From 6f02669c7ba8da9d9bd0592b8c4f87f399e60061 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff
Date: Mon, 8 Mar 2010 12:27:23 +0200
Subject: [PATCH] Fix eventual memory override and fd exhaustion in create.c

Both bugs reported by Kamil Dudka.
* src/create.c (check_exclusion_tags): Do not keep pointer to a location within tagname: it may change after xrealloc. Use byte offset instead.
(dump_file0): Close fd before returning without dumping the directory.
---
 src/create.c | 12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/create.c b/src/create.c
index 209e428..c69d340 100644
--- a/src/create.c
+++ b/src/create.c
@@ -79,7 +79,7 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
 struct exclusion_tag *tag;
 size_t dlen = strlen (dirname);
 int addslash = dirname[dlen-1] != '/';
- char *nptr = NULL;
+ size_t noff = 0;
 for (tag = exclusion_tags; tag; tag = tag->next)
 {
@@ -90,14 +90,14 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
 tagname = xrealloc (tagname, tagsize);
 }
- if (!nptr)
+ if (noff == 0)
 {
 strcpy (tagname, dirname);
- nptr = tagname + dlen;
+ noff = dlen;
 if (addslash)
- *nptr++ = '/';
+ tagname[noff++] = '/';
 }
- strcpy (nptr, tag->name);
+ strcpy (tagname + noff, tag->name);
 if (access (tagname, F_OK) == 0 && (!tag->predicate || tag->predicate (tagname)))
 {
@@ -1591,6 +1591,8 @@ dump_file0 (struct tar_stat_info *st, const char *p,
 {
 exclusion_tag_warning (st->orig_file_name, tag_file_name, _("directory not dumped"));
+ if (fd >= 0)
+ close (fd);
 return;
 }
--
1.6.5
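Review bot: `dirname[dlen-1]` on the context line just above the changed declaration reads one byte before the string when `dirname` is empty, and the switch to `size_t noff` does not address that. The callers are not visible here, so an empty name may never reach this function, but a guard such as `int addslash = dlen > 0 && dirname[dlen-1] != '/';` would make it safe on its own. With that guard an empty `dirname` leaves `noff` at 0, so the prefix copy in the following hunk just repeats for each tag, which is harmless. The body of check_exclusion_tags continues outside this hunk.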
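Review bot: The reason for holding an offset rather than a pointer is not recorded where it is used, so a later cleanup could bring back the stale-pointer write that this hunk removes. I would add a comment above `if (noff == 0)`, for example `/* Keep an offset, not a pointer: xrealloc above may move tagname. */`. `strcpy (tagname + noff, tag->name)` is also unbounded and depends on the size check that precedes the `xrealloc` call, which lies outside the hunk. It is worth confirming that the computed size includes the optional slash and the terminating NUL.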
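Review bot: Only this one early return gains the `close (fd)`. dump_file0 starts well before the hunk and continues after it, so any other return taken after the directory descriptor is opened would leak it the same way and should be checked. If there are several such exits, a single cleanup label that does `if (fd >= 0) close (fd);` is easier to keep correct than a close before each return. The `fd >= 0` guard presumably relies on `fd` being set to a negative value on paths that never open the directory; that initialisation is not visible here.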