bug-gnu-utils
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: sharutils 4.5: Fix memory corruption with "shar ."

From: Bruce Korb
Subject: Re: sharutils 4.5: Fix memory corruption with "shar ."
Date: Wed, 10 Aug 2005 09:50:23 -0700
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) 
Hi Andreas,

*sigh*  What's triggered all the interest in this thing lately?

Anyway, it's seems unclear how this writes past allocated memory,
assuming that "restore_name_length" must be >= 2 before reaching
this code and assuming the allocation is >= restore_name_length+1.
(The code is not in front of me.)  Also, what is "walkdown" going
to do with an empty string?  Anything valid?

Thx - Bruce

Andreas Schwab wrote:

Don't write beyond the bounds of the allocated memory.

Andreas.

2005-08-10  Andreas Schwab  <address@hidden>

        * shar.c (walkdown): Don't let restore_name_length become
        negative.

--- src/shar.c
+++ src/shar.c
@@ -382,14 +382,9 @@
        /* Avoid restoring `./xxx' when shar'ing `.'.  */
if (!strncmp (restore_name_copy, "./", 2)) 
-         {
-           const char *rp = restore_name_copy + 2;
-           char *wp = restore_name_copy;
-           while ((*wp++ = *rp++));
-           restore_name_length -= 2;
-         }
-
-       status = walkdown (routine, local_name_copy, restore_name_copy);
+         status = walkdown (routine, local_name_copy, restore_name_copy + 2);
+       else
+         status = walkdown (routine, local_name_copy, restore_name_copy);
       }
/* Clean up. */
reply via email to
[Prev in Thread] Current Thread [Next in Thread]