bug-gnu-utils

tar: memory corruption bug with TAR_OPTIONS and old-style option syntax


From: Jim Meyering
Subject: tar: memory corruption bug with TAR_OPTIONS and old-style option syntax
Date: Thu, 30 Jan 2003 16:12:30 +0100

Package: tar
Version: 1.13.25-5
Severity: minor
Tags: upstream patch



Hi Paul,

There is a bug in tar-1.13.25:

  $ touch f; TAR_OPTIONS='--numeric-owner' /bin/tar cf a f
  Segmentation fault
  [Exit 139 (SIGSEGV)]

With GNU libc's malloc debugging enabled, you can get a little
more information from the command line:

  $ touch f; MALLOC_CHECK_=1 TAR_OPTIONS='--numeric-owner' /bin/tar cf a f
  malloc: using debugging hooks
  malloc: top chunk is corrupt


Without the following fix, the loop in prepend_default_options

      while ((*pp++ = *argv++))
        continue;

may (depending on what argv looks like) clobber memory beyond the
end of the region PP is supposed to be accessing.


Here's a fix:

2003-01-30  Jim Meyering  <address@hidden>

        Avoid memory corruption when using TAR_OPTIONS along with options
        specified using the old-style option syntax.

        * src/tar.c (decode_options): Allocate space for, and copy, the
        trailing NULL argv pointer, too.  prepend_default_options relies on it.
        * tests/options.sh: New file, to test for the above fix.
        * tests/Makefile.am (TESTS): Add options.sh


diff -F '^[_a-zA-Z$]' -Npru tar-1.13.25-orig/src/tar.c tar-1.13.25/src/tar.c
--- tar-1.13.25-orig/src/tar.c  2001-09-21 02:11:27.000000000 +0200
+++ tar-1.13.25/src/tar.c       2003-01-30 14:57:33.000000000 +0100
@@ -534,7 +534,7 @@ decode_options (int argc, char **argv)
       /* Allocate a new argument array, and copy program name in it.  */
 
       new_argc = argc - 1 + strlen (argv[1]);
-      new_argv = xmalloc (new_argc * sizeof (char *));
+      new_argv = xmalloc ((new_argc + 1) * sizeof (char *));
       in = argv;
       out = new_argv;
       *out++ = *in++;
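
Review bot: The `+ 1` in the `xmalloc` call is not explained at the allocation site, and the comment above it still mentions only copying the program name. `new_argc` remains the count of real arguments while the array now has one more slot than that, so a short comment saying the extra slot holds the terminating NULL that prepend_default_options relies on would keep a later cleanup from trimming it back to `new_argc * sizeof (char *)`.
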
@@ -559,7 +559,7 @@ decode_options (int argc, char **argv)
 
       /* Copy all remaining options.  */
 
-      while (in < argv + argc)
+      while (in <= argv + argc)
        *out++ = *in++;
 
       /* Replace the old option list by the new one.  */
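
Review bot: The new bound `in <= argv + argc` obtains the terminator by reading `argv[argc]`, which is NULL only if the caller passed a NULL-terminated vector, and at a glance the condition reads like an off-by-one. Keeping `in < argv + argc` and following the loop with an explicit `*out = NULL;` would state the intent directly and would not depend on what the caller stored in that slot. Either way, the "Copy all remaining options" comment should mention that the terminator is part of what gets copied.
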
diff -F '^[_a-zA-Z$]' -Npru tar-1.13.25-orig/tests/Makefile.am 
tar-1.13.25/tests/Makefile.am
--- tar-1.13.25-orig/tests/Makefile.am  2001-09-23 08:49:45.000000000 +0200
+++ tar-1.13.25/tests/Makefile.am       2003-01-30 14:57:54.000000000 +0100
@@ -27,7 +27,7 @@ TESTS = version.sh \
   append.sh delete01.sh delete02.sh delete03.sh \
   extrac01.sh extrac02.sh extrac03.sh extrac04.sh \
   gzip.sh incremen.sh ignfail.sh \
-  old.sh volume.sh
+  old.sh options.sh volume.sh
 
 genfile_SOURCES = genfile.c
 EXTRA_DIST = after before preset.in $(TESTS)
diff -F '^[_a-zA-Z$]' -Npru tar-1.13.25-orig/tests/options.sh 
tar-1.13.25/tests/options.sh
--- tar-1.13.25-orig/tests/options.sh   1970-01-01 01:00:00.000000000 +0100
+++ tar-1.13.25/tests/options.sh        2003-01-30 14:59:38.000000000 +0100
@@ -0,0 +1,16 @@
+#! /bin/sh
+# Ensure that TAR_OPTIONS works in conjunction with old-style options.
+
+. ./preset
+. $srcdir/before
+
+set -e
+echo > file1
+TAR_OPTIONS=--numeric-owner tar chof archive file1
+tar tf archive
+
+out="\
+file1
+"
+
+. $srcdir/after
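
Review bot: The new test checks only the `tar tf archive` listing, so it catches a regression only when the overrun happens to crash tar or damage the output, and the report itself says the clobbering depends on what argv looks like. On glibc hosts, running the `tar chof archive file1` line with `MALLOC_CHECK_` set to a value that aborts on heap corruption would make the failure deterministic instead of layout-dependent. A comment in the script naming the decode_options fix it guards would also help whoever sees it fail later.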

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux xx 2.4.19 #1 SMP Sun Oct 13 22:03:45 CEST 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages tar depends on:
ii  libc6                         2.3.1-10   GNU C Library: Shared libraries an

-- no debconf information
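
The failure mode described in the report, as an added C example that is not tar's source and not part of the original message. It assumes a simplified old-style expansion in which option arguments keep their position; `expand_old_style`, `keep_null` and `entries_before_null` are hypothetical names, and the bounded scan stands in for the `while ((*pp++ = *argv++))` loop so that the missing terminator is reported rather than overrun.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified old-style expansion ("cf" -> "-c" "-f"); option arguments
   keep their position.  keep_null selects the patched sizing.  *slots
   receives the number of pointer slots actually allocated.  */
char **expand_old_style (int argc, char **argv, int keep_null, int *new_argc, int *slots)
{
  int n = argc - 1 + (int) strlen (argv[1]);
  char **new_argv, **out;
  *new_argc = n;
  *slots = keep_null ? n + 1 : n;
  out = new_argv = malloc ((size_t) *slots * sizeof *new_argv);
  if (!new_argv) abort ();
  *out++ = argv[0];
  for (const char *letter = argv[1]; *letter; letter++)
    {
      char *opt = malloc (3);
      if (!opt) abort ();
      opt[0] = '-'; opt[1] = *letter; opt[2] = '\0';
      *out++ = opt;
    }
  /* With keep_null, i == argc copies the trailing NULL as well.  */
  for (int i = 2; i < (keep_null ? argc + 1 : argc); i++)
    *out++ = argv[i];
  return new_argv;
}

/* Bounded stand-in for a copy-until-NULL loop: index of the terminator,
   or -1 if no NULL lies inside the allocation (the loop would overrun).  */
int entries_before_null (char **v, int slots)
{
  for (int i = 0; i < slots; i++)
    if (v[i] == NULL) return i;
  return -1;
}

int main (void)
{
  char a0[] = "tar", a1[] = "cf", a2[] = "a", a3[] = "f";  /* constructed input */
  char *argv[] = { a0, a1, a2, a3, NULL };
  int n, slots;
  char **v = expand_old_style (4, argv, 0, &n, &slots);
  printf ("unpatched: argc=%d terminator=%d\n", n, entries_before_null (v, slots));
  v = expand_old_style (4, argv, 1, &n, &slots);
  printf ("patched:   argc=%d terminator=%d\n", n, entries_before_null (v, slots));
  return 0;
}
```

A result of -1 means every allocated slot holds a live pointer, so any consumer that walks the vector until NULL has to leave the allocation to find one.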



