74 lines
2.7 KiB
Diff
74 lines
2.7 KiB
Diff
From b531801d6f49d64a126720e6004aae7c800764b2 Mon Sep 17 00:00:00 2001
|
|
From: Jim Meyering <meyering@fb.com>
|
|
Date: Sat, 7 Apr 2018 08:41:46 -0700
|
|
Subject: [PATCH 16/58] --one-top-level: avoid a heap-buffer-overflow
|
|
|
|
* NEWS: Mention this.
|
|
* src/suffix.c (strip_compression_suffix): Fix string comparison guard.
|
|
Without this change, some ASAN-enabled test runs would fail with the
|
|
following. Also, strip an additional .tar suffix only if the just-
|
|
stripped suffix did not match /^\.t/".
|
|
|
|
==30815==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000002ed at pc 0x00000049d1f4 bp 0x7ffeb5906d50 sp 0x7ffeb5906500
|
|
READ of size 1 at 0x6020000002ed thread T0
|
|
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
|
|
#0 0x49d1f3 in __interceptor_strncmp /j/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:407
|
|
#1 0x5670f3 in strip_compression_suffix /j/tar/src/suffix.c:107
|
|
#2 0x575788 in decode_options /j/tar/src/tar.c:2545
|
|
#3 0x5760c0 in main /j/tar/src/tar.c:2708
|
|
#4 0x7f105090df29 in __libc_start_main ../csu/libc-start.c:308
|
|
#5 0x408629 in _start (/j/tar/src/tar+0x408629)
|
|
|
|
0x6020000002ed is located 3 bytes to the left of 6-byte region [0x6020000002f0,0x6020000002f6)
|
|
allocated by thread T0 here:
|
|
#0 0x4d0710 in __interceptor_malloc /j/gcc/libsanitizer/asan/asan_malloc_linux.cc:86
|
|
#1 0x4908ad in __interceptor_strndup /j/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:326
|
|
#2 0x5cbcbd in xstrndup /j/tar/gnu/xstrndup.c:32
|
|
#3 0x5a325b in base_name /j/tar/gnu/basename.c:57
|
|
#4 0x575772 in decode_options /j/tar/src/tar.c:2544
|
|
#5 0x5760c0 in main /j/tar/src/tar.c:2708
|
|
#6 0x7f105090df29 in __libc_start_main ../csu/libc-start.c:308
|
|
---
|
|
NEWS | 7 +++++--
|
|
src/suffix.c | 11 +++++++----
|
|
2 files changed, 12 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/src/suffix.c b/src/suffix.c
|
|
index 66b5694..d787ea8 100644
|
|
--- a/src/suffix.c
|
|
+++ b/src/suffix.c
|
|
@@ -62,7 +62,7 @@ find_compression_suffix (const char *name, size_t *ret_len)
|
|
{
|
|
size_t len;
|
|
struct compression_suffix *p;
|
|
-
|
|
+
|
|
suf++;
|
|
len = strlen (suf);
|
|
|
|
@@ -101,10 +101,14 @@ strip_compression_suffix (const char *name)
|
|
{
|
|
char *s = NULL;
|
|
size_t len;
|
|
+ struct compression_suffix const *p = find_compression_suffix (name, &len);
|
|
|
|
- if (find_compression_suffix (name, &len))
|
|
+ if (p)
|
|
{
|
|
- if (strncmp (name + len - 4, ".tar", 4) == 0)
|
|
+ /* Strip an additional ".tar" suffix, but only if the just-stripped
|
|
+ "outer" suffix did not begin with "t". */
|
|
+ if (len > 4 && strncmp (name + len - 4, ".tar", 4) == 0
|
|
+ && p->suffix[0] != 't')
|
|
len -= 4;
|
|
if (len == 0)
|
|
return NULL;
|
|
@@ -114,4 +118,3 @@ strip_compression_suffix (const char *name)
|
|
}
|
|
return s;
|
|
}
|
|
-
|
|
--
|
|
2.19.1
|
|
|