bug-tar

delete.c flush_file() adds file size to current_blocks w/o sanity check


From: rtm
Subject: delete.c flush_file() adds file size to current_blocks w/o sanity check
Date: Sat, 02 Mar 2024 16:30:56 -0500

In gnu tar delete.c's flush_file():

  blocks_to_skip = (current_stat_info.stat.st_size
                          + BLOCKSIZE - 1) / BLOCKSIZE;
  ...;
  current_block += blocks_to_skip;

can cause current_block to point beyond the end of the buffer if the
claimed file size is too big.

I've attached a demo tar image:

# tar --version
tar (GNU tar) 1.35
# tar tvf gtar13c.tar
?rwxr-xr-x rtm/wheel         0 2024-02-29 09:32 ./ unknown file type â
?rw-r--r-- rtm/wheel 536870904 2023-02-11 12:28 ./a unknown file type â
# tar -f gtar13c.tar --delete ./a
Segmentation fault (core dumped)

Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
0x0000000000364ecc in read_header (return_block=0x4dbd70 <current_header>, 
    info=0x4dc340 <current_stat_info>, mode=read_header_auto) at list.c:442
442           if (header->header.typeflag == LNKTYPE)
(gdb) where
#0  0x0000000000364ecc in read_header (return_block=0x4dbd70 <current_header>, 
    info=0x4dc340 <current_stat_info>, mode=read_header_auto) at list.c:442
#1  0x0000000000355862 in delete_archive_members () at delete.c:269
#2  0x0000000000375320 in main (argc=7, argv=0x7fffffffe798) at tar.c:2814

Robert Morris
rtm@csail.mit.edu

Attachment: gtar13c.tar
Description: archive/tar
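
The missing check described in the report, as an added example (not part of the original message and not GNU tar's code). It models the archive buffer as a hypothetical struct record with a block cursor, and skip_member is an illustrative name. The cursor moves only when the size claimed in the header fits in the blocks actually present.

```c
#include <stdint.h>
#include <stdio.h>

#define BLOCKSIZE 512

/* Hypothetical model of the in-memory archive buffer: `nblocks` blocks,
   with `cur` the index of the next unread block (0 <= cur <= nblocks). */
struct record { size_t nblocks; size_t cur; };

/* Advance past a member whose header claims `size` bytes of data.
   Returns 0 on success, or -1 if the claim is negative, would overflow
   the round-up, or needs more blocks than the buffer still holds.
   On failure the cursor is left where it was. */
int skip_member(struct record *r, int64_t size)
{
    if (size < 0 || size > INT64_MAX - (BLOCKSIZE - 1))
        return -1;
    uint64_t need = ((uint64_t)size + BLOCKSIZE - 1) / BLOCKSIZE;
    uint64_t avail = r->nblocks - r->cur;
    if (need > avail)
        return -1;              /* header size exceeds the data present */
    r->cur += (size_t)need;
    return 0;
}

int main(void)
{
    /* Constructed input: a 20-block buffer with the cursor after two
       headers, and the 536870904-byte size from the listing above. */
    struct record r = { 20, 2 };
    int rc = skip_member(&r, 536870904);
    printf("claimed 536870904: rc=%d cur=%zu\n", rc, r.cur);
    rc = skip_member(&r, 1000);
    printf("claimed 1000:      rc=%d cur=%zu\n", rc, r.cur);
    return 0;
}
```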

