On Wed, 28 Nov 2018 at 14:32, Burton, Ross <ross.bur...@intel.com> wrote:
> https://gitlab.com/rossburton/cpio/commit/37b78fba8044411349ae791bcee98f55d4c0e442
> is an addition to the test suite which fails for me.
Consider a cpio with a single file in. I'm appending a second file to it. The first file runs through process_copy_in() and ends up in cpio_set_c_name(). buflen == 0, so c_name is malloc()'d and buflen is assigned at least 32. The second file, called "FOO", later runs through process_copy_out; cpio_set_c_name doesn't malloc as buflen != 0, and doesn't realloc as buflen > len(FOO). file_hdr->c_name remains unset, and is then the target for a memmove. Segfault.

This cpio_set_c_name looks like it was attempting to use a single buffer, but when appending to an existing archive both process_copy_in and process_copy_out have a file_hdr on the stack.

The ross branch at https://gitlab.com/rossburton/cpio/ has two hacks: one to force the file_hdr to be zeroed in process_copy_out and another to malloc if the c_name isn't set. They fix the problem for me, but I suspect a better solution would involve a bit more refactoring.

Ross
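The shared-length versus per-path header mismatch described in the mail above, as an added example (a constructed model, not cpio's own code nor the code on Ross's branch): the struct layout, the 32-byte minimum, keying the allocation on the header's own capacity, and the `replay_append` driver are all assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the bug pattern in the mail, not cpio's own code;
 * the struct, the 32-byte minimum and replay_append() are assumptions. */
struct file_hdr { char *c_name; size_t c_name_cap; };

static size_t buflen = 0;  /* one length shared by every header: the bug */
/* Buggy shape: the allocate/grow decision is keyed on the shared length.
 * Returns 0 on success, -1 where the real code would memmove into NULL. */
static int set_c_name_buggy(struct file_hdr *hdr, const char *name)
{
    size_t len = strlen(name) + 1;
    if (buflen == 0 || buflen < len) {
        buflen = len > 32 ? len : 32;
        hdr->c_name = realloc(hdr->c_name, buflen);
    }
    if (hdr->c_name == NULL) return -1;  /* fresh stack header, short name: never allocated */
    memmove(hdr->c_name, name, len);
    return 0;
}

/* Fixed shape: capacity travels with the header, so a header that never had
 * a buffer always gets one; realloc(NULL, n) behaves as malloc(n). */
static int set_c_name_fixed(struct file_hdr *hdr, const char *name)
{
    size_t len = strlen(name) + 1;
    if (hdr->c_name == NULL || hdr->c_name_cap < len) {
        size_t cap = len > 32 ? len : 32;
        char *p = realloc(hdr->c_name, cap);
        if (p == NULL) return -1;
        hdr->c_name = p;
        hdr->c_name_cap = cap;
    }
    memmove(hdr->c_name, name, len);
    return 0;
}

/* Replays the append: a copy-in header first, then a fresh copy-out header. */
int replay_append(int use_fixed)
{
    int (*set)(struct file_hdr *, const char *) = use_fixed ? set_c_name_fixed : set_c_name_buggy;
    struct file_hdr in = { 0 }, out = { 0 };
    int rc;
    buflen = 0;
    if (set(&in, "first") != 0) return -2;
    rc = set(&out, "FOO");  /* buggy: -1 (the reported crash path); fixed: 0 */
    free(in.c_name);
    free(out.c_name);
    return rc;
}
```

With the buggy shape the second header reaches the copy with `c_name` still NULL, which is exactly where the real code segfaults; with the capacity kept on the header the second file is copied normally.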