Re: [Bug-cpio] Segfault when updating newc archives
From: Burton, Ross
Subject: Re: [Bug-cpio] Segfault when updating newc archives
Date: Wed, 28 Nov 2018 16:49:40 +0000
On Wed, 28 Nov 2018 at 14:32, Burton, Ross <address@hidden> wrote:
> https://gitlab.com/rossburton/cpio/commit/37b78fba8044411349ae791bcee98f55d4c0e442
> is an addition to the test suite which fails for me.
Consider a cpio archive with a single file in it. I'm appending a second file to it.
First file runs through process_copy_in(), ends up in
cpio_set_c_name(). buflen == 0 so c_name is malloc()'d and buflen
assigned to at least 32.
Second file called "FOO" later runs through process_copy_out,
cpio_set_c_name doesn't malloc as buflen != 0, doesn't realloc as
buflen > len(FOO). file_hdr->c_name remains unset, and is then the
target for a memmove. Segfault.
This cpio_set_c_name looks like it was attempting to use a single
buffer, but when appending an existing archive both process_copy_in
and process_copy_out have a file_hdr on the stack.
The ross branch at https://gitlab.com/rossburton/cpio/ has two hacks:
one to force the file_hdr to be zeroed in process_copy_out and another
to malloc if the c_name isn't set. They fix the problem for me but I
suspect a better solution would involve a bit more refactoring.
Ross
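The bug pattern described above, as an added illustration that is not cpio's own code and was not posted by Ross: a hypothetical name-setter that keeps the buffer length in a function-static variable while the buffer pointer lives in each caller's header struct, next to a variant that keeps the capacity in the struct so a second, separately allocated header cannot inherit the first header's bookkeeping. The struct and function names are constructed for the example; the buggy variant returns an error where the real code would dereference NULL, so the sequence can be run safely.

```c
/* Constructed example (not cpio source). Demonstrates why splitting buffer
 * state between a static length and a per-header pointer crashes when two
 * different headers go through the same setter, and one way to fix it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header: the name buffer is owned by the struct. */
struct file_hdr {
    char *c_name;
    size_t c_namesize;
};

/* Hypothetical buggy setter: 'buflen' describes the buffer of whichever
 * header was passed first. A fresh header (c_name == NULL) that asks for a
 * name fitting in that old length skips both malloc and realloc, so the
 * memmove would write through a NULL pointer. Returns -1 instead of
 * crashing so the sequence can be demonstrated. */
static int set_name_buggy(struct file_hdr *hdr, const char *name)
{
    static size_t buflen = 0;          /* shared across ALL headers */
    size_t len = strlen(name) + 1;

    if (buflen == 0) {
        buflen = len < 32 ? 32 : len;
        hdr->c_name = malloc(buflen);
        if (hdr->c_name == NULL) return -2;
    } else if (buflen < len) {
        /* realloc(NULL, n) behaves like malloc, so a NULL c_name only
         * survives to the memmove when the name fits the old buflen. */
        char *p = realloc(hdr->c_name, len);
        if (p == NULL) return -2;
        hdr->c_name = p;
        buflen = len;
    }
    if (hdr->c_name == NULL)
        return -1;                     /* the real bug: segfault here */
    memmove(hdr->c_name, name, len);
    hdr->c_namesize = len;
    return 0;
}

/* Fixed layout: capacity travels with the pointer it describes.
 * Callers must zero-initialise the struct (c_name == NULL, c_name_cap == 0). */
struct file_hdr_fixed {
    char *c_name;
    size_t c_name_cap;
    size_t c_namesize;
};

static int set_name_fixed(struct file_hdr_fixed *hdr, const char *name)
{
    size_t len = strlen(name) + 1;

    if (hdr->c_name == NULL || hdr->c_name_cap < len) {
        size_t cap = len < 32 ? 32 : len;
        char *p = realloc(hdr->c_name, cap);   /* malloc when c_name is NULL */
        if (p == NULL) return -2;
        hdr->c_name = p;
        hdr->c_name_cap = cap;
    }
    memmove(hdr->c_name, name, len);
    hdr->c_namesize = len;
    return 0;
}

/* Replays the reported sequence: header A is named first (buflen becomes
 * 32), then a fresh header B asks for the short name "FOO".
 * Returns -1, i.e. the point where the real code segfaults. */
int demo_buggy_sequence(void)
{
    struct file_hdr a = {0}, b = {0};
    int rc;
    if (set_name_buggy(&a, "first-file") != 0) return 99;
    rc = set_name_buggy(&b, "FOO");
    free(a.c_name);
    return rc;
}

/* Same sequence through the fixed setter, plus a grow past 32 bytes.
 * Returns 1 when every step succeeds. */
int demo_fixed_sequence(void)
{
    struct file_hdr_fixed a = {0}, b = {0};
    int ok = set_name_fixed(&a, "first-file") == 0
          && set_name_fixed(&b, "FOO") == 0
          && strcmp(b.c_name, "FOO") == 0
          && set_name_fixed(&b, "a-much-longer-name-than-thirty-two-bytes-long") == 0
          && b.c_name_cap > 32
          && strcmp(b.c_name, "a-much-longer-name-than-thirty-two-bytes-long") == 0;
    free(a.c_name);
    free(b.c_name);
    return ok;
}

int main(void)
{
    printf("buggy sequence: %d (-1 = would have dereferenced NULL)\n",
           demo_buggy_sequence());
    printf("fixed sequence: %d (1 = all steps ok)\n", demo_fixed_sequence());
    return 0;
}
```

The fixed variant is the "bit more refactoring" direction rather than the two hacks: zeroing the header in process_copy_out only papers over the NULL, and a malloc-if-unset check still leaves the static length describing a buffer that belongs to a different header, so a later realloc decision can be wrong. Keeping the capacity beside the pointer removes the shared state entirely.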