From: Jim Meyering <meyering@fb.com>
Date: Sat, 7 Apr 2018 15:41:46 +0000 (-0700)
Subject: --one-top-level: avoid a heap-buffer-overflow
X-Git-Tag: release_1_31~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b531801d6f49d64a126720e6004aae7c800764b2;p=thirdparty%2Ftar.git

--one-top-level: avoid a heap-buffer-overflow

* NEWS: Mention this.
* src/suffix.c (strip_compression_suffix): Fix string comparison guard.
Without this change, some ASAN-enabled test runs would fail with the
following.  Also, strip an additional .tar suffix only if the just-
stripped suffix did not match /^\.t/".

==30815==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000002ed at pc 0x00000049d1f4 bp 0x7ffeb5906d50 sp 0x7ffeb5906500
READ of size 1 at 0x6020000002ed thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x49d1f3 in __interceptor_strncmp /j/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:407
    #1 0x5670f3 in strip_compression_suffix /j/tar/src/suffix.c:107
    #2 0x575788 in decode_options /j/tar/src/tar.c:2545
    #3 0x5760c0 in main /j/tar/src/tar.c:2708
    #4 0x7f105090df29 in __libc_start_main ../csu/libc-start.c:308
    #5 0x408629 in _start (/j/tar/src/tar+0x408629)

0x6020000002ed is located 3 bytes to the left of 6-byte region [0x6020000002f0,0x6020000002f6)
allocated by thread T0 here:
    #0 0x4d0710 in __interceptor_malloc /j/gcc/libsanitizer/asan/asan_malloc_linux.cc:86
    #1 0x4908ad in __interceptor_strndup /j/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:326
    #2 0x5cbcbd in xstrndup /j/tar/gnu/xstrndup.c:32
    #3 0x5a325b in base_name /j/tar/gnu/basename.c:57
    #4 0x575772 in decode_options /j/tar/src/tar.c:2544
    #5 0x5760c0 in main /j/tar/src/tar.c:2708
    #6 0x7f105090df29 in __libc_start_main ../csu/libc-start.c:308
---

diff --git a/NEWS b/NEWS
index 998258e8..ee607ed2 100644
--- a/NEWS
+++ b/NEWS
@@ -1,9 +1,12 @@
-GNU tar NEWS - User visible changes. 2018-03-18
+GNU tar NEWS - User visible changes. 2018-04-07
 Please send GNU tar bug reports to <bug-tar@gnu.org>
 
 
 version 1.30.90 (Git)
 
+* Fix heap-buffer-overrun with --one-top-level.
+Bug introduced with the addition of that option in 1.28.
+
 * Support for zstd compression
 
 New option '--zstd' instructs tar to use zstd as compression program.
@@ -53,7 +56,7 @@ causing subsequent link extractions in that directory to fail.
 
 This new warning control option suppresses warning messages about
 unreadable files and directories. It has effect only if used together
-with the --ignore-failed-read option.  
+with the --ignore-failed-read option.
 
 * The --warnings=none option now suppresses all warnings
 
diff --git a/src/suffix.c b/src/suffix.c
index 66b5694c..d787ea8f 100644
--- a/src/suffix.c
+++ b/src/suffix.c
@@ -62,7 +62,7 @@ find_compression_suffix (const char *name, size_t *ret_len)
     {
       size_t len;
       struct compression_suffix *p;
-      
+
       suf++;
       len = strlen (suf);
 
@@ -101,10 +101,14 @@ strip_compression_suffix (const char *name)
 {
   char *s = NULL;
   size_t len;
+  struct compression_suffix const *p = find_compression_suffix (name, &len);
 
-  if (find_compression_suffix (name, &len))
+  if (p)
     {
-      if (strncmp (name + len - 4, ".tar", 4) == 0)
+      /* Strip an additional ".tar" suffix, but only if the just-stripped
+	 "outer" suffix did not begin with "t".  */
+      if (len > 4 && strncmp (name + len - 4, ".tar", 4) == 0
+	  && p->suffix[0] != 't')
 	len -= 4;
       if (len == 0)
 	return NULL;
@@ -114,4 +118,3 @@ strip_compression_suffix (const char *name)
     }
   return s;
 }
-