Date:      Sat, 21 Aug 2004 10:19:25 -0700
From:      Tim Kientzle <kientzle@freebsd.org>
To:        Sean McNeil <sean@mcneil.com>
Cc:        freebsd-current@freebsd.org
Subject:   Re: bsdtar core dumps
Message-ID:  <4127841D.6050104@freebsd.org>
In-Reply-To: <1092951447.1167.12.camel@server.mcneil.com>
References:  <1092777586.92327.9.camel@server.mcneil.com> <20040817213813.GE3827@gothmog.gr> <1092951447.1167.12.camel@server.mcneil.com>


Sean McNeil wrote:
>>>
>>>I just tried to unarchive a file that didn't exist and got a core dump:
> 
> Here is a backtrace of the error:
> 
> #0  0x0000000200926d7e in __vfprintf (fp=0x7fffffffe360,
>     fmt0=0x4161d9 "Failed to open '%s'", ap=0x7fffffffe640)
>     at /usr/src/lib/libc/stdio/vfprintf.c:1052
> #1  0x00000002008c4006 in vsnprintf (str=0x32 <Address 0x32 out of bounds>,
>     n=4284889, fmt=0x4161d9 "Failed to open '%s'", ap=0x7fffffffe640)
>     at /usr/src/lib/libc/stdio/vsnprintf.c:75
> #2  0x0000000000411478 in __archive_string_vsprintf (as=0x520240,
>     fmt=0x4161d9 "Failed to open '%s'", ap=0x7fffffffe640)
>     at /usr/src/lib/libarchive/archive_string_sprintf.c:60
> 
> Could be a compiler bug I suppose, but more likely I think it is this
> code:
> 
> 	if (n == 0) {
> 		if (on > 0)
> 			*str = '\0';
> 		str = dummy;
> 		n = 1;
> 	}
> 
> in vsnprintf.c::vsnprintf.

The code you've pointed to above concerns
me because of the part about:
     if (n == 0) {
           ...
           n = 1;
     }
That ain't right:  If I told vsnprintf the buffer
size was zero, it should treat it as such.  If I
meant "one", I would have said "one."

On the other hand, the vsnprintf.3 man page
does explicitly state that "the output is always
null-terminated," which would preclude passing
a zero-length buffer, which is exactly what
libarchive is doing in this situation.  It is
bogus, but at least it's documented bogosity. ;-)

Please try the attached patch to libarchive/archive_string_sprintf.c
and let me know if it works for you.  It simply
forces the target buffer to be allocated and thereby
avoids calling vsnprintf with a NULL buffer.

Tim Kientzle

[Attachment: archive_string_sprintf.c.diff]

Index: archive_string_sprintf.c
===================================================================
RCS file: /home/ncvs/src/lib/libarchive/archive_string_sprintf.c,v
retrieving revision 1.4
diff -u -r1.4 archive_string_sprintf.c
--- archive_string_sprintf.c	14 Aug 2004 03:45:45 -0000	1.4
+++ archive_string_sprintf.c	21 Aug 2004 17:02:49 -0000
@@ -48,6 +48,9 @@
 {
 	size_t l;
 
+	/* Make sure the target area is initialized. */
+	__archive_string_ensure(as, 64);
+
 	if (fmt == NULL) {
 		as->s[0] = 0;
 		return;
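Review bot: the new `__archive_string_ensure(as, 64)` call is made unconditionally before the `fmt == NULL` branch, which is what makes the `as->s[0] = 0` write on that branch safe, but its result is discarded; if the helper can fail to allocate, that write still dereferences an unallocated `as->s`, so either check its return value or note in the comment that it cannot fail. The literal 64 would also benefit from a short justification or a named constant, since "Make sure the target area is initialized" explains what the call does but not why that initial size was chosen.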

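As an added example (my code, not libarchive's and not the patch above), one way to write a growable-string vsprintf so that it never hands vsnprintf an unallocated buffer: the hypothetical `astring` type mirrors the `as->s` shape of libarchive's archive_string with assumed field names, and the sizing pass relies on the C99 `vsnprintf(NULL, 0, ...)` contract rather than on how any particular libc treats a zero-length buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string like libarchive's archive_string; s is NULL until first use. */
struct astring { char *s; size_t length; size_t buffer_length; };

/* Grow so at least `need` bytes (NUL included) fit; 0 on success, -1 on failure. */
static int astring_ensure(struct astring *as, size_t need)
{
    if (as->s != NULL && as->buffer_length >= need)
        return 0;
    size_t newlen = as->buffer_length ? as->buffer_length : 64;
    while (newlen < need)
        newlen *= 2;
    char *p = realloc(as->s, newlen);
    if (p == NULL)
        return -1;
    as->s = p;
    as->buffer_length = newlen;
    return 0;
}

/* Format into `as`, growing it first.  The sizing pass uses (NULL, 0), which
 * C99 defines as "return the required length, write nothing", so an
 * unallocated string is never handed to vsnprintf as if it were a buffer. */
static int astring_vsprintf(struct astring *as, const char *fmt, va_list ap)
{
    va_list ap2;
    va_copy(ap2, ap);                  /* each vsnprintf pass consumes a va_list */
    int l = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    if (l < 0 || astring_ensure(as, (size_t)l + 1) != 0) {
        as->length = 0;                /* formatting or allocation failed */
        return -1;
    }
    vsnprintf(as->s, as->buffer_length, fmt, ap);   /* now guaranteed to fit */
    as->length = (size_t)l;
    return l;
}

static int astring_sprintf(struct astring *as, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = astring_vsprintf(as, fmt, ap);
    va_end(ap);
    return r;
}
```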