Mail Archives: djgpp/1998/03/12/14:46:02

From: Martin DOT Stromberg AT lu DOT erisoft DOT se (Martin Stromberg)
Newsgroups: comp.os.msdos.djgpp
Subject: Re: Where to get the latest sources for djtar
Date: 12 Mar 1998 15:47:06 GMT
Organization: Ericsson Erisoft AB, Sweden
Lines: 35
Message-ID: <6e901q$qpp$1@antares.lu.erisoft.se>
References: <Pine DOT SUN DOT 3 DOT 91 DOT 980308140845 DOT 22686Y-100000 AT is>
NNTP-Posting-Host: propus.lu.erisoft.se
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp

Eli Zaretskii (eliz AT is DOT elta DOT co DOT il) wrote:

: On 6 Mar 1998, Martin Stromberg wrote:

: > Two error conditions, with (at least two) consequences: ungraceful
: > handling of the error conditions disk full and too deep directory 
: > nesting, which result in endless loop or stack overwrite.

: The second bug is to the best of my knowledge fixed in the latest
: alpha version (you didn't specify the problem precisely, so I can only
: guess).  But the first bug is not fixed yet; so please submit the
: necessary changes.  Thanks.

Well, I think I still can get a stack overwrite with the latest djtar.
Try to "djtar -x" a file containing directories. Then "djtar -x" the
same file again. When djtar asks you for a new directory name give it
"1" as new directory name. Then "djtar -x" the same file again (again).
When djtar asks you for a new directory name give it "1" as new 
directory name again, then when djtar asks you for a new directory name
(as 1 already existed) give it "22". Voila, crash is a fact.

I think I see the problem in the code but I'm not sure exactly how to 
fix it:
Lines 149-150 of src/utils/djtar/djtar.c are
      sprintf(new, "%s%s", ch->new, fname+strlen(ch->old));
      strcpy(fname, new);

This will make the length of new grow and grow and finally overwrite the
stack.


Any ideas?

							MartinS
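
An added example, not part of the original post or of djtar's source: one way to bound the prefix rewrite that lines 149-150 perform, using C99 `snprintf` and refusing the rename when the result does not fit. The `struct change` layout, the `NAME_MAX_LEN` size and the `rewrite_prefix` helper are assumptions made for illustration; only the field names `old` and `new` come from the quoted lines.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for djtar's rename record; only the field names
   `old` and `new` come from the quoted lines, the sizes are assumed. */
#define NAME_MAX_LEN 16   /* deliberately small so the limit is easy to hit */

struct change {
    char old[NAME_MAX_LEN];   /* directory prefix as stored in the archive */
    char new[NAME_MAX_LEN];   /* replacement prefix typed by the user */
};

/* Rewrite the leading `old` prefix of fname to `new`, in place.
   fname_size is the full size of the fname buffer.
   Returns 0 on success, -1 if fname does not start with `old` or if the
   rewritten name would not fit; fname is left untouched on failure. */
int rewrite_prefix(const struct change *ch, char *fname, size_t fname_size)
{
    char tmp[NAME_MAX_LEN * 2];
    size_t old_len = strlen(ch->old);
    int n;

    /* fname + old_len is only meaningful if fname really has that prefix */
    if (strncmp(fname, ch->old, old_len) != 0)
        return -1;

    /* snprintf never writes past tmp and reports the length it needed */
    n = snprintf(tmp, sizeof tmp, "%s%s", ch->new, fname + old_len);
    if (n < 0 || (size_t)n >= sizeof tmp || (size_t)n >= fname_size)
        return -1;

    memcpy(fname, tmp, (size_t)n + 1);   /* includes the terminating NUL */
    return 0;
}

int main(void)
{
    struct change ch = { "dir", "22" };          /* constructed sample input */
    char fname[NAME_MAX_LEN] = "dir/file.txt";

    if (rewrite_prefix(&ch, fname, sizeof fname) == 0)
        printf("renamed to %s\n", fname);
    return 0;
}
```

A caller that gets -1 can ask for a different directory name again instead of continuing with a truncated or overflowing path.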
