[Toybox] [PATCH] tar: fix heap buffer overrun.

Rob Landley rob at landley.net
Thu Oct 15 17:31:39 PDT 2020


On 10/14/20 3:21 PM, enh wrote:
> i've sent a new fix that just touches dirtree_path() so that it always
> honors the size request again.

Applied, and then cosmetically fiddled with because I do that.

>> but I leave for the airport to fly back to Japan in 2 hours. (Part of the
>> reason I've been so distracted lately, it's not JUST focusing on sh.c. :)
>>
>>> Caught by ASan.
>>
>> Operating on what path?
> 
> the new patch's commit message makes it clearer that you can reproduce
> this with the existing tar tests, as long as you `export ASAN=1`.
> (would we need extra docker dependencies, or should we just turn that
> on for the github CI?)

No idea.

I mentioned the ndk not working for this because of the need to build --static
to run anything on a system that doesn't have bionic installed in /lib, and asan
not working --static.

I can install llvm 7 through the devuan apt-get (may 2019), but 11 just shipped
and they don't have debian binaries, just ubuntu. MIGHT work? Not looking
forward to trying to build that from source, it's really brittle last I
checked... Ah, maybe I can follow:

  http://www.linuxfromscratch.org/blfs/view/svn/general/llvm.html

Um... is ninja part of cmake now? It lists cmake as a dependency but does not
list ninja? Did they add ninja to the 10.x base?

  http://www.linuxfromscratch.org/lfs/view/stable/chapter08/ninja.html

yes they did. Lovely...

Anyway, question: is llvm 7 likely to be enough, or should I try compiling llvm
from source to poke at this asan stuff?

Rob


