Thanks to Krzysztof Kotlenga <pocek@users.sf.net>:
authorticktock35 <ticktock35@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358>
Wed, 4 Mar 2009 00:59:35 +0000 (00:59 +0000)
committerticktock35 <ticktock35@e8e0d7a0-c8d9-11dd-a880-a1081c7ac358>
Wed, 4 Mar 2009 00:59:35 +0000 (00:59 +0000)
 Frans Meulenbroeks wrote:

> Anyway, appending the 0 byte is no good as tar_entry->name[100] is
> already out of bounds.

http://tiny.cc/964UD looks good enough. It's interesting that we have
to trace bugs already fixed upstream years ago.

http://lists.linuxtogo.org/pipermail/openembedded-devel/2009-March/008510.html

git-svn-id: http://opkg.googlecode.com/svn/trunk@203 e8e0d7a0-c8d9-11dd-a880-a1081c7ac358

libbb/unarchive.c

index 24877e7..84a3b6a 100644 (file)
@@ -600,15 +600,15 @@ file_header_t *get_header_tar(FILE *tar_stream)
                 linkname = NULL;
         } else
 #endif
-        if (tar.formated.prefix[0] == 0) {
-                tar_entry->name = strdup(tar.formated.name);
-        } else {                                              
-                tar_entry->name = concat_path_file(tar.formated.prefix, tar.formated.name);
-        }
+        {
+                tar_entry->name = xstrndup(tar.formated.name, 100);
 
-       if (strlen(tar_entry->name) > 100) {
-               tar_entry->name[100] = 0;
-       }
+                if (tar.formated.prefix[0]) {
+                        char *temp = tar_entry->name;
+                        tar_entry->name = concat_path_file(tar.formated.prefix, temp);
+                        free(temp);
+                }
+        }
 
        // tar_entry->name = xstrdup(tar.formated.name);