git.ipfire.org Git - thirdparty/libarchive.git/commit

author	Brian Campbell <Brian.Campbell@ed.ac.uk>
	Sat, 26 Apr 2025 04:11:19 +0000 (05:11 +0100)
committer	GitHub <noreply@github.com>
	Sat, 26 Apr 2025 04:11:19 +0000 (21:11 -0700)
commit	7c02cde37a63580cd1859183fbbd2cf04a89be85
tree	43b1675724c6b6275ba56554ed3eaf3fd09ccb6b	tree \| snapshot
parent	be8d08868c9bd9ebc2e27eeb7c3df74e4749bb91	commit \| diff

Fix overflow in build_ustar_entry (#2588)

The calculations for the suffix and prefix can increment the endpoint
for a trailing slash. Hence the limits used should be one lower than the
maximum number of bytes.

Without this patch, when this happens for both the prefix and the
suffix, we end up with 156 + 100 bytes, and the write of the null at the
end will overflow the 256 byte buffer. This can be reproduced by running
```
mkdir -p foo/bar
bsdtar cvf test.tar foo////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////bar
```
when bsdtar is compiled with Address Sanitiser, although I originally
noticed this by accident with a genuine filename on a CHERI capability
system, which faults immediately on the buffer overflow.