARCHIVE_FATAL);
 	}
 	tar->realsize = tar->entry_bytes_remaining;
 	archive_entry_set_size(entry, tar->entry_bytes_remaining);

Modified: vendor/libarchive/dist/libarchive/archive_read_support_format_zip.c
==============================================================================
--- vendor/libarchive/dist/libarchive/archive_read_support_format_zip.c	Fri Aug 26 21:28:24 2016	(r304865)
+++ vendor/libarchive/dist/libarchive/archive_read_support_format_zip.c	Fri Aug 26 22:02:37 2016	(r304866)
@@ -418,18 +418,30 @@ zip_time(const char *p)
  *	id1+size1+data1 + id2+size2+data2 ...
  *  triplets.  id and size are 2 bytes each.
  */
-static void
-process_extra(const char *p, size_t extra_length, struct zip_entry* zip_entry)
+static int
+process_extra(struct archive_read *a, const char *p, size_t extra_length, struct zip_entry* zip_entry)
 {
 	unsigned offset = 0;
 
-	while (offset < extra_length - 4) {
+	if (extra_length == 0) {
+		return ARCHIVE_OK;
+	}
+
+	if (extra_length < 4) {
+		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+		    "Too-small extra data: Need at least 4 bytes, but only found %d bytes", (int)extra_length);
+		return ARCHIVE_FAILED;
+	}
+	while (offset <= extra_length - 4) {
 		unsigned short headerid = archive_le16dec(p + offset);
 		unsigned short datasize = archive_le16dec(p + offset + 2);
 
 		offset += 4;
 		if (offset + datasize > extra_length) {
-			break;
+			archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+			    "Extra data overflow: Need %d bytes but only found %d bytes",
+			    (int)datasize, (int)(extra_length - offset));
+			return ARCHIVE_FAILED;
 		}
 #ifdef DEBUG
 		fprintf(stderr, "Header id 0x%04x, length %d\n",
@@ -715,13 +727,13 @@ process_extra(const char *p, size_t extr
 		}
 		offset += datasize;
 	}
-#ifdef DEBUG
-	if (offset != extra_length)
-	{
-		fprintf(stderr,
-		    "Extra data field contents do not match reported size!\n");
+	if (offset != extra_length) {
+		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+		    "Malformed extra data: Consumed %d bytes of %d bytes",
+		    (int)offset, (int)extra_length);
+		return ARCHIVE_FAILED;
 	}
-#endif
+	return ARCHIVE_OK;
 }
 
 /*
@@ -840,7 +852,9 @@ zip_read_local_file_header(struct archiv
 		return (ARCHIVE_FATAL);
 	}
 
-	process_extra(h, extra_length, zip_entry);
+	if (ARCHIVE_OK != process_extra(a, h, extra_length, zip_entry)) {
+		return ARCHIVE_FATAL;
+	}
 	__archive_read_consume(a, extra_length);
 
 	/* Work around a bug in Info-Zip: When reading from a pipe, it
@@ -1293,7 +1307,7 @@ zip_read_data_deflate(struct archive_rea
 	    && bytes_avail > zip->entry_bytes_remaining) {
 		bytes_avail = (ssize_t)zip->entry_bytes_remaining;
 	}
-	if (bytes_avail <= 0) {
+	if (bytes_avail < 0) {
 		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
 		    "Truncated ZIP file body");
 		return (ARCHIVE_FATAL);
@@ -2691,7 +2705,9 @@ slurp_central_directory(struct archive_r
 			    "Truncated ZIP file header");
 			return ARCHIVE_FATAL;
 		}
-		process_extra(p + filename_length, extra_length, zip_entry);
+		if (ARCHIVE_OK != process_extra(a, p + filename_length, extra_length, zip_entry)) {
+			return ARCHIVE_FATAL;
+		}
 
 		/*
 		 * Mac resource fork files are stored under the

Modified: vendor/libarchive/dist/libarchive/archive_write_disk_acl.c
==============================================================================
--- vendor/libarchive/dist/libarchive/archive_write_disk_acl.c	Fri Aug 26 21:28:24 2016	(r304865)
+++ vendor/libarchive/dist/libarchive/archive_write_disk_acl.c	Fri Aug 26 22:02:37 2016	(r304866)
@@ -138,6 +138,7 @@ set_acl(struct archive *a, int fd, const
 	acl_permset_t	 acl_permset;
 #ifdef ACL_TYPE_NFS4
 	acl_flagset_t	 acl_flagset;
+	int		 r;
 #endif
 	int		 ret;
 	int		 ae_type, ae_permset, ae_tag, ae_id;
@@ -145,7 +146,7 @@ set_acl(struct archive *a, int fd, const
 	gid_t		 ae_gid;
 	const char	*ae_name;
 	int		 entries;
-	int		 i, r;
+	int		 i;
 
 	ret = ARCHIVE_OK;
 	entries = archive_acl_reset(abstract_acl, ae_requested_type);

Modified: vendor/libarchive/dist/libarchive/archive_write_disk_posix.c
==============================================================================
--- vendor/libarchive/dist/libarchive/archive_write_disk_posix.c	Fri Aug 26 21:28:24 2016	(r304865)
+++ vendor/libarchive/dist/libarchive/archive_write_disk_posix.c	Fri Aug 26 22:02:37 2016	(r304866)
@@ -2401,8 +2401,18 @@ check_symlinks(struct archive_write_disk
 		r = lstat(a->name, &st);
 		if (r != 0) {
 			/* We've hit a dir that doesn't exist; stop now. */
-			if (errno == ENOENT)
+			if (errno == ENOENT) {
 				break;
+			} else {
+				/* Note: This effectively disables deep directory
+				 * support when security checks are enabled.
+				 * Otherwise, very long pathnames that trigger
+				 * an error here could evade the sandbox.
+				 * TODO: We could do better, but it would probably
+				 * require merging the symlink checks with the
+				 * deep-directory editing. */
+				return (ARCHIVE_FAILED);
+			}
 		} else if (S_ISLNK(st.st_mode)) {
 			if (c == '\0') {
 				/*

Modified: vendor/libarchive/dist/tar/util.c
==============================================================================
--- vendor/libarchive/dist/tar/util.c	Fri Aug 26 21:28:24 2016	(r304865)
+++ vendor/libarchive/dist/tar/util.c	Fri Aug 26 22:02:37 2016	(r304866)
@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, .
 		}
 
 		/* If our output buffer is full, dump it and keep going. */
-		if (i > (sizeof(outbuff) - 20)) {
+		if (i > (sizeof(outbuff) - 128)) {
 			outbuff[i] = '\0';
 			fprintf(f, "%s", outbuff);
 			i = 0;