The calculations for the suffix and prefix can increment the endpoint
for a trailing slash. Hence the limits used should be one lower than the
maximum number of bytes.
Without this patch, when this happens for both the prefix and the
suffix, we end up with 156 + 100 bytes, and the write of the null at the
end will overflow the 256 byte buffer. This can be reproduced by running
```
mkdir -p foo/bar
bsdtar cvf test.tar foo////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////bar
```
when bsdtar is compiled with Address Sanitiser, although I originally
noticed this by accident with a genuine filename on a CHERI capability
system, which faults immediately on the buffer overflow.
const char *filename, *filename_end;
char *p;
int need_slash = 0; /* Was there a trailing slash? */
- size_t suffix_length = 99;
+ size_t suffix_length = 98; /* 99 - 1 for trailing slash */
size_t insert_length;
/* Length of additional dir element to be added. */
/* Step 2: Locate the "prefix" section of the dirname, including
* trailing '/'. */
prefix = src;
- prefix_end = prefix + 155;
+ prefix_end = prefix + 154 /* 155 - 1 for trailing / */;
if (prefix_end > filename)
prefix_end = filename;
while (prefix_end > prefix && *prefix_end != '/')
projects / thirdparty / libarchive.git / commitdiff
