authorcinap_lenrek <cinap_lenrek@felloff.net>2019-11-02 14:17:34 +0100
committercinap_lenrek <cinap_lenrek@felloff.net>2019-11-02 14:17:34 +0100
commit37827f533bcfe73d8aff7088fbeee1eaa42e8094 (patch)
tree0e396ecb1bf9500830a4849d102a8840eccdcde3
parent638f860791e267893799d9a78d151a2e934941f3 (diff)
tar: fix memory corruption in extract1 (thanks petter)
extract1() expects two extra bytes to be available before the fname buffer so it can prepend ./ before the name. this used to be the case with name(), but was violated when long name support was added and getname() was used in place of name(), as getname() did not reserve the 2 extra bytes. this change reserves two extra bytes in getname()'s static buffer and also removes the extra copy, as name() already makes a copy.
-rw-r--r--sys/src/cmd/tar.c8
1 files changed, 2 insertions, 6 deletions
diff --git a/sys/src/cmd/tar.c b/sys/src/cmd/tar.c
index dc3d3536d..af2b5625a 100644
--- a/sys/src/cmd/tar.c
+++ b/sys/src/cmd/tar.c
@@ -1138,7 +1138,7 @@ wrmeta(int fd, Hdr *hp, long mtime, int mode) /* update metadata */
/*
* copy a file from the archive into the filesystem.
- * fname is result of name(), so has two extra bytes at beginning.
+ * fname is result of getname(), so has two extra bytes at beginning.
*/
static void
extract1(int ar, Hdr *hp, char *fname)
@@ -1214,7 +1214,7 @@ skip(int ar, Hdr *hp, char *fname)
static char*
getname(int ar, Hdr *hp)
{
- static char namebuf[Maxlongname+1], *nextname = nil;
+ static char buf[2+Maxlongname+1], *namebuf = buf+2, *nextname = nil;
ulong blksleft, blksread;
char *fname, *p;
int n;
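Review bot: The two bytes of headroom in `static char buf[2+Maxlongname+1]` are an unstated contract with extract1(), which per the commit message prepends `./` in front of the name it is handed. Nothing on the declaration says why the `2` is there, so a later edit could drop it and bring back the out-of-bounds write. I would add a comment above the declaration, e.g. `/* 2 bytes of headroom before namebuf: extract1() prepends "./" in place */`, and consider a named constant for the prefix length shared with name(). With the copy into namebuf removed in the last hunk, the short-name path presumably returns name()'s buffer directly; name() is outside this diff, so its reservation should be confirmed as well. getname()'s body continues outside this hunk.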
@@ -1243,10 +1243,6 @@ getname(int ar, Hdr *hp)
*p = '\0';
fname = nil;
nextname = namebuf;
- } else {
- namebuf[Maxlongname] = '\0';
- strncpy(namebuf, fname, Maxlongname);
- fname = namebuf;
}
return fname;
}