Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.5:Update
cpio.32283
fix-CVE-2021-38185.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File fix-CVE-2021-38185.patch of Package cpio.32283
From dd96882877721703e19272fe25034560b794061b Mon Sep 17 00:00:00 2001 From: Sergey Poznyakoff <gray@gnu.org> Date: Sat, 7 Aug 2021 12:52:21 +0300 Subject: Rewrite dynamic string support. * src/dstring.c (ds_init): Take a single argument. (ds_free): New function. (ds_resize): Take a single argument. Use x2nrealloc to expand the storage. (ds_reset,ds_append,ds_concat,ds_endswith): New function. (ds_fgetstr): Rewrite. In particular, this fixes integer overflow. * src/dstring.h (dynamic_string): Keep both the allocated length (ds_size) and index of the next free byte in the string (ds_idx). (ds_init,ds_resize): Change signature. (ds_len): New macro. (ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos. * src/copyin.c: Use new ds_ functions. * src/copyout.c: Likewise. * src/copypass.c: Likewise. * src/util.c: Likewise. --- src/copyin.c | 40 +++++++++++++------------- src/copyout.c | 16 ++++------- src/copypass.c | 34 +++++++++++------------ src/dstring.c | 88 ++++++++++++++++++++++++++++++++++++++++++---------------- src/dstring.h | 31 ++++++++++----------- src/util.c | 6 ++-- 6 files changed, 123 insertions(+), 92 deletions(-) Index: cpio-2.12/src/copyin.c =================================================================== --- cpio-2.12.orig/src/copyin.c +++ cpio-2.12/src/copyin.c @@ -55,11 +55,12 @@ query_rename(struct cpio_file_stat* file char *str_res; /* Result for string function. */ static dynamic_string new_name; /* New file name for rename option. */ static int initialized_new_name = false; + if (!initialized_new_name) - { - ds_init (&new_name, 128); - initialized_new_name = true; - } + { + ds_init (&new_name); + initialized_new_name = true; + } if (rename_flag) { @@ -897,21 +898,20 @@ print_name_with_quoting (register char * already in `save_patterns' (from the command line) are preserved. */ static void -read_pattern_file () +read_pattern_file (void) { - int max_new_patterns; - char **new_save_patterns; - int new_num_patterns; + char **new_save_patterns = NULL; + size_t max_new_patterns; + size_t new_num_patterns; int i; - dynamic_string pattern_name; + dynamic_string pattern_name = DYNAMIC_STRING_INITIALIZER; FILE *pattern_fp; if (num_patterns < 0) num_patterns = 0; - max_new_patterns = 1 + num_patterns; - new_save_patterns = (char **) xmalloc (max_new_patterns * sizeof (char *)); new_num_patterns = num_patterns; - ds_init (&pattern_name, 128); + max_new_patterns = num_patterns; + new_save_patterns = xcalloc (max_new_patterns, sizeof (new_save_patterns[0])); pattern_fp = fopen (pattern_file_name, "r"); if (pattern_fp == NULL) @@ -920,16 +920,16 @@ read_pattern_file () { while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL) { - if (new_num_patterns >= max_new_patterns) - { - max_new_patterns += 1; - new_save_patterns = (char **) - xrealloc ((char *) new_save_patterns, - max_new_patterns * sizeof (char *)); - } + if (new_num_patterns == max_new_patterns) + new_save_patterns = x2nrealloc (new_save_patterns, + &max_new_patterns, + sizeof (new_save_patterns[0])); new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string); ++new_num_patterns; } + + ds_free (&pattern_name); + if (ferror (pattern_fp) || fclose (pattern_fp) == EOF) close_error (pattern_file_name); } Index: cpio-2.12/src/copyout.c =================================================================== --- cpio-2.12.orig/src/copyout.c +++ cpio-2.12/src/copyout.c @@ -594,9 +594,10 @@ assign_string (char **pvar, char *value) The format of the header depends on the compatibility (-c) flag. */ void -process_copy_out () +process_copy_out (void) { - dynamic_string input_name; /* Name of file read from stdin. */ + dynamic_string input_name = DYNAMIC_STRING_INITIALIZER; + /* Name of file read from stdin. */ struct stat file_stat; /* Stat record for file. */ struct cpio_file_stat file_hdr; /* Output header information. */ int in_file_des; /* Source file descriptor. */ @@ -604,7 +605,6 @@ process_copy_out () char *orig_file_name = NULL; /* Initialize the copy out. */ - ds_init (&input_name, 128); file_hdr.c_magic = 070707; /* Check whether the output file might be a tape. */ @@ -656,14 +656,9 @@ process_copy_out () { if (file_hdr.c_mode & CP_IFDIR) { - int len = strlen (input_name.ds_string); /* Make sure the name ends with a slash */ - if (input_name.ds_string[len-1] != '/') - { - ds_resize (&input_name, len + 2); - input_name.ds_string[len] = '/'; - input_name.ds_string[len+1] = 0; - } + if (!ds_endswith (&input_name, '/')) + ds_append (&input_name, '/'); } } @@ -896,6 +891,7 @@ process_copy_out () ngettext ("%lu block\n", "%lu blocks\n", (unsigned long) blocks), (unsigned long) blocks); } + ds_free (&input_name); } Index: cpio-2.12/src/copypass.c =================================================================== --- cpio-2.12.orig/src/copypass.c +++ cpio-2.12/src/copypass.c @@ -48,10 +48,12 @@ set_copypass_perms (int fd, const char * If `link_flag', link instead of copying. */ void -process_copy_pass () +process_copy_pass (void) { - dynamic_string input_name; /* Name of file from stdin. */ - dynamic_string output_name; /* Name of new file. */ + dynamic_string input_name = DYNAMIC_STRING_INITIALIZER; + /* Name of file from stdin. */ + dynamic_string output_name = DYNAMIC_STRING_INITIALIZER; + /* Name of new file. */ size_t dirname_len; /* Length of `directory_name'. */ int res; /* Result of functions. */ char *slash; /* For moving past slashes in input name. */ @@ -69,29 +71,22 @@ process_copy_pass () created files */ /* Initialize the copy pass. */ - ds_init (&input_name, 128); - + dirname_len = strlen (directory_name); if (change_directory_option && !ISSLASH (directory_name[0])) { char *pwd = xgetcwd (); - dirname_len += strlen (pwd) + 1; - ds_init (&output_name, dirname_len + 2); - strcpy (output_name.ds_string, pwd); - strcat (output_name.ds_string, "/"); - strcat (output_name.ds_string, directory_name); + ds_concat (&output_name, pwd); + ds_append (&output_name, '/'); } - else - { - ds_init (&output_name, dirname_len + 2); - strcpy (output_name.ds_string, directory_name); - } - output_name.ds_string[dirname_len] = '/'; + ds_concat (&output_name, directory_name); + ds_append (&output_name, '/'); + dirname_len = ds_len (&output_name); output_is_seekable = true; change_dir (); - + /* Copy files with names read from stdin. */ while (ds_fgetstr (stdin, &input_name, name_end) != NULL) { @@ -127,8 +122,8 @@ process_copy_pass () keep track of which directories in a path are "hidden". */ slash = add_cdf_double_slashes (slash); #endif - ds_resize (&output_name, dirname_len + strlen (slash) + 2); - strcpy (output_name.ds_string + dirname_len + 1, slash); + ds_reset (&output_name, dirname_len); + ds_concat (&output_name, slash); existing_dir = false; if (lstat (output_name.ds_string, &out_file_stat) == 0) @@ -166,12 +161,12 @@ process_copy_pass () /* User said to link it if possible. Try and link to the original copy. If that fails we'll still try and link to a copy we've already made. */ - link_res = link_to_name (output_name.ds_string, + link_res = link_to_name (output_name.ds_string, input_name.ds_string); if ( (link_res < 0) && (in_file_stat.st_nlink > 1) ) - link_res = link_to_maj_min_ino (output_name.ds_string, - major (in_file_stat.st_dev), - minor (in_file_stat.st_dev), + link_res = link_to_maj_min_ino (output_name.ds_string, + major (in_file_stat.st_dev), + minor (in_file_stat.st_dev), in_file_stat.st_ino); /* If the file was not linked, copy contents of file. */ @@ -201,7 +196,7 @@ process_copy_pass () copy_files_disk_to_disk (in_file_des, out_file_des, in_file_stat.st_size, input_name.ds_string); disk_empty_output_buffer (out_file_des, true); - + set_copypass_perms (out_file_des, output_name.ds_string, &in_file_stat); @@ -215,7 +210,7 @@ process_copy_pass () output_name.ds_string, in_file_stat.st_atime, in_file_stat.st_mtime); - } + } if (close (in_file_des) < 0) close_error (input_name.ds_string); @@ -230,7 +225,7 @@ process_copy_pass () else if (S_ISDIR (in_file_stat.st_mode)) { struct cpio_file_stat file_stat; - + stat_to_cpio (&file_stat, &in_file_stat); file_stat.c_name = output_name.ds_string; cpio_create_dir (&file_stat, existing_dir); @@ -249,10 +244,10 @@ process_copy_pass () Set link_name to the original file name. */ if (link_flag) /* User said to link it if possible. */ - link_res = link_to_name (output_name.ds_string, + link_res = link_to_name (output_name.ds_string, input_name.ds_string); if ( (link_res < 0) && (in_file_stat.st_nlink > 1) ) - link_res = link_to_maj_min_ino (output_name.ds_string, + link_res = link_to_maj_min_ino (output_name.ds_string, major (in_file_stat.st_dev), minor (in_file_stat.st_dev), in_file_stat.st_ino); @@ -335,7 +330,7 @@ process_copy_pass () fputc ('\n', stderr); apply_delayed_set_stat (); - + if (!quiet_flag) { size_t blocks = (output_bytes + io_block_size - 1) / io_block_size; @@ -344,9 +339,12 @@ process_copy_pass () (unsigned long) blocks), (unsigned long) blocks); } + + ds_free (&input_name); + ds_free (&output_name); } -/* Try and create a hard link from FILE_NAME to another file +/* Try and create a hard link from FILE_NAME to another file with the given major/minor device number and inode. If no other file with the same major/minor/inode numbers is known, add this file to the list of known files and associated major/minor/inode numbers @@ -375,7 +373,7 @@ link_to_maj_min_ino (char *file_name, in } /* Try and create a hard link from LINK_NAME to LINK_TARGET. If - `create_dir_flag' is set, any non-existent (parent) directories + `create_dir_flag' is set, any non-existent (parent) directories needed by LINK_NAME will be created. If the link is successfully created and `verbose_flag' is set, print "LINK_TARGET linked to LINK_NAME\n". If the link can not be created and `link_flag' is set, print Index: cpio-2.12/src/dstring.c =================================================================== --- cpio-2.12.orig/src/dstring.c +++ cpio-2.12/src/dstring.c @@ -20,8 +20,8 @@ #if defined(HAVE_CONFIG_H) # include <config.h> #endif - #include <stdio.h> +#include <stdlib.h> #if defined(HAVE_STRING_H) || defined(STDC_HEADERS) #include <string.h> #else @@ -31,28 +31,46 @@ char *xmalloc (unsigned n); char *xrealloc (char *p, unsigned n); +char *x2nrealloc (void *p, size_t *pn, size_t s); /* Initialiaze dynamic string STRING with space for SIZE characters. */ void -ds_init (dynamic_string *string, int size) +ds_init (dynamic_string *string) +{ + memset (string, 0, sizeof *string); +} + +/* Free the dynamic string storage. */ + +void +ds_free (dynamic_string *string) { - string->ds_length = size; - string->ds_string = (char *) xmalloc (size); + free (string->ds_string); } -/* Expand dynamic string STRING, if necessary, to hold SIZE characters. */ +/* Expand dynamic string STRING, if necessary. */ void -ds_resize (dynamic_string *string, int size) +ds_resize (dynamic_string *string) { - if (size > string->ds_length) + if (string->ds_idx == string->ds_size) { - string->ds_length = size; - string->ds_string = (char *) xrealloc ((char *) string->ds_string, size); + string->ds_string = x2nrealloc (string->ds_string, &string->ds_size, + 1); } } +/* Reset the index of the dynamic string S to LEN. */ + +void +ds_reset (dynamic_string *s, size_t len) +{ + while (len > s->ds_size) + ds_resize (s); + s->ds_idx = len; +} + /* Dynamic string S gets a string terminated by the EOS character (which is removed) from file F. S will increase in size during the function if the string from F is longer than @@ -63,34 +81,50 @@ ds_resize (dynamic_string *string, int s char * ds_fgetstr (FILE *f, dynamic_string *s, char eos) { - int insize; /* Amount needed for line. */ - int strsize; /* Amount allocated for S. */ int next_ch; /* Initialize. */ - insize = 0; - strsize = s->ds_length; + s->ds_idx = 0; /* Read the input string. */ - next_ch = getc (f); - while (next_ch != eos && next_ch != EOF) + while ((next_ch = getc (f)) != eos && next_ch != EOF) { - if (insize >= strsize - 1) - { - ds_resize (s, strsize * 2 + 2); - strsize = s->ds_length; - } - s->ds_string[insize++] = next_ch; - next_ch = getc (f); + ds_resize (s); + s->ds_string[s->ds_idx++] = next_ch; } - s->ds_string[insize++] = '\0'; + ds_resize (s); + s->ds_string[s->ds_idx] = '\0'; - if (insize == 1 && next_ch == EOF) + if (s->ds_idx == 0 && next_ch == EOF) return NULL; else return s->ds_string; } +void +ds_append (dynamic_string *s, int c) +{ + ds_resize (s); + s->ds_string[s->ds_idx] = c; + if (c) + { + s->ds_idx++; + ds_resize (s); + s->ds_string[s->ds_idx] = 0; + } +} + +void +ds_concat (dynamic_string *s, char const *str) +{ + size_t len = strlen (str); + while (len + 1 > s->ds_size) + ds_resize (s); + memcpy (s->ds_string + s->ds_idx, str, len); + s->ds_idx += len; + s->ds_string[s->ds_idx] = 0; +} + char * ds_fgets (FILE *f, dynamic_string *s) { @@ -102,3 +136,10 @@ ds_fgetname (FILE *f, dynamic_string *s) { return ds_fgetstr (f, s, '\0'); } + +/* Return true if the dynamic string S ends with character C. */ +int +ds_endswith (dynamic_string *s, int c) +{ + return (s->ds_idx > 0 && s->ds_string[s->ds_idx - 1] == c); +} Index: cpio-2.12/src/dstring.h =================================================================== --- cpio-2.12.orig/src/dstring.h +++ cpio-2.12/src/dstring.h @@ -17,10 +17,6 @@ Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#ifndef NULL -#define NULL 0 -#endif - /* A dynamic string consists of record that records the size of an allocated string and the pointer to that string. The actual string is a normal zero byte terminated string that can be used with the @@ -30,22 +26,25 @@ typedef struct { - int ds_length; /* Actual amount of storage allocated. */ - char *ds_string; /* String. */ + size_t ds_size; /* Actual amount of storage allocated. */ + size_t ds_idx; /* Index of the next free byte in the string. */ + char *ds_string; /* String storage. */ } dynamic_string; +#define DYNAMIC_STRING_INITIALIZER { 0, 0, NULL } -/* Macros that look similar to the original string functions. - WARNING: These macros work only on pointers to dynamic string records. - If used with a real record, an "&" must be used to get the pointer. */ -#define ds_strlen(s) strlen ((s)->ds_string) -#define ds_strcmp(s1, s2) strcmp ((s1)->ds_string, (s2)->ds_string) -#define ds_strncmp(s1, s2, n) strncmp ((s1)->ds_string, (s2)->ds_string, n) -#define ds_index(s, c) index ((s)->ds_string, c) -#define ds_rindex(s, c) rindex ((s)->ds_string, c) +void ds_init (dynamic_string *string); +void ds_free (dynamic_string *string); +void ds_reset (dynamic_string *s, size_t len); -void ds_init (dynamic_string *string, int size); -void ds_resize (dynamic_string *string, int size); +/* All functions below guarantee that s->ds_string[s->ds_idx] == '\0' */ char *ds_fgetname (FILE *f, dynamic_string *s); char *ds_fgets (FILE *f, dynamic_string *s); char *ds_fgetstr (FILE *f, dynamic_string *s, char eos); +void ds_append (dynamic_string *s, int c); +void ds_concat (dynamic_string *s, char const *str); + +#define ds_len(s) ((s)->ds_idx) + +int ds_endswith (dynamic_string *s, int c); + Index: cpio-2.12/src/util.c =================================================================== --- cpio-2.12.orig/src/util.c +++ cpio-2.12/src/util.c @@ -908,11 +908,9 @@ get_next_reel (int tape_des) FILE *tty_out; /* File for interacting with user. */ int old_tape_des; char *next_archive_name; - dynamic_string new_name; + dynamic_string new_name = DYNAMIC_STRING_INITIALIZER; char *str_res; - ds_init (&new_name, 128); - /* Open files for interactive communication. */ tty_in = fopen (TTY_NAME, "r"); if (tty_in == NULL) @@ -987,7 +985,7 @@ get_next_reel (int tape_des) error (PAXEXIT_FAILURE, 0, _("internal error: tape descriptor changed from %d to %d"), old_tape_des, tape_des); - free (new_name.ds_string); + ds_free (&new_name); fclose (tty_in); fclose (tty_out); }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
