tar/one-top-level-avoid-a-heap-buffer-overflow.patch

From b531801d6f49d64a126720e6004aae7c800764b2 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@fb.com>
Date: Sat, 7 Apr 2018 08:41:46 -0700
Subject: [PATCH 16/58] --one-top-level: avoid a heap-buffer-overflow

* NEWS: Mention this.
* src/suffix.c (strip_compression_suffix): Fix string comparison guard.
Without this change, some ASAN-enabled test runs would fail with the
following.  Also, strip an additional .tar suffix only if the just-
stripped suffix did not match /^\.t/".

==30815==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000002ed at pc 0x00000049d1f4 bp 0x7ffeb5906d50 sp 0x7ffeb5906500
READ of size 1 at 0x6020000002ed thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x49d1f3 in __interceptor_strncmp /j/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:407
    #1 0x5670f3 in strip_compression_suffix /j/tar/src/suffix.c:107
    #2 0x575788 in decode_options /j/tar/src/tar.c:2545
    #3 0x5760c0 in main /j/tar/src/tar.c:2708
    #4 0x7f105090df29 in __libc_start_main ../csu/libc-start.c:308
    #5 0x408629 in _start (/j/tar/src/tar+0x408629)

0x6020000002ed is located 3 bytes to the left of 6-byte region [0x6020000002f0,0x6020000002f6)
allocated by thread T0 here:
    #0 0x4d0710 in __interceptor_malloc /j/gcc/libsanitizer/asan/asan_malloc_linux.cc:86
    #1 0x4908ad in __interceptor_strndup /j/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:326
    #2 0x5cbcbd in xstrndup /j/tar/gnu/xstrndup.c:32
    #3 0x5a325b in base_name /j/tar/gnu/basename.c:57
    #4 0x575772 in decode_options /j/tar/src/tar.c:2544
    #5 0x5760c0 in main /j/tar/src/tar.c:2708
    #6 0x7f105090df29 in __libc_start_main ../csu/libc-start.c:308
---
 NEWS         |  7 +++++--
 src/suffix.c | 11 +++++++----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/suffix.c b/src/suffix.c
index 66b5694..d787ea8 100644
--- a/src/suffix.c
+++ b/src/suffix.c
@@ -62,7 +62,7 @@ find_compression_suffix (const char *name, size_t *ret_len)
     {
       size_t len;
       struct compression_suffix *p;
-      
+
       suf++;
       len = strlen (suf);
 
@@ -101,10 +101,14 @@ strip_compression_suffix (const char *name)
 {
   char *s = NULL;
   size_t len;
+  struct compression_suffix const *p = find_compression_suffix (name, &len);
 
-  if (find_compression_suffix (name, &len))
+  if (p)
     {
-      if (strncmp (name + len - 4, ".tar", 4) == 0)
+      /* Strip an additional ".tar" suffix, but only if the just-stripped
+	 "outer" suffix did not begin with "t".  */
+      if (len > 4 && strncmp (name + len - 4, ".tar", 4) == 0
+	  && p->suffix[0] != 't')
 	len -= 4;
       if (len == 0)
 	return NULL;
@@ -114,4 +118,3 @@ strip_compression_suffix (const char *name)
     }
   return s;
 }
-  
-- 
2.19.1
Package init 2019-09-30 11:18:06 -04:00			`From b531801d6f49d64a126720e6004aae7c800764b2 Mon Sep 17 00:00:00 2001`
			`From: Jim Meyering <meyering@fb.com>`
			`Date: Sat, 7 Apr 2018 08:41:46 -0700`
			`Subject: [PATCH 16/58] --one-top-level: avoid a heap-buffer-overflow`

			`* NEWS: Mention this.`
			`* src/suffix.c (strip_compression_suffix): Fix string comparison guard.`
			`Without this change, some ASAN-enabled test runs would fail with the`
			`following. Also, strip an additional .tar suffix only if the just-`
			`stripped suffix did not match /^\.t/".`

			`==30815==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000002ed at pc 0x00000049d1f4 bp 0x7ffeb5906d50 sp 0x7ffeb5906500`
			`READ of size 1 at 0x6020000002ed thread T0`
			`SCARINESS: 12 (1-byte-read-heap-buffer-overflow)`
			`#0 0x49d1f3 in __interceptor_strncmp /j/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:407`
			`#1 0x5670f3 in strip_compression_suffix /j/tar/src/suffix.c:107`
			`#2 0x575788 in decode_options /j/tar/src/tar.c:2545`
			`#3 0x5760c0 in main /j/tar/src/tar.c:2708`
			`#4 0x7f105090df29 in __libc_start_main ../csu/libc-start.c:308`
			`#5 0x408629 in _start (/j/tar/src/tar+0x408629)`

			`0x6020000002ed is located 3 bytes to the left of 6-byte region [0x6020000002f0,0x6020000002f6)`
			`allocated by thread T0 here:`
			`#0 0x4d0710 in __interceptor_malloc /j/gcc/libsanitizer/asan/asan_malloc_linux.cc:86`
			`#1 0x4908ad in __interceptor_strndup /j/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:326`
			`#2 0x5cbcbd in xstrndup /j/tar/gnu/xstrndup.c:32`
			`#3 0x5a325b in base_name /j/tar/gnu/basename.c:57`
			`#4 0x575772 in decode_options /j/tar/src/tar.c:2544`
			`#5 0x5760c0 in main /j/tar/src/tar.c:2708`
			`#6 0x7f105090df29 in __libc_start_main ../csu/libc-start.c:308`
			`---`
			`NEWS \| 7 +++++--`
			`src/suffix.c \| 11 +++++++----`
			`2 files changed, 12 insertions(+), 6 deletions(-)`

			`diff --git a/src/suffix.c b/src/suffix.c`
			`index 66b5694..d787ea8 100644`
			`--- a/src/suffix.c`
			`+++ b/src/suffix.c`
			`@@ -62,7 +62,7 @@ find_compression_suffix (const char name, size_t ret_len)`
			`{`
			`size_t len;`
			`struct compression_suffix *p;`
			`-`
			`+`
			`suf++;`
			`len = strlen (suf);`

			`@@ -101,10 +101,14 @@ strip_compression_suffix (const char *name)`
			`{`
			`char *s = NULL;`
			`size_t len;`
			`+ struct compression_suffix const *p = find_compression_suffix (name, &len);`

			`- if (find_compression_suffix (name, &len))`
			`+ if (p)`
			`{`
			`- if (strncmp (name + len - 4, ".tar", 4) == 0)`
			`+ /* Strip an additional ".tar" suffix, but only if the just-stripped`
			`+ "outer" suffix did not begin with "t". */`
			`+ if (len > 4 && strncmp (name + len - 4, ".tar", 4) == 0`
			`+ && p->suffix[0] != 't')`
			`len -= 4;`
			`if (len == 0)`
			`return NULL;`
			`@@ -114,4 +118,3 @@ strip_compression_suffix (const char *name)`
			`}`
			`return s;`
			`}`
			`-`
			`--`
			`2.19.1`