Mail Archives: djgpp/1998/03/15/11:36:25
> > Well, I think I still can get a stack overwrite with the latest djtar.
> > Try to "djtar -x" a file containing directories. Then "djtar -x" the
> > same file again. When djtar asks you for a new directory name give it
> > "1" as new directory name. Then "djtar -x" the same file again (again).
> > When djtar asks you for a new directory name give it "1" as new
> > directory name again, then when djtar asks you for a new directory name
> > (as 1 already existed) give it "22". Voila, crash is a fact.
>
> I cannot reproduce this crash. Please post the shortest archive that
> shows the bug. Did you use the version of `djtar' from the last alpha
> release?
Yes.
Try filling up the disk first. I wrote it from memory, so I had
forgotten that the disk was full.
> > I think I see the problem in the code but I'm not sure exactly how to
> > fix it:
> > Lines 149-150 of src/utils/djtar/djtar.c are
> > sprintf(new, "%s%s", ch->new, fname+strlen(ch->old));
> > strcpy(fname, new);
> >
> > This will make the length of new grow and grow and finally overwrite the
> > stack.
>
> As far as I can see, in all the cases where these lines execute,
> `fname' is declared as an array of dimension PATH_MAX. PATH_MAX is
> 512, so I doubt whether it could be overwritten by any reasonable-
> length file name.
Well, it's because the program loops, as it fails to create the first
directory and then the second and so forth. In the last run you only
need to give "1" and "22"; then the loop begins, making fname longer
and longer, trashing the stack after a while.
I've got a patch, but I corrected it in other parts of the code.
I'll send it soon.
Right,
MartinS
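A model of the growth described above, added here as an illustration; it is not djtar's code and not the patch MartinS mentions. The thread does not give the exact chain of rename rules that makes djtar loop, so a single self-referential rule ("1" -> "11") is assumed to stand in for it, and the unchecked variant writes into a large heap buffer rather than djtar's 512-byte stack array so the demonstration itself stays defined. The names `struct change`, `rewrite_unchecked`, `rewrite_bounded` and the `demo_*` functions are all invented for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* djtar's PATH_MAX as quoted in the thread; fname there is a stack array of this size. */
#define DJ_PATH_MAX 512

/* A rename rule: once a directory cannot be created, djtar asks for a new name and
   later rewrites any path starting with `old` to start with `new` instead. */
struct change {
    const char *old;
    const char *new;
};

/* Model of the quoted lines 149-150 (sprintf + strcpy with no length check).
   `fname` must be a large heap buffer here so the demo stays defined; in djtar it is
   a 512-byte stack array, and anything written past index 511 lands on the stack. */
static size_t rewrite_unchecked(char *fname, size_t scratch_len, const struct change *ch, int rounds)
{
    char *new = malloc(scratch_len);
    if (!new) return 0;
    for (int i = 0; i < rounds; i++) {
        if (strncmp(fname, ch->old, strlen(ch->old)) != 0) break; /* rule no longer applies */
        sprintf(new, "%s%s", ch->new, fname + strlen(ch->old));    /* no bound on `new` */
        strcpy(fname, new);                                         /* no bound on `fname` */
    }
    size_t len = strlen(fname);
    free(new);
    return len;
}

/* Hardened version: snprintf into a DJ_PATH_MAX scratch, refuse any result that would not
   fit in the caller's buffer of `cap` bytes, and cap the number of rounds so a self-referential
   rule cannot spin forever. Returns the number of rounds applied, or -1 on a would-be overflow. */
static int rewrite_bounded(char *fname, size_t cap, const struct change *ch, int max_rounds)
{
    char new[DJ_PATH_MAX];
    size_t oldlen = strlen(ch->old);
    int applied = 0;
    while (applied < max_rounds && strncmp(fname, ch->old, oldlen) == 0) {
        int n = snprintf(new, sizeof new, "%s%s", ch->new, fname + oldlen);
        if (n < 0 || (size_t)n >= sizeof new || (size_t)n >= cap)
            return -1; /* would be truncated or overflow fname: stop, copy nothing */
        memcpy(fname, new, (size_t)n + 1);
        applied++;
    }
    return applied;
}

/* Constructed rules (assumption, see lead-in): one that re-matches its own output
   and so keeps growing the name, and one that does not. */
static const struct change self_ref = { "1", "11" };
static const struct change plain    = { "1", "22" };

/* Unchecked rewrite, 600 rounds: the name grows to 605 bytes, well past djtar's 512-byte array. */
size_t demo_unchecked_len(void)
{
    char *fname = calloc(4096, 1);
    if (!fname) return 0;
    strcpy(fname, "1/dir");
    size_t len = rewrite_unchecked(fname, 4096, &self_ref, 600);
    free(fname);
    return len;
}

/* Bounded rewrite on the same rule: returns -1 before any byte past fname[511] is written. */
int demo_bounded_self_referential(void)
{
    char fname[DJ_PATH_MAX] = "1/dir";
    return rewrite_bounded(fname, sizeof fname, &self_ref, 1000);
}

/* A rule that does not re-match its own output terminates after exactly one round. */
int demo_bounded_terminating(void)
{
    char fname[DJ_PATH_MAX] = "1/dir";
    int r = rewrite_bounded(fname, sizeof fname, &plain, 1000);
    return (r == 1 && strcmp(fname, "22/dir") == 0) ? 1 : 0;
}

int main(void)
{
    printf("unchecked length after 600 rounds: %zu (djtar's buffer is %d)\n",
           demo_unchecked_len(), DJ_PATH_MAX);
    printf("bounded, self-referential rule: %d\n", demo_bounded_self_referential());
    printf("bounded, terminating rule: %d\n", demo_bounded_terminating());
    return 0;
}
```

The point of the bounded variant is not only the `snprintf`: a length check alone would still let the rewrite loop spin, so the round cap is what turns a "disk full, try again" situation into a clean failure instead of a hang or a smashed stack.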