--- cpio-2.11/src/copyin.c 2010-02-15 10:02:23.000000000 +0000 +++ cpio-2.11/src/copyin.c.new 2015-06-25 19:16:47.788864922 +0000 @@ -125,9 +125,29 @@ tape_skip_padding (int in_file_des, off_ tape_toss_input (in_file_des, pad); } - +static char * +get_link_name (struct cpio_file_stat *file_hdr, int in_file_des) +{ + char *link_name; + + if (file_hdr->c_filesize < 0 || file_hdr->c_filesize > SIZE_MAX-1) + { + error (0, 0, _("%s: stored filename length is out of range"), + file_hdr->c_name); + link_name = NULL; + } + else + { + link_name = xmalloc (file_hdr->c_filesize + 1); + tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize); + link_name[file_hdr->c_filesize] = '\0'; + tape_skip_padding (in_file_des, file_hdr->c_filesize); + } + return link_name; +} + static void -list_file(struct cpio_file_stat* file_hdr, int in_file_des) +list_file (struct cpio_file_stat* file_hdr, int in_file_des) { if (verbose_flag) { @@ -136,15 +156,12 @@ list_file(struct cpio_file_stat* file_hd { if (archive_format != arf_tar && archive_format != arf_ustar) { - char *link_name = NULL; /* Name of hard and symbolic links. */ - - link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1); - link_name[file_hdr->c_filesize] = '\0'; - tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize); - long_format (file_hdr, link_name); - free (link_name); - tape_skip_padding (in_file_des, file_hdr->c_filesize); - return; + char *link_name = get_link_name (file_hdr, in_file_des); + if (link_name) + { + long_format (file_hdr, link_name); + free (link_name); + } } else { @@ -650,10 +667,7 @@ copyin_link(struct cpio_file_stat *file_ if (archive_format != arf_tar && archive_format != arf_ustar) { - link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1); - link_name[file_hdr->c_filesize] = '\0'; - tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize); - tape_skip_padding (in_file_des, file_hdr->c_filesize); + link_name = get_link_name (file_hdr, in_file_des); } else {