
Mercurial > hg > plan9front / changeset: tar: fix memory corruption in extract1 (thanks petter)

changeset 7425: 1d6a49358dd8
parent 7424: cd934c6c7513
child 7426: 513ef6e6c0c9
author: cinap_lenrek@felloff.net
date: Sat, 02 Nov 2019 14:17:34 +0100
files: sys/src/cmd/tar.c
description: tar: fix memory corruption in extract1 (thanks petter)

extract1() expects two extra bytes to be available before the
fname buffer so it can prepend ./ before the name. this
used to be the case with name(), but was violated when
long name support was added and getname() was used in
place of name() which did not reserve the 2 extra bytes.

this change reserves two extra bytes in the getname()'s
static buffer and also removes the extra copy as name()
already makes a copy.
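--- a/sys/src/cmd/tar.c
+++ b/sys/src/cmd/tar.c
@@ -1138,7 +1138,7 @@ wrmeta(int fd, Hdr *hp, long mtime, int 
 
 /*
  * copy a file from the archive into the filesystem.
- * fname is result of name(), so has two extra bytes at beginning.
+ * fname is result of getname(), so has two extra bytes at beginning.
  */
 static void
 extract1(int ar, Hdr *hp, char *fname)
@@ -1214,7 +1214,7 @@ skip(int ar, Hdr *hp, char *fname)
 static char*
 getname(int ar, Hdr *hp)
 {
-	static char namebuf[Maxlongname+1], *nextname = nil;
+	static char buf[2+Maxlongname+1], *namebuf = buf+2, *nextname = nil;
 	ulong blksleft, blksread;
 	char *fname, *p;
 	int n;
@@ -1243,10 +1243,6 @@ getname(int ar, Hdr *hp)
 		*p = '\0';
 		fname = nil;
 		nextname = namebuf;
-	} else {
-		namebuf[Maxlongname] = '\0';
-		strncpy(namebuf, fname, Maxlongname);
-		fname = namebuf;
 	}
 	return fname;
 }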
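Review bot: The two-byte-prefix contract that this commit restores is still undocumented at getname() itself; only the `*namebuf = buf+2` initializer carries it, and the same contract was silently lost once before when getname() replaced name() in extract1()'s caller. A comment above the function, e.g. `/* returned pointer has two writable bytes before it: extract1() prepends "./" in place; both name() and namebuf reserve them */`, would make the next refactor of either source less likely to reintroduce the out-of-bounds write. With the else branch removed, the non-longname path now returns name()'s buffer directly, so the Maxlongname truncation that used to apply there no longer does — presumably name() bounds its own copy, but that is outside this hunk and worth confirming. The buffer seen by the longname reader is unchanged in size (namebuf still spans Maxlongname+1 bytes), so the existing bounds on that path should be unaffected. getname()'s body between the declarations and the final branch lies outside the hunk.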