diff -ru docker-ce/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go docker-ce-modified/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
--- docker-ce/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go 2017-07-14 20:34:55.000000000 -0700
+++ docker-ce-modified/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go 2017-12-21 14:16:54.564751961 -0800
@@ -2,7 +2,6 @@
 
 import (
 	"io"
-	"io/ioutil"
 
 	"github.com/vbatts/tar-split/archive/tar"
 	"github.com/vbatts/tar-split/tar/storage"
@@ -119,20 +118,34 @@
 		}
 	}
 
-	// it is allowable, and not uncommon that there is further padding on the
-	// end of an archive, apart from the expected 1024 null bytes.
-	remainder, err := ioutil.ReadAll(outputRdr)
-	if err != nil && err != io.EOF {
-		pW.CloseWithError(err)
-		return
-	}
-	_, err = p.AddEntry(storage.Entry{
-		Type: storage.SegmentType,
-		Payload: remainder,
-	})
-	if err != nil {
-		pW.CloseWithError(err)
-		return
+	// It is allowable, and not uncommon that there is further padding on
+	// the end of an archive, apart from the expected 1024 null bytes. We
+	// do this in chunks rather than in one go to avoid cases where a
+	// maliciously crafted tar file tries to trick us into reading many GBs
+	// into memory.
+	const paddingChunkSize = 1024 * 1024
+	var paddingChunk [paddingChunkSize]byte
+	for {
+		var isEOF bool
+		n, err := outputRdr.Read(paddingChunk[:])
+		if err != nil {
+			if err != io.EOF {
+				pW.CloseWithError(err)
+				return
+			}
+			isEOF = true
+		}
+		_, err = p.AddEntry(storage.Entry{
+			Type: storage.SegmentType,
+			Payload: paddingChunk[:n],
+		})
+		if err != nil {
+			pW.CloseWithError(err)
+			return
+		}
+		if isEOF {
+			break
+		}
 	}
 	pW.Close()
 }()
diff -ru docker-ce/components/engine/vendor.conf docker-ce-modified/components/engine/vendor.conf
--- docker-ce/components/engine/vendor.conf 2017-07-14 20:34:55.000000000 -0700
+++ docker-ce-modified/components/engine/vendor.conf 2017-12-21 14:18:20.250968883 -0800
@@ -50,7 +50,7 @@
 
 # get graph and distribution packages
 github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621
-github.com/vbatts/tar-split v0.10.1
+github.com/vbatts/tar-split v0.10.2
 github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
 
 # get go-zfs packages
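Review bot: The `Payload: paddingChunk[:n]` passed to `p.AddEntry` aliases a buffer that the next `outputRdr.Read` overwrites, so the memory bound this hunk introduces is only safe if `AddEntry` copies or fully serializes the payload before it returns; that invariant is not visible here and deserves a comment next to the `var paddingChunk` declaration, e.g. `// paddingChunk is reused on every iteration: AddEntry must copy or fully consume Payload before returning.`, or a `bytes.Clone`-style copy if it does not hold. A second point is that when the reader ends on a chunk boundary, or when there is no trailing padding at all, the final `Read` returns `0, io.EOF` and an empty `SegmentType` entry is still recorded; the old `ioutil.ReadAll` path emitted exactly one trailing entry, so archives with padding now yield an extra empty segment in the metadata, which is presumably harmless on reassembly but changes the emitted entries and could be avoided with `if n > 0 || !isEOF {` around the `AddEntry` call, provided nothing depends on a trailing entry always being present. The loop also treats a `0, nil` result from `Read` as a normal iteration, which is permitted by the `io.Reader` contract but would record empty entries until the reader makes progress. The enclosing goroutine closure starts outside this hunk.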