49a6d9c8ec
specially-crafted archive (#572149), realloc within check_exclusion_tags() caused invalid write(#570591)
From 6f02669c7ba8da9d9bd0592b8c4f87f399e60061 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org.ua>
Date: Mon, 8 Mar 2010 12:27:23 +0200
Subject: [PATCH] Fix eventual memory override and fd exhaustion in create.c
Both bugs reported by Kamil Dudka.
* src/create.c (check_exclusion_tags): Do not keep
pointer to a location within tagname: it may change
after xrealloc. Use byte offset instead.
(dump_file0): Close fd before returning without
dumping the directory.
---
src/create.c | 12 +++++++-----
1 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/create.c b/src/create.c
index 209e428..c69d340 100644
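--- a/src/create.c
+++ b/src/create.c
@@ -79,7 +79,7 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
 struct exclusion_tag *tag;
 size_t dlen = strlen (dirname);
 int addslash = dirname[dlen-1] != '/';
- char *nptr = NULL;
+ size_t noff = 0;
 
 for (tag = exclusion_tags; tag; tag = tag->next)
 {
@@ -90,14 +90,14 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
 tagname = xrealloc (tagname, tagsize);
 }
 
- if (!nptr)
+ if (noff == 0)
 {
 strcpy (tagname, dirname);
- nptr = tagname + dlen;
+ noff = dlen;
 if (addslash)
- *nptr++ = '/';
+ tagname[noff++] = '/';
 }
- strcpy (nptr, tag->name);
+ strcpy (tagname + noff, tag->name);
 if (access (tagname, F_OK) == 0
 && (!tag->predicate || tag->predicate (tagname)))
 {
@@ -1591,6 +1591,8 @@ dump_file0 (struct tar_stat_info *st, const char *p,
 {
 exclusion_tag_warning (st->orig_file_name, tag_file_name,
 _("directory not dumped"));
+ if (fd >= 0)
+ close (fd);
 return;
 }
 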
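Review bot: `noff == 0` in the second hunk of check_exclusion_tags now doubles as the "prefix not yet written" flag, and it rests on the context line `int addslash = dirname[dlen-1] != '/';`, which reads one byte before the string when `dirname` is empty; the patch leaves that read in place. Whether any caller can pass an empty name is not visible here, but `int addslash = dlen > 0 && dirname[dlen-1] != '/';` removes the out-of-bounds read, and with it an empty prefix is simply re-copied on each pass because `noff` stays 0. Both `strcpy` calls remain unbounded and depend on the `tagsize` computation above the hunk, which I cannot see; a comment at the `xrealloc` such as `/* tagname must hold dirname, optional '/', tag->name and NUL */` would record the invariant the offset fix relies on. The function begins and ends outside the hunks shown.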
--
1.6.5