From: "Bjoern Koenig" <bkoenig@cs.tu-berlin.de>
To: "FreeBSD gnats submit"
Cc: kientzle@FreeBSD.org
Date: Sat, 2 Jul 2005 01:15:37 +0200
Message-Id: <1120259737.0@hoppel.local>
Subject: bin/82878: A bunch of bugs in archive_read_data of libarchive

>Number:         82878
>Category:       bin
>Synopsis:       A bunch of bugs in archive_read_data of libarchive
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 01 23:20:18 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Bjoern Koenig
>Release:        FreeBSD 5.4-RELEASE-p2 i386
>Organization:
>Environment:
>Description:

There is a bunch of bugs in the function archive_read_data of libarchive that prevent tar from working correctly when you use the @filename statement of tar (see the how-to-repeat section). I refer to src/lib/libarchive/archive_read.c of HEAD:

line 367f: The return value is a size_t, therefore there is no point in returning a code. Zero might be suitable, or -1 to indicate an error.

line 371: This condition is always false, because if read_data_offset is increased in the else branch then read_data_output_offset is increased by the same value. There is no other point in the while loop where these variables are changed -- nothing will be filled with zeros. Is this intended and for future purposes?

line 385: The beginning of the whole block is always copied. For example, if we have 8192 bytes at first and the whole block has a length of 10240 bytes, then there are 2048 remaining bytes. The function returns and most likely it will be called twice to get the remaining bytes, but at this point memcpy would copy the wrong bytes - the first bytes of the block again.

line 395: same as 365f.

>How-To-Repeat:

This small script demonstrates that archive_read_data doesn't work correctly. The diff command should return nothing.

--- schnipp ---
#!/bin/sh
test -f sys.tar || tar -cf sys.tar /usr/src/sys/i386
test -f newsys.tar && rm newsys.tar
tar -cf newsys.tar @sys.tar
tar -xf newsys.tar
diff -r usr/src/sys/i386 /usr/src/sys/i386
--- schnapp ---

>Fix:

I tried to make a fix, but I had no success. It seems that there are still more bugs than I enumerated.

>Release-Note:
>Audit-Trail:
>Unformatted:
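The "line 385" observation above, modelled as an added C example (constructed for this write-up; it is neither libarchive's code nor the submitter's): a 10240-byte block is drained into an 8192-byte caller buffer, once with a copy that restarts at the beginning of the block on every call and once with the copy resumed at the already-consumed offset. The struct, function names and byte pattern are assumptions of the model.

```c
#include <stddef.h>
#include <string.h>
#define BLOCK_LEN  10240u  /* whole-block length from the report */
#define CALLER_LEN 8192u   /* caller's buffer, smaller than the block */

/* Constructed stand-in for the reader state once a block has been fetched. */
struct rd_state {
    const unsigned char *block; /* current block from the format handler */
    size_t remaining;           /* bytes not yet handed to the caller */
    size_t consumed;            /* bytes already handed out */
};

/* Defective shape: every call copies from the start of the block, so the
 * follow-up call for the 2048 leftover bytes re-delivers the first 2048. */
size_t read_data_restart(struct rd_state *st, void *dest, size_t len)
{
    size_t n = st->remaining < len ? st->remaining : len;
    memcpy(dest, st->block, n);               /* st->consumed is ignored */
    st->remaining -= n;
    st->consumed += n;
    return n;
}

/* Corrected shape: resume the copy where the previous call stopped. */
size_t read_data_resume(struct rd_state *st, void *dest, size_t len)
{
    size_t n = st->remaining < len ? st->remaining : len;
    memcpy(dest, st->block + st->consumed, n);
    st->remaining -= n;
    st->consumed += n;
    return n;
}
typedef size_t (*read_fn)(struct rd_state *, void *, size_t);

/* Drains one block through repeated CALLER_LEN-sized calls and returns how
 * many delivered bytes differ from the block; 0 means a clean round trip. */
size_t count_mismatches(read_fn fn)
{
    static unsigned char block[BLOCK_LEN], out[BLOCK_LEN];
    size_t i, n, total = 0, bad = 0;
    for (i = 0; i < BLOCK_LEN; i++)   /* pattern: byte i and byte i+8192 always differ */
        block[i] = (unsigned char)(i ^ (i >> 8));
    struct rd_state st = { block, BLOCK_LEN, 0 };
    while ((n = fn(&st, out + total, CALLER_LEN)) > 0)
        total += n;
    if (total != BLOCK_LEN)
        return BLOCK_LEN;             /* short delivery: treat every byte as wrong */
    for (i = 0; i < BLOCK_LEN; i++)
        bad += (out[i] != block[i]);
    return bad;
}
```

With the restarting copy the last 2048 delivered bytes are a second copy of the block's first 2048 bytes, which is exactly the corruption the diff in the how-to-repeat script would expose.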