1 /*- 2 * Copyright (c) 2003-2023 Tim Kientzle 3 * Copyright (c) 2011-2012 Michihiro NAKAJIMA 4 * Copyright (c) 2016 Martin Matuska 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include "archive_platform.h" 29 30 #ifdef HAVE_ERRNO_H 31 #include <errno.h> 32 #endif 33 #include <stddef.h> 34 #ifdef HAVE_STDLIB_H 35 #include <stdlib.h> 36 #endif 37 #ifdef HAVE_STRING_H 38 #include <string.h> 39 #endif 40 41 #include "archive.h" 42 #include "archive_acl_private.h" /* For ACL parsing routines. */ 43 #include "archive_entry.h" 44 #include "archive_entry_locale.h" 45 #include "archive_private.h" 46 #include "archive_read_private.h" 47 48 #define tar_min(a,b) ((a) < (b) ? (a) : (b)) 49 50 /* 51 * Layout of POSIX 'ustar' tar header. 52 */ 53 struct archive_entry_header_ustar { 54 char name[100]; 55 char mode[8]; 56 char uid[8]; 57 char gid[8]; 58 char size[12]; 59 char mtime[12]; 60 char checksum[8]; 61 char typeflag[1]; 62 char linkname[100]; /* "old format" header ends here */ 63 char magic[6]; /* For POSIX: "ustar\0" */ 64 char version[2]; /* For POSIX: "00" */ 65 char uname[32]; 66 char gname[32]; 67 char rdevmajor[8]; 68 char rdevminor[8]; 69 char prefix[155]; 70 }; 71 72 /* 73 * Structure of GNU tar header 74 */ 75 struct gnu_sparse { 76 char offset[12]; 77 char numbytes[12]; 78 }; 79 80 struct archive_entry_header_gnutar { 81 char name[100]; 82 char mode[8]; 83 char uid[8]; 84 char gid[8]; 85 char size[12]; 86 char mtime[12]; 87 char checksum[8]; 88 char typeflag[1]; 89 char linkname[100]; 90 char magic[8]; /* "ustar \0" (note blank/blank/null at end) */ 91 char uname[32]; 92 char gname[32]; 93 char rdevmajor[8]; 94 char rdevminor[8]; 95 char atime[12]; 96 char ctime[12]; 97 char offset[12]; 98 char longnames[4]; 99 char unused[1]; 100 struct gnu_sparse sparse[4]; 101 char isextended[1]; 102 char realsize[12]; 103 /* 104 * Old GNU format doesn't use POSIX 'prefix' field; they use 105 * the 'L' (longname) entry instead. 106 */ 107 }; 108 109 /* 110 * Data specific to this format. 111 */ 112 struct sparse_block { 113 struct sparse_block *next; 114 int64_t offset; 115 int64_t remaining; 116 int hole; 117 }; 118 119 struct tar { 120 struct archive_string entry_pathname; 121 /* For "GNU.sparse.name" and other similar path extensions. */ 122 struct archive_string entry_pathname_override; 123 struct archive_string entry_uname; 124 struct archive_string entry_gname; 125 struct archive_string entry_linkpath; 126 struct archive_string line; 127 int pax_hdrcharset_utf8; 128 int64_t entry_bytes_remaining; 129 int64_t entry_offset; 130 int64_t entry_padding; 131 int64_t entry_bytes_unconsumed; 132 int64_t disk_size; 133 int64_t GNU_sparse_realsize; 134 int64_t GNU_sparse_size; 135 int64_t SCHILY_sparse_realsize; 136 int64_t pax_size; 137 struct sparse_block *sparse_list; 138 struct sparse_block *sparse_last; 139 int64_t sparse_offset; 140 int64_t sparse_numbytes; 141 int sparse_gnu_major; 142 int sparse_gnu_minor; 143 char sparse_gnu_attributes_seen; 144 char filetype; 145 char size_fields; /* Bits defined below */ 146 147 struct archive_string localname; 148 struct archive_string_conv *opt_sconv; 149 struct archive_string_conv *sconv; 150 struct archive_string_conv *sconv_acl; 151 struct archive_string_conv *sconv_default; 152 int init_default_conversion; 153 int compat_2x; 154 int process_mac_extensions; 155 int read_concatenated_archives; 156 }; 157 158 /* Track which size fields were present in the headers */ 159 #define TAR_SIZE_PAX_SIZE 1 160 #define TAR_SIZE_GNU_SPARSE_REALSIZE 2 161 #define TAR_SIZE_GNU_SPARSE_SIZE 4 162 #define TAR_SIZE_SCHILY_SPARSE_REALSIZE 8 163 164 165 static int archive_block_is_null(const char *p); 166 static char *base64_decode(const char *, size_t, size_t *); 167 static int gnu_add_sparse_entry(struct archive_read *, struct tar *, 168 int64_t offset, int64_t remaining); 169 170 static void gnu_clear_sparse_list(struct tar *); 171 static int gnu_sparse_old_read(struct archive_read *, struct tar *, 172 const struct archive_entry_header_gnutar *header, int64_t *); 173 static int gnu_sparse_old_parse(struct archive_read *, struct tar *, 174 const struct gnu_sparse *sparse, int length); 175 static int gnu_sparse_01_parse(struct archive_read *, struct tar *, 176 const char *, size_t); 177 static int64_t gnu_sparse_10_read(struct archive_read *, struct tar *, 178 int64_t *); 179 static int header_Solaris_ACL(struct archive_read *, struct tar *, 180 struct archive_entry *, const void *, int64_t *); 181 static int header_common(struct archive_read *, struct tar *, 182 struct archive_entry *, const void *); 183 static int header_old_tar(struct archive_read *, struct tar *, 184 struct archive_entry *, const void *); 185 static int header_pax_extension(struct archive_read *, struct tar *, 186 struct archive_entry *, const void *, int64_t *); 187 static int header_pax_global(struct archive_read *, struct tar *, 188 struct archive_entry *, const void *h, int64_t *); 189 static int header_gnu_longlink(struct archive_read *, struct tar *, 190 struct archive_entry *, const void *h, int64_t *); 191 static int header_gnu_longname(struct archive_read *, struct tar *, 192 struct archive_entry *, const void *h, int64_t *); 193 static int is_mac_metadata_entry(struct archive_entry *entry); 194 static int read_mac_metadata_blob(struct archive_read *, 195 struct archive_entry *, int64_t *); 196 static int header_volume(struct archive_read *, struct tar *, 197 struct archive_entry *, const void *h, int64_t *); 198 static int header_ustar(struct archive_read *, struct tar *, 199 struct archive_entry *, const void *h); 200 static int header_gnutar(struct archive_read *, struct tar *, 201 struct archive_entry *, const void *h, int64_t *); 202 static int archive_read_format_tar_bid(struct archive_read *, int); 203 static int archive_read_format_tar_options(struct archive_read *, 204 const char *, const char *); 205 static int archive_read_format_tar_cleanup(struct archive_read *); 206 static int archive_read_format_tar_read_data(struct archive_read *a, 207 const void **buff, size_t *size, int64_t *offset); 208 static int archive_read_format_tar_skip(struct archive_read *a); 209 static int archive_read_format_tar_read_header(struct archive_read *, 210 struct archive_entry *); 211 static int checksum(struct archive_read *, const void *); 212 static int pax_attribute(struct archive_read *, struct tar *, 213 struct archive_entry *, const char *key, size_t key_length, 214 size_t value_length, int64_t *unconsumed); 215 static int pax_attribute_LIBARCHIVE_xattr(struct archive_entry *, 216 const char *, size_t, const char *, size_t); 217 static int pax_attribute_SCHILY_acl(struct archive_read *, struct tar *, 218 struct archive_entry *, size_t, int); 219 static int pax_attribute_SUN_holesdata(struct archive_read *, struct tar *, 220 struct archive_entry *, const char *, size_t); 221 static void pax_time(const char *, size_t, int64_t *sec, long *nanos); 222 static ssize_t readline(struct archive_read *, struct tar *, const char **, 223 ssize_t limit, int64_t *); 224 static int read_body_to_string(struct archive_read *, struct tar *, 225 struct archive_string *, const void *h, int64_t *); 226 static int read_bytes_to_string(struct archive_read *, 227 struct archive_string *, size_t, int64_t *); 228 static int64_t tar_atol(const char *, size_t); 229 static int64_t tar_atol10(const char *, size_t); 230 static int64_t tar_atol256(const char *, size_t); 231 static int64_t tar_atol8(const char *, size_t); 232 static int tar_read_header(struct archive_read *, struct tar *, 233 struct archive_entry *, int64_t *); 234 static int tohex(int c); 235 static char *url_decode(const char *, size_t); 236 static int tar_flush_unconsumed(struct archive_read *, int64_t *); 237 238 /* Sanity limits: These numbers should be low enough to 239 * prevent a maliciously-crafted archive from forcing us to 240 * allocate extreme amounts of memory. But of course, they 241 * need to be high enough for any correct value. These 242 * will likely need some adjustment as we get more experience. */ 243 static const size_t guname_limit = 65536; /* Longest uname or gname: 64kiB */ 244 static const size_t pathname_limit = 1048576; /* Longest path name: 1MiB */ 245 static const size_t sparse_map_limit = 8 * 1048576; /* Longest sparse map: 8MiB */ 246 static const size_t xattr_limit = 16 * 1048576; /* Longest xattr: 16MiB */ 247 static const size_t fflags_limit = 512; /* Longest fflags */ 248 static const size_t acl_limit = 131072; /* Longest textual ACL: 128kiB */ 249 static const int64_t entry_limit = 0xfffffffffffffffLL; /* 2^60 bytes = 1 ExbiByte */ 250 251 int 252 archive_read_support_format_gnutar(struct archive *a) 253 { 254 archive_check_magic(a, ARCHIVE_READ_MAGIC, 255 ARCHIVE_STATE_NEW, "archive_read_support_format_gnutar"); 256 return (archive_read_support_format_tar(a)); 257 } 258 259 260 int 261 archive_read_support_format_tar(struct archive *_a) 262 { 263 struct archive_read *a = (struct archive_read *)_a; 264 struct tar *tar; 265 int r; 266 267 archive_check_magic(_a, ARCHIVE_READ_MAGIC, 268 ARCHIVE_STATE_NEW, "archive_read_support_format_tar"); 269 270 tar = calloc(1, sizeof(*tar)); 271 if (tar == NULL) { 272 archive_set_error(&a->archive, ENOMEM, 273 "Can't allocate tar data"); 274 return (ARCHIVE_FATAL); 275 } 276 #ifdef HAVE_COPYFILE_H 277 /* Set this by default on Mac OS. */ 278 tar->process_mac_extensions = 1; 279 #endif 280 281 r = __archive_read_register_format(a, tar, "tar", 282 archive_read_format_tar_bid, 283 archive_read_format_tar_options, 284 archive_read_format_tar_read_header, 285 archive_read_format_tar_read_data, 286 archive_read_format_tar_skip, 287 NULL, 288 archive_read_format_tar_cleanup, 289 NULL, 290 NULL); 291 292 if (r != ARCHIVE_OK) 293 free(tar); 294 return (ARCHIVE_OK); 295 } 296 297 static int 298 archive_read_format_tar_cleanup(struct archive_read *a) 299 { 300 struct tar *tar; 301 302 tar = (struct tar *)(a->format->data); 303 gnu_clear_sparse_list(tar); 304 archive_string_free(&tar->entry_pathname); 305 archive_string_free(&tar->entry_pathname_override); 306 archive_string_free(&tar->entry_uname); 307 archive_string_free(&tar->entry_gname); 308 archive_string_free(&tar->entry_linkpath); 309 archive_string_free(&tar->line); 310 archive_string_free(&tar->localname); 311 free(tar); 312 (a->format->data) = NULL; 313 return (ARCHIVE_OK); 314 } 315 316 /* 317 * Validate number field 318 * 319 * This has to be pretty lenient in order to accommodate the enormous 320 * variety of tar writers in the world: 321 * = POSIX (IEEE Std 1003.1-1988) ustar requires octal values with leading 322 * zeros and allows fields to be terminated with space or null characters 323 * = Many writers use different termination (in particular, libarchive 324 * omits terminator bytes to squeeze one or two more digits) 325 * = Many writers pad with space and omit leading zeros 326 * = GNU tar and star write base-256 values if numbers are too 327 * big to be represented in octal 328 * 329 * Examples of specific tar headers that we should support: 330 * = Perl Archive::Tar terminates uid, gid, devminor and devmajor with two 331 * null bytes, pads size with spaces and other numeric fields with zeroes 332 * = plexus-archiver prior to 2.6.3 (before switching to commons-compress) 333 * may have uid and gid fields filled with spaces without any octal digits 334 * at all and pads all numeric fields with spaces 335 * 336 * This should tolerate all variants in use. It will reject a field 337 * where the writer just left garbage after a trailing NUL. 338 */ 339 static int 340 validate_number_field(const char* p_field, size_t i_size) 341 { 342 unsigned char marker = (unsigned char)p_field[0]; 343 if (marker == 128 || marker == 255 || marker == 0) { 344 /* Base-256 marker, there's nothing we can check. */ 345 return 1; 346 } else { 347 /* Must be octal */ 348 size_t i = 0; 349 /* Skip any leading spaces */ 350 while (i < i_size && p_field[i] == ' ') { 351 ++i; 352 } 353 /* Skip octal digits. */ 354 while (i < i_size && p_field[i] >= '0' && p_field[i] <= '7') { 355 ++i; 356 } 357 /* Any remaining characters must be space or NUL padding. */ 358 while (i < i_size) { 359 if (p_field[i] != ' ' && p_field[i] != 0) { 360 return 0; 361 } 362 ++i; 363 } 364 return 1; 365 } 366 } 367 368 static int 369 archive_read_format_tar_bid(struct archive_read *a, int best_bid) 370 { 371 int bid; 372 const char *h; 373 const struct archive_entry_header_ustar *header; 374 375 (void)best_bid; /* UNUSED */ 376 377 bid = 0; 378 379 /* Now let's look at the actual header and see if it matches. */ 380 h = __archive_read_ahead(a, 512, NULL); 381 if (h == NULL) 382 return (-1); 383 384 /* If it's an end-of-archive mark, we can handle it. */ 385 if (h[0] == 0 && archive_block_is_null(h)) { 386 /* 387 * Usually, I bid the number of bits verified, but 388 * in this case, 4096 seems excessive so I picked 10 as 389 * an arbitrary but reasonable-seeming value. 390 */ 391 return (10); 392 } 393 394 /* If it's not an end-of-archive mark, it must have a valid checksum.*/ 395 if (!checksum(a, h)) 396 return (0); 397 bid += 48; /* Checksum is usually 6 octal digits. */ 398 399 header = (const struct archive_entry_header_ustar *)h; 400 401 /* Recognize POSIX formats. */ 402 if ((memcmp(header->magic, "ustar\0", 6) == 0) 403 && (memcmp(header->version, "00", 2) == 0)) 404 bid += 56; 405 406 /* Recognize GNU tar format. */ 407 if ((memcmp(header->magic, "ustar ", 6) == 0) 408 && (memcmp(header->version, " \0", 2) == 0)) 409 bid += 56; 410 411 /* Type flag must be null, digit or A-Z, a-z. */ 412 if (header->typeflag[0] != 0 && 413 !( header->typeflag[0] >= '0' && header->typeflag[0] <= '9') && 414 !( header->typeflag[0] >= 'A' && header->typeflag[0] <= 'Z') && 415 !( header->typeflag[0] >= 'a' && header->typeflag[0] <= 'z') ) 416 return (0); 417 bid += 2; /* 6 bits of variation in an 8-bit field leaves 2 bits. */ 418 419 /* 420 * Check format of mode/uid/gid/mtime/size/rdevmajor/rdevminor fields. 421 */ 422 if (validate_number_field(header->mode, sizeof(header->mode)) == 0 423 || validate_number_field(header->uid, sizeof(header->uid)) == 0 424 || validate_number_field(header->gid, sizeof(header->gid)) == 0 425 || validate_number_field(header->mtime, sizeof(header->mtime)) == 0 426 || validate_number_field(header->size, sizeof(header->size)) == 0 427 || validate_number_field(header->rdevmajor, sizeof(header->rdevmajor)) == 0 428 || validate_number_field(header->rdevminor, sizeof(header->rdevminor)) == 0) { 429 bid = 0; 430 } 431 432 return (bid); 433 } 434 435 static int 436 archive_read_format_tar_options(struct archive_read *a, 437 const char *key, const char *val) 438 { 439 struct tar *tar; 440 int ret = ARCHIVE_FAILED; 441 442 tar = (struct tar *)(a->format->data); 443 if (strcmp(key, "compat-2x") == 0) { 444 /* Handle UTF-8 filenames as libarchive 2.x */ 445 tar->compat_2x = (val != NULL && val[0] != 0); 446 tar->init_default_conversion = tar->compat_2x; 447 return (ARCHIVE_OK); 448 } else if (strcmp(key, "hdrcharset") == 0) { 449 if (val == NULL || val[0] == 0) 450 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 451 "tar: hdrcharset option needs a character-set name"); 452 else { 453 tar->opt_sconv = 454 archive_string_conversion_from_charset( 455 &a->archive, val, 0); 456 if (tar->opt_sconv != NULL) 457 ret = ARCHIVE_OK; 458 else 459 ret = ARCHIVE_FATAL; 460 } 461 return (ret); 462 } else if (strcmp(key, "mac-ext") == 0) { 463 tar->process_mac_extensions = (val != NULL && val[0] != 0); 464 return (ARCHIVE_OK); 465 } else if (strcmp(key, "read_concatenated_archives") == 0) { 466 tar->read_concatenated_archives = (val != NULL && val[0] != 0); 467 return (ARCHIVE_OK); 468 } 469 470 /* Note: The "warn" return is just to inform the options 471 * supervisor that we didn't handle it. It will generate 472 * a suitable error if no one used this option. */ 473 return (ARCHIVE_WARN); 474 } 475 476 /* utility function- this exists to centralize the logic of tracking 477 * how much unconsumed data we have floating around, and to consume 478 * anything outstanding since we're going to do read_aheads 479 */ 480 static int 481 tar_flush_unconsumed(struct archive_read *a, int64_t *unconsumed) 482 { 483 if (*unconsumed) { 484 /* 485 void *data = (void *)__archive_read_ahead(a, *unconsumed, NULL); 486 * this block of code is to poison claimed unconsumed space, ensuring 487 * things break if it is in use still. 488 * currently it WILL break things, so enable it only for debugging this issue 489 if (data) { 490 memset(data, 0xff, *unconsumed); 491 } 492 */ 493 int64_t consumed = __archive_read_consume(a, *unconsumed); 494 if (consumed != *unconsumed) { 495 return (ARCHIVE_FATAL); 496 } 497 *unconsumed = 0; 498 } 499 return (ARCHIVE_OK); 500 } 501 502 /* 503 * The function invoked by archive_read_next_header(). This 504 * just sets up a few things and then calls the internal 505 * tar_read_header() function below. 506 */ 507 static int 508 archive_read_format_tar_read_header(struct archive_read *a, 509 struct archive_entry *entry) 510 { 511 /* 512 * When converting tar archives to cpio archives, it is 513 * essential that each distinct file have a distinct inode 514 * number. To simplify this, we keep a static count here to 515 * assign fake dev/inode numbers to each tar entry. Note that 516 * pax format archives may overwrite this with something more 517 * useful. 518 * 519 * Ideally, we would track every file read from the archive so 520 * that we could assign the same dev/ino pair to hardlinks, 521 * but the memory required to store a complete lookup table is 522 * probably not worthwhile just to support the relatively 523 * obscure tar->cpio conversion case. 524 */ 525 /* TODO: Move this into `struct tar` to avoid conflicts 526 * when reading multiple archives */ 527 static int default_inode; 528 static int default_dev; 529 struct tar *tar; 530 const char *p; 531 const wchar_t *wp; 532 int r; 533 size_t l; 534 int64_t unconsumed = 0; 535 536 /* Assign default device/inode values. */ 537 archive_entry_set_dev(entry, 1 + default_dev); /* Don't use zero. */ 538 archive_entry_set_ino(entry, ++default_inode); /* Don't use zero. */ 539 /* Limit generated st_ino number to 16 bits. */ 540 if (default_inode >= 0xffff) { 541 ++default_dev; 542 default_inode = 0; 543 } 544 545 tar = (struct tar *)(a->format->data); 546 tar->entry_offset = 0; 547 gnu_clear_sparse_list(tar); 548 tar->size_fields = 0; /* We don't have any size info yet */ 549 550 /* Setup default string conversion. */ 551 tar->sconv = tar->opt_sconv; 552 if (tar->sconv == NULL) { 553 if (!tar->init_default_conversion) { 554 tar->sconv_default = 555 archive_string_default_conversion_for_read(&(a->archive)); 556 tar->init_default_conversion = 1; 557 } 558 tar->sconv = tar->sconv_default; 559 } 560 561 r = tar_read_header(a, tar, entry, &unconsumed); 562 563 tar_flush_unconsumed(a, &unconsumed); 564 565 /* 566 * "non-sparse" files are really just sparse files with 567 * a single block. 568 */ 569 if (tar->sparse_list == NULL) { 570 if (gnu_add_sparse_entry(a, tar, 0, tar->entry_bytes_remaining) 571 != ARCHIVE_OK) 572 return (ARCHIVE_FATAL); 573 } else { 574 struct sparse_block *sb; 575 576 for (sb = tar->sparse_list; sb != NULL; sb = sb->next) { 577 if (!sb->hole) 578 archive_entry_sparse_add_entry(entry, 579 sb->offset, sb->remaining); 580 } 581 } 582 583 if (r == ARCHIVE_OK && archive_entry_filetype(entry) == AE_IFREG) { 584 /* 585 * "Regular" entry with trailing '/' is really 586 * directory: This is needed for certain old tar 587 * variants and even for some broken newer ones. 588 */ 589 if ((wp = archive_entry_pathname_w(entry)) != NULL) { 590 l = wcslen(wp); 591 if (l > 0 && wp[l - 1] == L'/') { 592 archive_entry_set_filetype(entry, AE_IFDIR); 593 tar->entry_bytes_remaining = 0; 594 tar->entry_padding = 0; 595 } 596 } else if ((p = archive_entry_pathname(entry)) != NULL) { 597 l = strlen(p); 598 if (l > 0 && p[l - 1] == '/') { 599 archive_entry_set_filetype(entry, AE_IFDIR); 600 tar->entry_bytes_remaining = 0; 601 tar->entry_padding = 0; 602 } 603 } 604 } 605 return (r); 606 } 607 608 static int 609 archive_read_format_tar_read_data(struct archive_read *a, 610 const void **buff, size_t *size, int64_t *offset) 611 { 612 ssize_t bytes_read; 613 struct tar *tar; 614 struct sparse_block *p; 615 616 tar = (struct tar *)(a->format->data); 617 618 for (;;) { 619 /* Remove exhausted entries from sparse list. */ 620 while (tar->sparse_list != NULL && 621 tar->sparse_list->remaining == 0) { 622 p = tar->sparse_list; 623 tar->sparse_list = p->next; 624 free(p); 625 } 626 627 if (tar->entry_bytes_unconsumed) { 628 __archive_read_consume(a, tar->entry_bytes_unconsumed); 629 tar->entry_bytes_unconsumed = 0; 630 } 631 632 /* If we're at end of file, return EOF. */ 633 if (tar->sparse_list == NULL || 634 tar->entry_bytes_remaining == 0) { 635 int64_t request = tar->entry_bytes_remaining + 636 tar->entry_padding; 637 638 if (__archive_read_consume(a, request) != request) 639 return (ARCHIVE_FATAL); 640 tar->entry_padding = 0; 641 *buff = NULL; 642 *size = 0; 643 *offset = tar->disk_size; 644 return (ARCHIVE_EOF); 645 } 646 647 *buff = __archive_read_ahead(a, 1, &bytes_read); 648 if (*buff == NULL) { 649 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 650 "Truncated tar archive" 651 " detected while reading data"); 652 return (ARCHIVE_FATAL); 653 } 654 if (bytes_read > tar->entry_bytes_remaining) 655 bytes_read = (ssize_t)tar->entry_bytes_remaining; 656 /* Don't read more than is available in the 657 * current sparse block. */ 658 if (tar->sparse_list->remaining < bytes_read) 659 bytes_read = (ssize_t)tar->sparse_list->remaining; 660 *size = bytes_read; 661 *offset = tar->sparse_list->offset; 662 tar->sparse_list->remaining -= bytes_read; 663 tar->sparse_list->offset += bytes_read; 664 tar->entry_bytes_remaining -= bytes_read; 665 tar->entry_bytes_unconsumed = bytes_read; 666 667 if (!tar->sparse_list->hole) 668 return (ARCHIVE_OK); 669 /* Current is hole data and skip this. */ 670 } 671 } 672 673 static int 674 archive_read_format_tar_skip(struct archive_read *a) 675 { 676 int64_t request; 677 struct tar* tar; 678 679 tar = (struct tar *)(a->format->data); 680 681 request = tar->entry_bytes_remaining + tar->entry_padding + 682 tar->entry_bytes_unconsumed; 683 684 if (__archive_read_consume(a, request) != request) 685 return (ARCHIVE_FATAL); 686 687 tar->entry_bytes_remaining = 0; 688 tar->entry_bytes_unconsumed = 0; 689 tar->entry_padding = 0; 690 691 /* Free the sparse list. */ 692 gnu_clear_sparse_list(tar); 693 694 return (ARCHIVE_OK); 695 } 696 697 /* 698 * This function resets the accumulated state while reading 699 * a header. 700 */ 701 static void 702 tar_reset_header_state(struct tar *tar) 703 { 704 tar->pax_hdrcharset_utf8 = 1; 705 tar->sparse_gnu_attributes_seen = 0; 706 archive_string_empty(&(tar->entry_gname)); 707 archive_string_empty(&(tar->entry_pathname)); 708 archive_string_empty(&(tar->entry_pathname_override)); 709 archive_string_empty(&(tar->entry_uname)); 710 archive_string_empty(&tar->entry_linkpath); 711 } 712 713 /* 714 * This function reads and interprets all of the headers associated 715 * with a single entry. 716 */ 717 static int 718 tar_read_header(struct archive_read *a, struct tar *tar, 719 struct archive_entry *entry, int64_t *unconsumed) 720 { 721 ssize_t bytes; 722 int err = ARCHIVE_OK, err2; 723 int eof_fatal = 0; /* EOF is okay at some points... */ 724 const char *h; 725 const struct archive_entry_header_ustar *header; 726 const struct archive_entry_header_gnutar *gnuheader; 727 728 /* Bitmask of what header types we've seen. */ 729 int32_t seen_headers = 0; 730 static const int32_t seen_A_header = 1; 731 static const int32_t seen_g_header = 2; 732 static const int32_t seen_K_header = 4; 733 static const int32_t seen_L_header = 8; 734 static const int32_t seen_V_header = 16; 735 static const int32_t seen_x_header = 32; /* Also X */ 736 static const int32_t seen_mac_metadata = 512; 737 738 tar_reset_header_state(tar); 739 740 /* Ensure format is set. */ 741 if (a->archive.archive_format_name == NULL) { 742 a->archive.archive_format = ARCHIVE_FORMAT_TAR; 743 a->archive.archive_format_name = "tar"; 744 } 745 746 /* 747 * TODO: Write global/default pax options into 748 * 'entry' struct here before overwriting with 749 * file-specific options. 750 */ 751 752 /* Loop over all the headers needed for the next entry */ 753 for (;;) { 754 755 /* Find the next valid header record. */ 756 while (1) { 757 if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) { 758 return (ARCHIVE_FATAL); 759 } 760 761 /* Read 512-byte header record */ 762 h = __archive_read_ahead(a, 512, &bytes); 763 if (bytes == 0) { /* EOF at a block boundary. */ 764 if (eof_fatal) { 765 /* We've read a special header already; 766 * if there's no regular header, then this is 767 * a premature EOF. */ 768 archive_set_error(&a->archive, EINVAL, 769 "Damaged tar archive (end-of-archive within a sequence of headers)"); 770 return (ARCHIVE_FATAL); 771 } else { 772 return (ARCHIVE_EOF); 773 } 774 } 775 if (h == NULL) { /* Short block at EOF; this is bad. */ 776 archive_set_error(&a->archive, 777 ARCHIVE_ERRNO_FILE_FORMAT, 778 "Truncated tar archive" 779 " detected while reading next header"); 780 return (ARCHIVE_FATAL); 781 } 782 *unconsumed += 512; 783 784 if (h[0] == 0 && archive_block_is_null(h)) { 785 /* We found a NULL block which indicates end-of-archive */ 786 787 if (tar->read_concatenated_archives) { 788 /* We're ignoring NULL blocks, so keep going. */ 789 continue; 790 } 791 792 /* Try to consume a second all-null record, as well. */ 793 /* If we can't, that's okay. */ 794 tar_flush_unconsumed(a, unconsumed); 795 h = __archive_read_ahead(a, 512, NULL); 796 if (h != NULL && h[0] == 0 && archive_block_is_null(h)) 797 __archive_read_consume(a, 512); 798 799 archive_clear_error(&a->archive); 800 return (ARCHIVE_EOF); 801 } 802 803 /* This is NOT a null block, so it must be a valid header. */ 804 if (!checksum(a, h)) { 805 if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) { 806 return (ARCHIVE_FATAL); 807 } 808 archive_set_error(&a->archive, EINVAL, 809 "Damaged tar archive (bad header checksum)"); 810 /* If we've read some critical information (pax headers, etc) 811 * and _then_ see a bad header, we can't really recover. */ 812 if (eof_fatal) { 813 return (ARCHIVE_FATAL); 814 } else { 815 return (ARCHIVE_RETRY); 816 } 817 } 818 break; 819 } 820 821 /* Determine the format variant. */ 822 header = (const struct archive_entry_header_ustar *)h; 823 switch(header->typeflag[0]) { 824 case 'A': /* Solaris tar ACL */ 825 if (seen_headers & seen_A_header) { 826 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 827 "Redundant 'A' header"); 828 return (ARCHIVE_FATAL); 829 } 830 seen_headers |= seen_A_header; 831 a->archive.archive_format = ARCHIVE_FORMAT_TAR_PAX_INTERCHANGE; 832 a->archive.archive_format_name = "Solaris tar"; 833 err2 = header_Solaris_ACL(a, tar, entry, h, unconsumed); 834 break; 835 case 'g': /* POSIX-standard 'g' header. */ 836 if (seen_headers & seen_g_header) { 837 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 838 "Redundant 'g' header"); 839 return (ARCHIVE_FATAL); 840 } 841 seen_headers |= seen_g_header; 842 a->archive.archive_format = ARCHIVE_FORMAT_TAR_PAX_INTERCHANGE; 843 a->archive.archive_format_name = "POSIX pax interchange format"; 844 err2 = header_pax_global(a, tar, entry, h, unconsumed); 845 break; 846 case 'K': /* Long link name (GNU tar, others) */ 847 if (seen_headers & seen_K_header) { 848 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 849 "Damaged archive: Redundant 'K' headers may cause linknames to be incorrect"); 850 err = err_combine(err, ARCHIVE_WARN); 851 } 852 seen_headers |= seen_K_header; 853 a->archive.archive_format = ARCHIVE_FORMAT_TAR_GNUTAR; 854 a->archive.archive_format_name = "GNU tar format"; 855 err2 = header_gnu_longlink(a, tar, entry, h, unconsumed); 856 break; 857 case 'L': /* Long filename (GNU tar, others) */ 858 if (seen_headers & seen_L_header) { 859 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 860 "Damaged archive: Redundant 'L' headers may cause filenames to be incorrect"); 861 err = err_combine(err, ARCHIVE_WARN); 862 } 863 seen_headers |= seen_L_header; 864 a->archive.archive_format = ARCHIVE_FORMAT_TAR_GNUTAR; 865 a->archive.archive_format_name = "GNU tar format"; 866 err2 = header_gnu_longname(a, tar, entry, h, unconsumed); 867 break; 868 case 'V': /* GNU volume header */ 869 if (seen_headers & seen_V_header) { 870 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 871 "Redundant 'V' header"); 872 err = err_combine(err, ARCHIVE_WARN); 873 } 874 seen_headers |= seen_V_header; 875 a->archive.archive_format = ARCHIVE_FORMAT_TAR_GNUTAR; 876 a->archive.archive_format_name = "GNU tar format"; 877 err2 = header_volume(a, tar, entry, h, unconsumed); 878 break; 879 case 'X': /* Used by SUN tar; same as 'x'. */ 880 if (seen_headers & seen_x_header) { 881 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 882 "Redundant 'X'/'x' header"); 883 return (ARCHIVE_FATAL); 884 } 885 seen_headers |= seen_x_header; 886 a->archive.archive_format = ARCHIVE_FORMAT_TAR_PAX_INTERCHANGE; 887 a->archive.archive_format_name = 888 "POSIX pax interchange format (Sun variant)"; 889 err2 = header_pax_extension(a, tar, entry, h, unconsumed); 890 break; 891 case 'x': /* POSIX-standard 'x' header. */ 892 if (seen_headers & seen_x_header) { 893 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 894 "Redundant 'x' header"); 895 return (ARCHIVE_FATAL); 896 } 897 seen_headers |= seen_x_header; 898 a->archive.archive_format = ARCHIVE_FORMAT_TAR_PAX_INTERCHANGE; 899 a->archive.archive_format_name = "POSIX pax interchange format"; 900 err2 = header_pax_extension(a, tar, entry, h, unconsumed); 901 break; 902 default: /* Regular header: Legacy tar, GNU tar, or ustar */ 903 gnuheader = (const struct archive_entry_header_gnutar *)h; 904 if (memcmp(gnuheader->magic, "ustar \0", 8) == 0) { 905 a->archive.archive_format = ARCHIVE_FORMAT_TAR_GNUTAR; 906 a->archive.archive_format_name = "GNU tar format"; 907 err2 = header_gnutar(a, tar, entry, h, unconsumed); 908 } else if (memcmp(header->magic, "ustar", 5) == 0) { 909 if (a->archive.archive_format != ARCHIVE_FORMAT_TAR_PAX_INTERCHANGE) { 910 a->archive.archive_format = ARCHIVE_FORMAT_TAR_USTAR; 911 a->archive.archive_format_name = "POSIX ustar format"; 912 } 913 err2 = header_ustar(a, tar, entry, h); 914 } else { 915 a->archive.archive_format = ARCHIVE_FORMAT_TAR; 916 a->archive.archive_format_name = "tar (non-POSIX)"; 917 err2 = header_old_tar(a, tar, entry, h); 918 } 919 err = err_combine(err, err2); 920 /* We return warnings or success as-is. Anything else is fatal. */ 921 if (err < ARCHIVE_WARN) { 922 return (ARCHIVE_FATAL); 923 } 924 /* Filename of the form `._filename` is an AppleDouble 925 * extension entry. The body is the macOS metadata blob; 926 * this is followed by another entry with the actual 927 * regular file data. 928 * This design has two drawbacks: 929 * = it's brittle; you might just have a file with such a name 930 * = it duplicates any long pathname extensions 931 * 932 * TODO: This probably shouldn't be here at all. Consider 933 * just returning the contents as a regular entry here and 934 * then dealing with it when we write data to disk. 935 */ 936 if (tar->process_mac_extensions 937 && ((seen_headers & seen_mac_metadata) == 0) 938 && is_mac_metadata_entry(entry)) { 939 err2 = read_mac_metadata_blob(a, entry, unconsumed); 940 if (err2 < ARCHIVE_WARN) { 941 return (ARCHIVE_FATAL); 942 } 943 err = err_combine(err, err2); 944 /* Note: Other headers can appear again. */ 945 seen_headers = seen_mac_metadata; 946 tar_reset_header_state(tar); 947 break; 948 } 949 950 /* Reconcile GNU sparse attributes */ 951 if (tar->sparse_gnu_attributes_seen) { 952 /* Only 'S' (GNU sparse) and ustar '0' regular files can be sparse */ 953 if (tar->filetype != 'S' && tar->filetype != '0') { 954 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 955 "Non-regular file cannot be sparse"); 956 return (ARCHIVE_WARN); 957 } else if (tar->sparse_gnu_major == 0 && 958 tar->sparse_gnu_minor == 0) { 959 /* Sparse map already parsed from 'x' header */ 960 } else if (tar->sparse_gnu_major == 0 && 961 tar->sparse_gnu_minor == 1) { 962 /* Sparse map already parsed from 'x' header */ 963 } else if (tar->sparse_gnu_major == 1 && 964 tar->sparse_gnu_minor == 0) { 965 /* Sparse map is prepended to file contents */ 966 ssize_t bytes_read; 967 bytes_read = gnu_sparse_10_read(a, tar, unconsumed); 968 if (bytes_read < 0) 969 return ((int)bytes_read); 970 tar->entry_bytes_remaining -= bytes_read; 971 } else { 972 archive_set_error(&a->archive, 973 ARCHIVE_ERRNO_MISC, 974 "Unrecognized GNU sparse file format"); 975 return (ARCHIVE_WARN); 976 } 977 } 978 return (err); 979 } 980 981 /* We're between headers ... */ 982 err = err_combine(err, err2); 983 if (err == ARCHIVE_FATAL) 984 return (err); 985 986 /* The GNU volume header and the pax `g` global header 987 * are both allowed to be the only header in an 988 * archive. If we've seen any other header, a 989 * following EOF is fatal. */ 990 if ((seen_headers & ~seen_V_header & ~seen_g_header) != 0) { 991 eof_fatal = 1; 992 } 993 } 994 } 995 996 /* 997 * Return true if block checksum is correct. 998 */ 999 static int 1000 checksum(struct archive_read *a, const void *h) 1001 { 1002 const unsigned char *bytes; 1003 const struct archive_entry_header_ustar *header; 1004 int check, sum; 1005 size_t i; 1006 1007 (void)a; /* UNUSED */ 1008 bytes = (const unsigned char *)h; 1009 header = (const struct archive_entry_header_ustar *)h; 1010 1011 /* Checksum field must hold an octal number */ 1012 for (i = 0; i < sizeof(header->checksum); ++i) { 1013 char c = header->checksum[i]; 1014 if (c != ' ' && c != '\0' && (c < '0' || c > '7')) 1015 return 0; 1016 } 1017 1018 /* 1019 * Test the checksum. Note that POSIX specifies _unsigned_ 1020 * bytes for this calculation. 1021 */ 1022 sum = (int)tar_atol(header->checksum, sizeof(header->checksum)); 1023 check = 0; 1024 for (i = 0; i < 148; i++) 1025 check += (unsigned char)bytes[i]; 1026 for (; i < 156; i++) 1027 check += 32; 1028 for (; i < 512; i++) 1029 check += (unsigned char)bytes[i]; 1030 if (sum == check) 1031 return (1); 1032 1033 /* 1034 * Repeat test with _signed_ bytes, just in case this archive 1035 * was created by an old BSD, Solaris, or HP-UX tar with a 1036 * broken checksum calculation. 1037 */ 1038 check = 0; 1039 for (i = 0; i < 148; i++) 1040 check += (signed char)bytes[i]; 1041 for (; i < 156; i++) 1042 check += 32; 1043 for (; i < 512; i++) 1044 check += (signed char)bytes[i]; 1045 if (sum == check) 1046 return (1); 1047 1048 #if DONT_FAIL_ON_CRC_ERROR 1049 /* Speed up fuzzing by pretending the checksum is always right. */ 1050 return (1); 1051 #else 1052 return (0); 1053 #endif 1054 } 1055 1056 /* 1057 * Return true if this block contains only nulls. 1058 */ 1059 static int 1060 archive_block_is_null(const char *p) 1061 { 1062 unsigned i; 1063 1064 for (i = 0; i < 512; i++) 1065 if (*p++) 1066 return (0); 1067 return (1); 1068 } 1069 1070 /* 1071 * Interpret 'A' Solaris ACL header 1072 */ 1073 static int 1074 header_Solaris_ACL(struct archive_read *a, struct tar *tar, 1075 struct archive_entry *entry, const void *h, int64_t *unconsumed) 1076 { 1077 const struct archive_entry_header_ustar *header; 1078 struct archive_string acl_text; 1079 size_t size; 1080 int err, acl_type; 1081 uint64_t type; 1082 char *acl, *p; 1083 1084 header = (const struct archive_entry_header_ustar *)h; 1085 size = (size_t)tar_atol(header->size, sizeof(header->size)); 1086 archive_string_init(&acl_text); 1087 err = read_body_to_string(a, tar, &acl_text, h, unconsumed); 1088 if (err != ARCHIVE_OK) { 1089 archive_string_free(&acl_text); 1090 return (err); 1091 } 1092 1093 /* TODO: Examine the first characters to see if this 1094 * is an AIX ACL descriptor. We'll likely never support 1095 * them, but it would be polite to recognize and warn when 1096 * we do see them. */ 1097 1098 /* Leading octal number indicates ACL type and number of entries. */ 1099 p = acl = acl_text.s; 1100 type = 0; 1101 while (*p != '\0' && p < acl + size) { 1102 if (*p < '0' || *p > '7') { 1103 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1104 "Malformed Solaris ACL attribute (invalid digit)"); 1105 archive_string_free(&acl_text); 1106 return(ARCHIVE_WARN); 1107 } 1108 type <<= 3; 1109 type += *p - '0'; 1110 if (type > 077777777) { 1111 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1112 "Malformed Solaris ACL attribute (count too large)"); 1113 archive_string_free(&acl_text); 1114 return (ARCHIVE_WARN); 1115 } 1116 p++; 1117 } 1118 switch (type & ~0777777) { 1119 case 01000000: 1120 /* POSIX.1e ACL */ 1121 acl_type = ARCHIVE_ENTRY_ACL_TYPE_ACCESS; 1122 break; 1123 case 03000000: 1124 /* NFSv4 ACL */ 1125 acl_type = ARCHIVE_ENTRY_ACL_TYPE_NFS4; 1126 break; 1127 default: 1128 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1129 "Malformed Solaris ACL attribute (unsupported type %llu)", 1130 (unsigned long long)type); 1131 archive_string_free(&acl_text); 1132 return (ARCHIVE_WARN); 1133 } 1134 p++; 1135 1136 if (p >= acl + size) { 1137 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1138 "Malformed Solaris ACL attribute (body overflow)"); 1139 archive_string_free(&acl_text); 1140 return(ARCHIVE_WARN); 1141 } 1142 1143 /* ACL text is null-terminated; find the end. */ 1144 size -= (p - acl); 1145 acl = p; 1146 1147 while (*p != '\0' && p < acl + size) 1148 p++; 1149 1150 if (tar->sconv_acl == NULL) { 1151 tar->sconv_acl = archive_string_conversion_from_charset( 1152 &(a->archive), "UTF-8", 1); 1153 if (tar->sconv_acl == NULL) { 1154 archive_string_free(&acl_text); 1155 return (ARCHIVE_FATAL); 1156 } 1157 } 1158 archive_strncpy(&(tar->localname), acl, p - acl); 1159 err = archive_acl_from_text_l(archive_entry_acl(entry), 1160 tar->localname.s, acl_type, tar->sconv_acl); 1161 /* Workaround: Force perm_is_set() to be correct */ 1162 /* If this bit were stored in the ACL, this wouldn't be needed */ 1163 archive_entry_set_perm(entry, archive_entry_perm(entry)); 1164 if (err != ARCHIVE_OK) { 1165 if (errno == ENOMEM) { 1166 archive_set_error(&a->archive, ENOMEM, 1167 "Can't allocate memory for ACL"); 1168 } else 1169 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1170 "Malformed Solaris ACL attribute (unparsable)"); 1171 } 1172 archive_string_free(&acl_text); 1173 return (err); 1174 } 1175 1176 /* 1177 * Interpret 'K' long linkname header. 1178 */ 1179 static int 1180 header_gnu_longlink(struct archive_read *a, struct tar *tar, 1181 struct archive_entry *entry, const void *h, int64_t *unconsumed) 1182 { 1183 int err; 1184 1185 struct archive_string linkpath; 1186 archive_string_init(&linkpath); 1187 err = read_body_to_string(a, tar, &linkpath, h, unconsumed); 1188 if (err == ARCHIVE_OK) { 1189 archive_entry_set_link(entry, linkpath.s); 1190 } 1191 archive_string_free(&linkpath); 1192 return (err); 1193 } 1194 1195 static int 1196 set_conversion_failed_error(struct archive_read *a, 1197 struct archive_string_conv *sconv, const char *name) 1198 { 1199 if (errno == ENOMEM) { 1200 archive_set_error(&a->archive, ENOMEM, 1201 "Can't allocate memory for %s", name); 1202 return (ARCHIVE_FATAL); 1203 } 1204 archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, 1205 "%s can't be converted from %s to current locale", 1206 name, archive_string_conversion_charset_name(sconv)); 1207 return (ARCHIVE_WARN); 1208 } 1209 1210 /* 1211 * Interpret 'L' long filename header. 1212 */ 1213 static int 1214 header_gnu_longname(struct archive_read *a, struct tar *tar, 1215 struct archive_entry *entry, const void *h, int64_t *unconsumed) 1216 { 1217 int err; 1218 struct archive_string longname; 1219 1220 archive_string_init(&longname); 1221 err = read_body_to_string(a, tar, &longname, h, unconsumed); 1222 if (err == ARCHIVE_OK) { 1223 if (archive_entry_copy_pathname_l(entry, longname.s, 1224 archive_strlen(&longname), tar->sconv) != 0) 1225 err = set_conversion_failed_error(a, tar->sconv, "Pathname"); 1226 } 1227 archive_string_free(&longname); 1228 return (err); 1229 } 1230 1231 /* 1232 * Interpret 'V' GNU tar volume header. 1233 */ 1234 static int 1235 header_volume(struct archive_read *a, struct tar *tar, 1236 struct archive_entry *entry, const void *h, int64_t *unconsumed) 1237 { 1238 const struct archive_entry_header_ustar *header; 1239 int64_t size, to_consume; 1240 1241 (void)a; /* UNUSED */ 1242 (void)tar; /* UNUSED */ 1243 (void)entry; /* UNUSED */ 1244 1245 header = (const struct archive_entry_header_ustar *)h; 1246 size = tar_atol(header->size, sizeof(header->size)); 1247 if (size < 0 || size > (int64_t)pathname_limit) { 1248 return (ARCHIVE_FATAL); 1249 } 1250 to_consume = ((size + 511) & ~511); 1251 *unconsumed += to_consume; 1252 return (ARCHIVE_OK); 1253 } 1254 1255 /* 1256 * Read the next `size` bytes into the provided string. 1257 * Null-terminate the string. 1258 */ 1259 static int 1260 read_bytes_to_string(struct archive_read *a, 1261 struct archive_string *as, size_t size, 1262 int64_t *unconsumed) { 1263 const void *src; 1264 1265 /* Fail if we can't make our buffer big enough. */ 1266 if (archive_string_ensure(as, size + 1) == NULL) { 1267 archive_set_error(&a->archive, ENOMEM, 1268 "No memory"); 1269 return (ARCHIVE_FATAL); 1270 } 1271 1272 if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) { 1273 return (ARCHIVE_FATAL); 1274 } 1275 1276 /* Read the body into the string. */ 1277 src = __archive_read_ahead(a, size, NULL); 1278 if (src == NULL) { 1279 archive_set_error(&a->archive, EINVAL, 1280 "Truncated archive" 1281 " detected while reading metadata"); 1282 *unconsumed = 0; 1283 return (ARCHIVE_FATAL); 1284 } 1285 memcpy(as->s, src, size); 1286 as->s[size] = '\0'; 1287 as->length = size; 1288 *unconsumed += size; 1289 return (ARCHIVE_OK); 1290 } 1291 1292 /* 1293 * Read body of an archive entry into an archive_string object. 1294 */ 1295 static int 1296 read_body_to_string(struct archive_read *a, struct tar *tar, 1297 struct archive_string *as, const void *h, int64_t *unconsumed) 1298 { 1299 int64_t size; 1300 const struct archive_entry_header_ustar *header; 1301 int r; 1302 1303 (void)tar; /* UNUSED */ 1304 header = (const struct archive_entry_header_ustar *)h; 1305 size = tar_atol(header->size, sizeof(header->size)); 1306 if (size < 0 || size > entry_limit) { 1307 archive_set_error(&a->archive, EINVAL, 1308 "Special header has invalid size: %lld", 1309 (long long)size); 1310 return (ARCHIVE_FATAL); 1311 } 1312 if (size > (int64_t)pathname_limit) { 1313 archive_string_empty(as); 1314 int64_t to_consume = ((size + 511) & ~511); 1315 if (to_consume != __archive_read_consume(a, to_consume)) { 1316 return (ARCHIVE_FATAL); 1317 } 1318 archive_set_error(&a->archive, EINVAL, 1319 "Special header too large: %lld > 1MiB", 1320 (long long)size); 1321 return (ARCHIVE_WARN); 1322 } 1323 r = read_bytes_to_string(a, as, size, unconsumed); 1324 *unconsumed += 0x1ff & (-size); 1325 return(r); 1326 } 1327 1328 /* 1329 * Parse out common header elements. 1330 * 1331 * This would be the same as header_old_tar, except that the 1332 * filename is handled slightly differently for old and POSIX 1333 * entries (POSIX entries support a 'prefix'). This factoring 1334 * allows header_old_tar and header_ustar 1335 * to handle filenames differently, while still putting most of the 1336 * common parsing into one place. 1337 * 1338 * This is called _after_ ustar, GNU tar, Schily, etc, special 1339 * fields have already been parsed into the `tar` structure. 1340 * So we can make final decisions here about how to reconcile 1341 * size, mode, etc, information. 1342 */ 1343 static int 1344 header_common(struct archive_read *a, struct tar *tar, 1345 struct archive_entry *entry, const void *h) 1346 { 1347 const struct archive_entry_header_ustar *header; 1348 const char *existing_linkpath; 1349 const wchar_t *existing_wcs_linkpath; 1350 int err = ARCHIVE_OK; 1351 1352 header = (const struct archive_entry_header_ustar *)h; 1353 1354 /* Parse out the numeric fields (all are octal) */ 1355 1356 /* Split mode handling: Set filetype always, perm only if not already set */ 1357 archive_entry_set_filetype(entry, 1358 (mode_t)tar_atol(header->mode, sizeof(header->mode))); 1359 if (!archive_entry_perm_is_set(entry)) { 1360 archive_entry_set_perm(entry, 1361 (mode_t)tar_atol(header->mode, sizeof(header->mode))); 1362 } 1363 1364 /* Set uid, gid, mtime if not already set */ 1365 if (!archive_entry_uid_is_set(entry)) { 1366 archive_entry_set_uid(entry, tar_atol(header->uid, sizeof(header->uid))); 1367 } 1368 if (!archive_entry_gid_is_set(entry)) { 1369 archive_entry_set_gid(entry, tar_atol(header->gid, sizeof(header->gid))); 1370 } 1371 if (!archive_entry_mtime_is_set(entry)) { 1372 archive_entry_set_mtime(entry, tar_atol(header->mtime, sizeof(header->mtime)), 0); 1373 } 1374 1375 /* Reconcile the size info. */ 1376 /* First, how big is the file on disk? */ 1377 if ((tar->size_fields & TAR_SIZE_GNU_SPARSE_REALSIZE) != 0) { 1378 /* GNU sparse format 1.0 uses `GNU.sparse.realsize` 1379 * to hold the size of the file on disk. */ 1380 tar->disk_size = tar->GNU_sparse_realsize; 1381 } else if ((tar->size_fields & TAR_SIZE_GNU_SPARSE_SIZE) != 0 1382 && (tar->sparse_gnu_major == 0)) { 1383 /* GNU sparse format 0.0 and 0.1 use `GNU.sparse.size` 1384 * to hold the size of the file on disk. */ 1385 tar->disk_size = tar->GNU_sparse_size; 1386 } else if ((tar->size_fields & TAR_SIZE_SCHILY_SPARSE_REALSIZE) != 0) { 1387 tar->disk_size = tar->SCHILY_sparse_realsize; 1388 } else if ((tar->size_fields & TAR_SIZE_PAX_SIZE) != 0) { 1389 tar->disk_size = tar->pax_size; 1390 } else { 1391 /* There wasn't a suitable pax header, so use the ustar info */ 1392 tar->disk_size = tar_atol(header->size, sizeof(header->size)); 1393 } 1394 1395 if (tar->disk_size < 0) { 1396 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1397 "Tar entry has negative file size"); 1398 return (ARCHIVE_FATAL); 1399 } else if (tar->disk_size > entry_limit) { 1400 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1401 "Tar entry size overflow"); 1402 return (ARCHIVE_FATAL); 1403 } else { 1404 archive_entry_set_size(entry, tar->disk_size); 1405 } 1406 1407 /* Second, how big is the data in the archive? */ 1408 if ((tar->size_fields & TAR_SIZE_GNU_SPARSE_SIZE) != 0 1409 && (tar->sparse_gnu_major == 1)) { 1410 /* GNU sparse format 1.0 uses `GNU.sparse.size` 1411 * to hold the size of the data in the archive. */ 1412 tar->entry_bytes_remaining = tar->GNU_sparse_size; 1413 } else if ((tar->size_fields & TAR_SIZE_PAX_SIZE) != 0) { 1414 tar->entry_bytes_remaining = tar->pax_size; 1415 } else { 1416 tar->entry_bytes_remaining 1417 = tar_atol(header->size, sizeof(header->size)); 1418 } 1419 if (tar->entry_bytes_remaining < 0) { 1420 tar->entry_bytes_remaining = 0; 1421 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1422 "Tar entry has negative size"); 1423 return (ARCHIVE_FATAL); 1424 } else if (tar->entry_bytes_remaining > entry_limit) { 1425 tar->entry_bytes_remaining = 0; 1426 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1427 "Tar entry size overflow"); 1428 return (ARCHIVE_FATAL); 1429 } 1430 1431 /* Handle the tar type flag appropriately. */ 1432 tar->filetype = header->typeflag[0]; 1433 1434 /* 1435 * TODO: If the linkpath came from Pax extension header, then 1436 * we should obey the hdrcharset_utf8 flag when converting these. 1437 */ 1438 switch (tar->filetype) { 1439 case '1': /* Hard link */ 1440 archive_entry_set_link_to_hardlink(entry); 1441 existing_wcs_linkpath = archive_entry_hardlink_w(entry); 1442 existing_linkpath = archive_entry_hardlink(entry); 1443 if ((existing_linkpath == NULL || existing_linkpath[0] == '\0') 1444 && (existing_wcs_linkpath == NULL || existing_wcs_linkpath[0] == '\0')) { 1445 struct archive_string linkpath; 1446 archive_string_init(&linkpath); 1447 archive_strncpy(&linkpath, 1448 header->linkname, sizeof(header->linkname)); 1449 if (archive_entry_copy_hardlink_l(entry, linkpath.s, 1450 archive_strlen(&linkpath), tar->sconv) != 0) { 1451 err = set_conversion_failed_error(a, tar->sconv, 1452 "Linkname"); 1453 if (err == ARCHIVE_FATAL) { 1454 archive_string_free(&linkpath); 1455 return (err); 1456 } 1457 } 1458 archive_string_free(&linkpath); 1459 } 1460 /* 1461 * The following may seem odd, but: Technically, tar 1462 * does not store the file type for a "hard link" 1463 * entry, only the fact that it is a hard link. So, I 1464 * leave the type zero normally. But, pax interchange 1465 * format allows hard links to have data, which 1466 * implies that the underlying entry is a regular 1467 * file. 1468 */ 1469 if (archive_entry_size(entry) > 0) 1470 archive_entry_set_filetype(entry, AE_IFREG); 1471 1472 /* 1473 * A tricky point: Traditionally, tar readers have 1474 * ignored the size field when reading hardlink 1475 * entries, and some writers put non-zero sizes even 1476 * though the body is empty. POSIX blessed this 1477 * convention in the 1988 standard, but broke with 1478 * this tradition in 2001 by permitting hardlink 1479 * entries to store valid bodies in pax interchange 1480 * format, but not in ustar format. Since there is no 1481 * hard and fast way to distinguish pax interchange 1482 * from earlier archives (the 'x' and 'g' entries are 1483 * optional, after all), we need a heuristic. 1484 */ 1485 if (archive_entry_size(entry) == 0) { 1486 /* If the size is already zero, we're done. */ 1487 } else if (a->archive.archive_format 1488 == ARCHIVE_FORMAT_TAR_PAX_INTERCHANGE) { 1489 /* Definitely pax extended; must obey hardlink size. */ 1490 } else if (a->archive.archive_format == ARCHIVE_FORMAT_TAR 1491 || a->archive.archive_format == ARCHIVE_FORMAT_TAR_GNUTAR) 1492 { 1493 /* Old-style or GNU tar: we must ignore the size. */ 1494 archive_entry_set_size(entry, 0); 1495 tar->entry_bytes_remaining = 0; 1496 } else if (archive_read_format_tar_bid(a, 50) > 50) { 1497 /* 1498 * We don't know if it's pax: If the bid 1499 * function sees a valid ustar header 1500 * immediately following, then let's ignore 1501 * the hardlink size. 1502 */ 1503 archive_entry_set_size(entry, 0); 1504 tar->entry_bytes_remaining = 0; 1505 } 1506 /* 1507 * TODO: There are still two cases I'd like to handle: 1508 * = a ustar non-pax archive with a hardlink entry at 1509 * end-of-archive. (Look for block of nulls following?) 1510 * = a pax archive that has not seen any pax headers 1511 * and has an entry which is a hardlink entry storing 1512 * a body containing an uncompressed tar archive. 1513 * The first is worth addressing; I don't see any reliable 1514 * way to deal with the second possibility. 1515 */ 1516 break; 1517 case '2': /* Symlink */ 1518 archive_entry_set_link_to_symlink(entry); 1519 existing_wcs_linkpath = archive_entry_symlink_w(entry); 1520 existing_linkpath = archive_entry_symlink(entry); 1521 if ((existing_linkpath == NULL || existing_linkpath[0] == '\0') 1522 && (existing_wcs_linkpath == NULL || existing_wcs_linkpath[0] == '\0')) { 1523 struct archive_string linkpath; 1524 archive_string_init(&linkpath); 1525 archive_strncpy(&linkpath, 1526 header->linkname, sizeof(header->linkname)); 1527 if (archive_entry_copy_symlink_l(entry, linkpath.s, 1528 archive_strlen(&linkpath), tar->sconv) != 0) { 1529 err = set_conversion_failed_error(a, tar->sconv, 1530 "Linkname"); 1531 if (err == ARCHIVE_FATAL) { 1532 archive_string_free(&linkpath); 1533 return (err); 1534 } 1535 } 1536 archive_string_free(&linkpath); 1537 } 1538 archive_entry_set_filetype(entry, AE_IFLNK); 1539 archive_entry_set_size(entry, 0); 1540 tar->entry_bytes_remaining = 0; 1541 break; 1542 case '3': /* Character device */ 1543 archive_entry_set_filetype(entry, AE_IFCHR); 1544 archive_entry_set_size(entry, 0); 1545 tar->entry_bytes_remaining = 0; 1546 break; 1547 case '4': /* Block device */ 1548 archive_entry_set_filetype(entry, AE_IFBLK); 1549 archive_entry_set_size(entry, 0); 1550 tar->entry_bytes_remaining = 0; 1551 break; 1552 case '5': /* Dir */ 1553 archive_entry_set_filetype(entry, AE_IFDIR); 1554 archive_entry_set_size(entry, 0); 1555 tar->entry_bytes_remaining = 0; 1556 break; 1557 case '6': /* FIFO device */ 1558 archive_entry_set_filetype(entry, AE_IFIFO); 1559 archive_entry_set_size(entry, 0); 1560 tar->entry_bytes_remaining = 0; 1561 break; 1562 case 'D': /* GNU incremental directory type */ 1563 /* 1564 * No special handling is actually required here. 1565 * It might be nice someday to preprocess the file list and 1566 * provide it to the client, though. 1567 */ 1568 archive_entry_set_filetype(entry, AE_IFDIR); 1569 break; 1570 case 'M': /* GNU "Multi-volume" (remainder of file from last archive)*/ 1571 /* 1572 * As far as I can tell, this is just like a regular file 1573 * entry, except that the contents should be _appended_ to 1574 * the indicated file at the indicated offset. This may 1575 * require some API work to fully support. 1576 */ 1577 break; 1578 case 'N': /* Old GNU "long filename" entry. */ 1579 /* The body of this entry is a script for renaming 1580 * previously-extracted entries. Ugh. It will never 1581 * be supported by libarchive. */ 1582 archive_entry_set_filetype(entry, AE_IFREG); 1583 break; 1584 case 'S': /* GNU sparse files */ 1585 /* 1586 * Sparse files are really just regular files with 1587 * sparse information in the extended area. 1588 */ 1589 /* FALLTHROUGH */ 1590 case '0': /* ustar "regular" file */ 1591 /* FALLTHROUGH */ 1592 default: /* Non-standard file types */ 1593 /* 1594 * Per POSIX: non-recognized types should always be 1595 * treated as regular files. 1596 */ 1597 archive_entry_set_filetype(entry, AE_IFREG); 1598 break; 1599 } 1600 return (err); 1601 } 1602 1603 /* 1604 * Parse out header elements for "old-style" tar archives. 1605 */ 1606 static int 1607 header_old_tar(struct archive_read *a, struct tar *tar, 1608 struct archive_entry *entry, const void *h) 1609 { 1610 const struct archive_entry_header_ustar *header; 1611 int err = ARCHIVE_OK, err2; 1612 1613 /* 1614 * Copy filename over (to ensure null termination). 1615 * Skip if pathname was already set e.g. by header_gnu_longname() 1616 */ 1617 header = (const struct archive_entry_header_ustar *)h; 1618 1619 const char *existing_pathname = archive_entry_pathname(entry); 1620 const wchar_t *existing_wcs_pathname = archive_entry_pathname_w(entry); 1621 if ((existing_pathname == NULL || existing_pathname[0] == '\0') 1622 && (existing_wcs_pathname == NULL || existing_wcs_pathname[0] == '\0') && 1623 archive_entry_copy_pathname_l(entry, 1624 header->name, sizeof(header->name), tar->sconv) != 0) { 1625 err = set_conversion_failed_error(a, tar->sconv, "Pathname"); 1626 if (err == ARCHIVE_FATAL) 1627 return (err); 1628 } 1629 1630 /* Grab rest of common fields */ 1631 err2 = header_common(a, tar, entry, h); 1632 if (err > err2) 1633 err = err2; 1634 1635 tar->entry_padding = 0x1ff & (-tar->entry_bytes_remaining); 1636 return (err); 1637 } 1638 1639 /* 1640 * Is this likely an AppleDouble extension? 1641 */ 1642 static int 1643 is_mac_metadata_entry(struct archive_entry *entry) { 1644 const char *p, *name; 1645 const wchar_t *wp, *wname; 1646 1647 wname = wp = archive_entry_pathname_w(entry); 1648 if (wp != NULL) { 1649 /* Find the last path element. */ 1650 for (; *wp != L'\0'; ++wp) { 1651 if (wp[0] == '/' && wp[1] != L'\0') 1652 wname = wp + 1; 1653 } 1654 /* 1655 * If last path element starts with "._", then 1656 * this is a Mac extension. 1657 */ 1658 if (wname[0] == L'.' && wname[1] == L'_' && wname[2] != L'\0') 1659 return 1; 1660 } else { 1661 /* Find the last path element. */ 1662 name = p = archive_entry_pathname(entry); 1663 if (p == NULL) 1664 return (ARCHIVE_FAILED); 1665 for (; *p != '\0'; ++p) { 1666 if (p[0] == '/' && p[1] != '\0') 1667 name = p + 1; 1668 } 1669 /* 1670 * If last path element starts with "._", then 1671 * this is a Mac extension. 1672 */ 1673 if (name[0] == '.' && name[1] == '_' && name[2] != '\0') 1674 return 1; 1675 } 1676 /* Not a mac extension */ 1677 return 0; 1678 } 1679 1680 /* 1681 * Read a Mac AppleDouble-encoded blob of file metadata, 1682 * if there is one. 1683 * 1684 * TODO: In Libarchive 4, we should consider ripping this 1685 * out -- instead, return a file starting with `._` as 1686 * a regular file and let the client (or archive_write logic) 1687 * handle it. 1688 */ 1689 static int 1690 read_mac_metadata_blob(struct archive_read *a, 1691 struct archive_entry *entry, int64_t *unconsumed) 1692 { 1693 int64_t size; 1694 size_t msize; 1695 const void *data; 1696 1697 /* Read the body as a Mac OS metadata blob. */ 1698 size = archive_entry_size(entry); 1699 msize = (size_t)size; 1700 if (size < 0 || (uintmax_t)msize != (uintmax_t)size) { 1701 *unconsumed = 0; 1702 return (ARCHIVE_FATAL); 1703 } 1704 1705 /* TODO: Should this merely skip the overlarge entry and 1706 * WARN? Or is xattr_limit sufficiently large that we can 1707 * safely assume anything larger is malicious? */ 1708 if (size > (int64_t)xattr_limit) { 1709 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1710 "Oversized AppleDouble extension has size %llu > %llu", 1711 (unsigned long long)size, 1712 (unsigned long long)xattr_limit); 1713 return (ARCHIVE_FATAL); 1714 } 1715 1716 /* 1717 * TODO: Look beyond the body here to peek at the next header. 1718 * If it's a regular header (not an extension header) 1719 * that has the wrong name, just return the current 1720 * entry as-is, without consuming the body here. 1721 * That would reduce the risk of us mis-identifying 1722 * an ordinary file that just happened to have 1723 * a name starting with "._". 1724 * 1725 * Q: Is the above idea really possible? Even 1726 * when there are GNU or pax extension entries? 1727 */ 1728 if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) { 1729 return (ARCHIVE_FATAL); 1730 } 1731 data = __archive_read_ahead(a, msize, NULL); 1732 if (data == NULL) { 1733 archive_set_error(&a->archive, EINVAL, 1734 "Truncated archive" 1735 " detected while reading macOS metadata"); 1736 *unconsumed = 0; 1737 return (ARCHIVE_FATAL); 1738 } 1739 archive_entry_clear(entry); 1740 archive_entry_copy_mac_metadata(entry, data, msize); 1741 *unconsumed = (msize + 511) & ~ 511; 1742 return (ARCHIVE_OK); 1743 } 1744 1745 /* 1746 * Parse a file header for a pax extended archive entry. 1747 */ 1748 static int 1749 header_pax_global(struct archive_read *a, struct tar *tar, 1750 struct archive_entry *entry, const void *h, int64_t *unconsumed) 1751 { 1752 const struct archive_entry_header_ustar *header; 1753 int64_t size, to_consume; 1754 1755 (void)a; /* UNUSED */ 1756 (void)tar; /* UNUSED */ 1757 (void)entry; /* UNUSED */ 1758 1759 header = (const struct archive_entry_header_ustar *)h; 1760 size = tar_atol(header->size, sizeof(header->size)); 1761 if (size < 0 || size > entry_limit) { 1762 archive_set_error(&a->archive, EINVAL, 1763 "Special header has invalid size: %lld", 1764 (long long)size); 1765 return (ARCHIVE_FATAL); 1766 } 1767 to_consume = ((size + 511) & ~511); 1768 *unconsumed += to_consume; 1769 return (ARCHIVE_OK); 1770 } 1771 1772 /* 1773 * Parse a file header for a Posix "ustar" archive entry. This also 1774 * handles "pax" or "extended ustar" entries. 1775 * 1776 * In order to correctly handle pax attributes (which precede this), 1777 * we have to skip parsing any field for which the entry already has 1778 * contents. 1779 */ 1780 static int 1781 header_ustar(struct archive_read *a, struct tar *tar, 1782 struct archive_entry *entry, const void *h) 1783 { 1784 const struct archive_entry_header_ustar *header; 1785 struct archive_string as; 1786 int err = ARCHIVE_OK, r; 1787 1788 header = (const struct archive_entry_header_ustar *)h; 1789 1790 /* Copy name into an internal buffer to ensure null-termination. */ 1791 const char *existing_pathname = archive_entry_pathname(entry); 1792 const wchar_t *existing_wcs_pathname = archive_entry_pathname_w(entry); 1793 if ((existing_pathname == NULL || existing_pathname[0] == '\0') 1794 && (existing_wcs_pathname == NULL || existing_wcs_pathname[0] == '\0')) { 1795 archive_string_init(&as); 1796 if (header->prefix[0]) { 1797 archive_strncpy(&as, header->prefix, sizeof(header->prefix)); 1798 if (as.s[archive_strlen(&as) - 1] != '/') 1799 archive_strappend_char(&as, '/'); 1800 archive_strncat(&as, header->name, sizeof(header->name)); 1801 } else { 1802 archive_strncpy(&as, header->name, sizeof(header->name)); 1803 } 1804 if (archive_entry_copy_pathname_l(entry, as.s, archive_strlen(&as), 1805 tar->sconv) != 0) { 1806 err = set_conversion_failed_error(a, tar->sconv, "Pathname"); 1807 if (err == ARCHIVE_FATAL) 1808 return (err); 1809 } 1810 archive_string_free(&as); 1811 } 1812 1813 /* Handle rest of common fields. */ 1814 r = header_common(a, tar, entry, h); 1815 if (r == ARCHIVE_FATAL) 1816 return (r); 1817 if (r < err) 1818 err = r; 1819 1820 /* Handle POSIX ustar fields. */ 1821 const char *existing_uname = archive_entry_uname(entry); 1822 if (existing_uname == NULL || existing_uname[0] == '\0') { 1823 if (archive_entry_copy_uname_l(entry, 1824 header->uname, sizeof(header->uname), tar->sconv) != 0) { 1825 err = set_conversion_failed_error(a, tar->sconv, "Uname"); 1826 if (err == ARCHIVE_FATAL) 1827 return (err); 1828 } 1829 } 1830 1831 const char *existing_gname = archive_entry_gname(entry); 1832 if (existing_gname == NULL || existing_gname[0] == '\0') { 1833 if (archive_entry_copy_gname_l(entry, 1834 header->gname, sizeof(header->gname), tar->sconv) != 0) { 1835 err = set_conversion_failed_error(a, tar->sconv, "Gname"); 1836 if (err == ARCHIVE_FATAL) 1837 return (err); 1838 } 1839 } 1840 1841 /* Parse out device numbers only for char and block specials. */ 1842 if (header->typeflag[0] == '3' || header->typeflag[0] == '4') { 1843 if (!archive_entry_rdev_is_set(entry)) { 1844 archive_entry_set_rdevmajor(entry, (dev_t) 1845 tar_atol(header->rdevmajor, sizeof(header->rdevmajor))); 1846 archive_entry_set_rdevminor(entry, (dev_t) 1847 tar_atol(header->rdevminor, sizeof(header->rdevminor))); 1848 } 1849 } else { 1850 archive_entry_set_rdev(entry, 0); 1851 } 1852 1853 tar->entry_padding = 0x1ff & (-tar->entry_bytes_remaining); 1854 1855 return (err); 1856 } 1857 1858 static int 1859 header_pax_extension(struct archive_read *a, struct tar *tar, 1860 struct archive_entry *entry, const void *h, int64_t *unconsumed) 1861 { 1862 /* Sanity checks: The largest `x` body I've ever heard of was 1863 * a little over 4MB. So I doubt there has ever been a 1864 * well-formed archive with an `x` body over 1GiB. Similarly, 1865 * it seems plausible that no single attribute has ever been 1866 * larger than 100MB. So if we see a larger value here, it's 1867 * almost certainly a sign of a corrupted/malicious archive. */ 1868 1869 /* Maximum sane size for extension body: 1 GiB */ 1870 /* This cannot be raised to larger than 8GiB without 1871 * exceeding the maximum size for a standard ustar 1872 * entry. */ 1873 const int64_t ext_size_limit = 1024 * 1024 * (int64_t)1024; 1874 /* Maximum size for a single line/attr: 100 million characters */ 1875 /* This cannot be raised to more than 2GiB without exceeding 1876 * a `size_t` on 32-bit platforms. */ 1877 const size_t max_parsed_line_length = 99999999ULL; 1878 /* Largest attribute prolog: size + name. */ 1879 const size_t max_size_name = 512; 1880 1881 /* Size and padding of the full extension body */ 1882 int64_t ext_size, ext_padding; 1883 size_t line_length, value_length, name_length; 1884 ssize_t to_read, did_read; 1885 const struct archive_entry_header_ustar *header; 1886 const char *p, *attr_start, *name_start; 1887 struct archive_string_conv *sconv; 1888 struct archive_string *pas = NULL; 1889 struct archive_string attr_name; 1890 int err = ARCHIVE_OK, r; 1891 1892 header = (const struct archive_entry_header_ustar *)h; 1893 ext_size = tar_atol(header->size, sizeof(header->size)); 1894 if (ext_size > entry_limit) { 1895 return (ARCHIVE_FATAL); 1896 } 1897 if (ext_size < 0) { 1898 archive_set_error(&a->archive, EINVAL, 1899 "pax extension header has invalid size: %lld", 1900 (long long)ext_size); 1901 return (ARCHIVE_FATAL); 1902 } 1903 1904 ext_padding = 0x1ff & (-ext_size); 1905 if (ext_size > ext_size_limit) { 1906 /* Consume the pax extension body and return an error */ 1907 if (ext_size + ext_padding != __archive_read_consume(a, ext_size + ext_padding)) { 1908 return (ARCHIVE_FATAL); 1909 } 1910 archive_set_error(&a->archive, EINVAL, 1911 "Ignoring oversized pax extensions: %lld > %lld", 1912 (long long)ext_size, (long long)ext_size_limit); 1913 return (ARCHIVE_WARN); 1914 } 1915 if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) { 1916 return (ARCHIVE_FATAL); 1917 } 1918 1919 /* Parse the size/name of each pax attribute in the body */ 1920 archive_string_init(&attr_name); 1921 while (ext_size > 0) { 1922 /* Read enough bytes to parse the size/name of the next attribute */ 1923 to_read = max_size_name; 1924 if (to_read > ext_size) { 1925 to_read = ext_size; 1926 } 1927 p = __archive_read_ahead(a, to_read, &did_read); 1928 if (p == NULL) { /* EOF */ 1929 archive_set_error(&a->archive, EINVAL, 1930 "Truncated tar archive" 1931 " detected while reading pax attribute name"); 1932 return (ARCHIVE_FATAL); 1933 } 1934 if (did_read > ext_size) { 1935 did_read = ext_size; 1936 } 1937 1938 /* Parse size of attribute */ 1939 line_length = 0; 1940 attr_start = p; 1941 while (1) { 1942 if (p >= attr_start + did_read) { 1943 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1944 "Ignoring malformed pax attributes: overlarge attribute size field"); 1945 *unconsumed += ext_size + ext_padding; 1946 return (ARCHIVE_WARN); 1947 } 1948 if (*p == ' ') { 1949 p++; 1950 break; 1951 } 1952 if (*p < '0' || *p > '9') { 1953 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1954 "Ignoring malformed pax attributes: malformed attribute size field"); 1955 *unconsumed += ext_size + ext_padding; 1956 return (ARCHIVE_WARN); 1957 } 1958 line_length *= 10; 1959 line_length += *p - '0'; 1960 if (line_length > max_parsed_line_length) { 1961 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1962 "Ignoring malformed pax attribute: size > %lld", 1963 (long long)max_parsed_line_length); 1964 *unconsumed += ext_size + ext_padding; 1965 return (ARCHIVE_WARN); 1966 } 1967 p++; 1968 } 1969 1970 if ((int64_t)line_length > ext_size) { 1971 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1972 "Ignoring malformed pax attribute: %lld > %lld", 1973 (long long)line_length, (long long)ext_size); 1974 *unconsumed += ext_size + ext_padding; 1975 return (ARCHIVE_WARN); 1976 } 1977 1978 /* Parse name of attribute */ 1979 if (p >= attr_start + did_read 1980 || p >= attr_start + line_length 1981 || *p == '=') { 1982 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1983 "Ignoring malformed pax attributes: empty name found"); 1984 *unconsumed += ext_size + ext_padding; 1985 return (ARCHIVE_WARN); 1986 } 1987 name_start = p; 1988 while (1) { 1989 if (p >= attr_start + did_read || p >= attr_start + line_length) { 1990 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 1991 "Ignoring malformed pax attributes: overlarge attribute name"); 1992 *unconsumed += ext_size + ext_padding; 1993 return (ARCHIVE_WARN); 1994 } 1995 if (*p == '=') { 1996 break; 1997 } 1998 p++; 1999 } 2000 name_length = p - name_start; 2001 p++; // Skip '=' 2002 2003 // Save the name before we consume it 2004 archive_strncpy(&attr_name, name_start, name_length); 2005 2006 ext_size -= p - attr_start; 2007 value_length = line_length - (p - attr_start); 2008 2009 /* Consume size, name, and `=` */ 2010 *unconsumed += p - attr_start; 2011 if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) { 2012 return (ARCHIVE_FATAL); 2013 } 2014 2015 if (value_length == 0) { 2016 archive_set_error(&a->archive, EINVAL, 2017 "Malformed pax attributes"); 2018 *unconsumed += ext_size + ext_padding; 2019 return (ARCHIVE_WARN); 2020 } 2021 2022 /* pax_attribute will consume value_length - 1 */ 2023 r = pax_attribute(a, tar, entry, attr_name.s, archive_strlen(&attr_name), value_length - 1, unconsumed); 2024 ext_size -= value_length - 1; 2025 2026 // Release the allocated attr_name (either here or before every return in this function) 2027 archive_string_free(&attr_name); 2028 2029 if (r < ARCHIVE_WARN) { 2030 *unconsumed += ext_size + ext_padding; 2031 return (r); 2032 } 2033 err = err_combine(err, r); 2034 2035 /* Consume the `\n` that follows the pax attribute value. */ 2036 if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) { 2037 return (ARCHIVE_FATAL); 2038 } 2039 p = __archive_read_ahead(a, 1, &did_read); 2040 if (p == NULL) { 2041 archive_set_error(&a->archive, EINVAL, 2042 "Truncated tar archive" 2043 " detected while completing pax attribute"); 2044 return (ARCHIVE_FATAL); 2045 } 2046 if (p[0] != '\n') { 2047 archive_set_error(&a->archive, EINVAL, 2048 "Malformed pax attributes"); 2049 *unconsumed += ext_size + ext_padding; 2050 return (ARCHIVE_WARN); 2051 } 2052 ext_size -= 1; 2053 *unconsumed += 1; 2054 if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) { 2055 return (ARCHIVE_FATAL); 2056 } 2057 } 2058 *unconsumed += ext_size + ext_padding; 2059 2060 /* 2061 * Some PAX values -- pathname, linkpath, uname, gname -- 2062 * can't be copied into the entry until we know the character 2063 * set to use: 2064 */ 2065 if (!tar->pax_hdrcharset_utf8) 2066 /* PAX specified "BINARY", so use the default charset */ 2067 sconv = tar->opt_sconv; 2068 else { 2069 /* PAX default UTF-8 */ 2070 sconv = archive_string_conversion_from_charset( 2071 &(a->archive), "UTF-8", 1); 2072 if (sconv == NULL) 2073 return (ARCHIVE_FATAL); 2074 if (tar->compat_2x) 2075 archive_string_conversion_set_opt(sconv, 2076 SCONV_SET_OPT_UTF8_LIBARCHIVE2X); 2077 } 2078 2079 /* Pathname */ 2080 pas = NULL; 2081 if (archive_strlen(&(tar->entry_pathname_override)) > 0) { 2082 /* Prefer GNU.sparse.name attribute if present */ 2083 /* GNU sparse files store a fake name under the standard 2084 * "pathname" key. */ 2085 pas = &(tar->entry_pathname_override); 2086 } else if (archive_strlen(&(tar->entry_pathname)) > 0) { 2087 /* Use standard "pathname" PAX extension */ 2088 pas = &(tar->entry_pathname); 2089 } 2090 if (pas != NULL) { 2091 if (archive_entry_copy_pathname_l(entry, pas->s, 2092 archive_strlen(pas), sconv) != 0) { 2093 err = set_conversion_failed_error(a, sconv, "Pathname"); 2094 if (err == ARCHIVE_FATAL) 2095 return (err); 2096 /* Use raw name without conversion */ 2097 archive_entry_copy_pathname(entry, pas->s); 2098 } 2099 } 2100 /* Uname */ 2101 if (archive_strlen(&(tar->entry_uname)) > 0) { 2102 if (archive_entry_copy_uname_l(entry, tar->entry_uname.s, 2103 archive_strlen(&(tar->entry_uname)), sconv) != 0) { 2104 err = set_conversion_failed_error(a, sconv, "Uname"); 2105 if (err == ARCHIVE_FATAL) 2106 return (err); 2107 /* Use raw name without conversion */ 2108 archive_entry_copy_uname(entry, tar->entry_uname.s); 2109 } 2110 } 2111 /* Gname */ 2112 if (archive_strlen(&(tar->entry_gname)) > 0) { 2113 if (archive_entry_copy_gname_l(entry, tar->entry_gname.s, 2114 archive_strlen(&(tar->entry_gname)), sconv) != 0) { 2115 err = set_conversion_failed_error(a, sconv, "Gname"); 2116 if (err == ARCHIVE_FATAL) 2117 return (err); 2118 /* Use raw name without conversion */ 2119 archive_entry_copy_gname(entry, tar->entry_gname.s); 2120 } 2121 } 2122 /* Linkpath */ 2123 if (archive_strlen(&(tar->entry_linkpath)) > 0) { 2124 if (archive_entry_copy_link_l(entry, tar->entry_linkpath.s, 2125 archive_strlen(&(tar->entry_linkpath)), sconv) != 0) { 2126 err = set_conversion_failed_error(a, sconv, "Linkpath"); 2127 if (err == ARCHIVE_FATAL) 2128 return (err); 2129 /* Use raw name without conversion */ 2130 archive_entry_copy_link(entry, tar->entry_linkpath.s); 2131 } 2132 } 2133 2134 /* Extension may have given us a corrected `entry_bytes_remaining` for 2135 * the main entry; update the padding appropriately. */ 2136 tar->entry_padding = 0x1ff & (-tar->entry_bytes_remaining); 2137 return (err); 2138 } 2139 2140 static int 2141 pax_attribute_LIBARCHIVE_xattr(struct archive_entry *entry, 2142 const char *name, size_t name_length, const char *value, size_t value_length) 2143 { 2144 char *name_decoded; 2145 void *value_decoded; 2146 size_t value_len; 2147 2148 if (name_length < 1) 2149 return 3; 2150 2151 /* URL-decode name */ 2152 name_decoded = url_decode(name, name_length); 2153 if (name_decoded == NULL) 2154 return 2; 2155 2156 /* Base-64 decode value */ 2157 value_decoded = base64_decode(value, value_length, &value_len); 2158 if (value_decoded == NULL) { 2159 free(name_decoded); 2160 return 1; 2161 } 2162 2163 archive_entry_xattr_add_entry(entry, name_decoded, 2164 value_decoded, value_len); 2165 2166 free(name_decoded); 2167 free(value_decoded); 2168 return 0; 2169 } 2170 2171 static int 2172 pax_attribute_SCHILY_xattr(struct archive_entry *entry, 2173 const char *name, size_t name_length, const char *value, size_t value_length) 2174 { 2175 if (name_length < 1 || name_length > 128) { 2176 return 1; 2177 } 2178 2179 char * null_terminated_name = malloc(name_length + 1); 2180 if (null_terminated_name != NULL) { 2181 memcpy(null_terminated_name, name, name_length); 2182 null_terminated_name[name_length] = '\0'; 2183 archive_entry_xattr_add_entry(entry, null_terminated_name, value, value_length); 2184 free(null_terminated_name); 2185 } 2186 2187 return 0; 2188 } 2189 2190 static int 2191 pax_attribute_RHT_security_selinux(struct archive_entry *entry, 2192 const char *value, size_t value_length) 2193 { 2194 archive_entry_xattr_add_entry(entry, "security.selinux", 2195 value, value_length); 2196 2197 return 0; 2198 } 2199 2200 static int 2201 pax_attribute_SCHILY_acl(struct archive_read *a, struct tar *tar, 2202 struct archive_entry *entry, size_t value_length, int type) 2203 { 2204 int r; 2205 const char *p; 2206 const char* errstr; 2207 2208 switch (type) { 2209 case ARCHIVE_ENTRY_ACL_TYPE_ACCESS: 2210 errstr = "SCHILY.acl.access"; 2211 break; 2212 case ARCHIVE_ENTRY_ACL_TYPE_DEFAULT: 2213 errstr = "SCHILY.acl.default"; 2214 break; 2215 case ARCHIVE_ENTRY_ACL_TYPE_NFS4: 2216 errstr = "SCHILY.acl.ace"; 2217 break; 2218 default: 2219 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 2220 "Unknown ACL type: %d", type); 2221 return(ARCHIVE_FATAL); 2222 } 2223 2224 if (tar->sconv_acl == NULL) { 2225 tar->sconv_acl = 2226 archive_string_conversion_from_charset( 2227 &(a->archive), "UTF-8", 1); 2228 if (tar->sconv_acl == NULL) 2229 return (ARCHIVE_FATAL); 2230 } 2231 2232 if (value_length > acl_limit) { 2233 __archive_read_consume(a, value_length); 2234 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 2235 "Unreasonably large ACL: %llu > %llu", 2236 (unsigned long long)value_length, 2237 (unsigned long long)acl_limit); 2238 return (ARCHIVE_WARN); 2239 } 2240 2241 p = __archive_read_ahead(a, value_length, NULL); 2242 if (p == NULL) { 2243 archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, 2244 "Truncated tar archive " 2245 "detected while reading ACL data"); 2246 return (ARCHIVE_FATAL); 2247 } 2248 2249 r = archive_acl_from_text_nl(archive_entry_acl(entry), p, value_length, 2250 type, tar->sconv_acl); 2251 __archive_read_consume(a, value_length); 2252 /* Workaround: Force perm_is_set() to be correct */ 2253 /* If this bit were stored in the ACL, this wouldn't be needed */ 2254 archive_entry_set_perm(entry, archive_entry_perm(entry)); 2255 if (r != ARCHIVE_OK) { 2256 if (r == ARCHIVE_FATAL) { 2257 archive_set_error(&a->archive, ENOMEM, 2258 "%s %s", "Can't allocate memory for", 2259 errstr); 2260 return (r); 2261 } 2262 archive_set_error(&a->archive, 2263 ARCHIVE_ERRNO_MISC, "%s %s", "Parse error:", errstr); 2264 } 2265 return (r); 2266 } 2267 2268 static int 2269 pax_attribute_read_time(struct archive_read *a, size_t value_length, int64_t *ps, long *pn, int64_t *unconsumed) { 2270 struct archive_string as; 2271 int r; 2272 2273 if (value_length > 128) { 2274 __archive_read_consume(a, value_length); 2275 *ps = 0; 2276 *pn = 0; 2277 return (ARCHIVE_FATAL); 2278 } 2279 2280 archive_string_init(&as); 2281 r = read_bytes_to_string(a, &as, value_length, unconsumed); 2282 if (r < ARCHIVE_OK) { 2283 archive_string_free(&as); 2284 *ps = 0; 2285 *pn = 0; 2286 return (r); 2287 } 2288 2289 pax_time(as.s, archive_strlen(&as), ps, pn); 2290 archive_string_free(&as); 2291 if (*ps == INT64_MIN) { 2292 *ps = 0; 2293 *pn = 0; 2294 return (ARCHIVE_WARN); 2295 } 2296 return (ARCHIVE_OK); 2297 } 2298 2299 static int 2300 pax_attribute_read_number(struct archive_read *a, size_t value_length, int64_t *result) { 2301 struct archive_string as; 2302 int64_t unconsumed = 0; 2303 int r; 2304 2305 if (value_length > 64) { 2306 __archive_read_consume(a, value_length); 2307 *result = 0; 2308 return (ARCHIVE_FATAL); 2309 } 2310 2311 archive_string_init(&as); 2312 r = read_bytes_to_string(a, &as, value_length, &unconsumed); 2313 if (tar_flush_unconsumed(a, &unconsumed) != ARCHIVE_OK) { 2314 *result = 0; 2315 return (ARCHIVE_FATAL); 2316 } 2317 if (r < ARCHIVE_OK) { 2318 archive_string_free(&as); 2319 *result = 0; 2320 return (r); 2321 } 2322 2323 *result = tar_atol10(as.s, archive_strlen(&as)); 2324 archive_string_free(&as); 2325 if (*result < 0 || *result == INT64_MAX) { 2326 *result = INT64_MAX; 2327 return (ARCHIVE_WARN); 2328 } 2329 return (ARCHIVE_OK); 2330 } 2331 2332 /* 2333 * Parse a single key=value attribute. 2334 * 2335 * POSIX reserves all-lowercase keywords. Vendor-specific extensions 2336 * should always have keywords of the form "VENDOR.attribute" In 2337 * particular, it's quite feasible to support many different vendor 2338 * extensions here. I'm using "LIBARCHIVE" for extensions unique to 2339 * this library. 2340 * 2341 * TODO: Investigate other vendor-specific extensions and see if 2342 * any of them look useful. 2343 */ 2344 static int 2345 pax_attribute(struct archive_read *a, struct tar *tar, struct archive_entry *entry, 2346 const char *key, size_t key_length, size_t value_length, int64_t *unconsumed) 2347 { 2348 int64_t t; 2349 long n; 2350 const char *p; 2351 ssize_t bytes_read; 2352 int err = ARCHIVE_OK; 2353 2354 switch (key[0]) { 2355 case 'G': 2356 /* GNU.* extensions */ 2357 if (key_length > 4 && memcmp(key, "GNU.", 4) == 0) { 2358 key += 4; 2359 key_length -= 4; 2360 2361 /* GNU.sparse marks the existence of GNU sparse information */ 2362 if (key_length == 6 && memcmp(key, "sparse", 6) == 0) { 2363 tar->sparse_gnu_attributes_seen = 1; 2364 } 2365 2366 /* GNU.sparse.* extensions */ 2367 else if (key_length > 7 && memcmp(key, "sparse.", 7) == 0) { 2368 tar->sparse_gnu_attributes_seen = 1; 2369 key += 7; 2370 key_length -= 7; 2371 2372 /* GNU "0.0" sparse pax format. */ 2373 if (key_length == 9 && memcmp(key, "numblocks", 9) == 0) { 2374 /* GNU.sparse.numblocks */ 2375 tar->sparse_offset = -1; 2376 tar->sparse_numbytes = -1; 2377 tar->sparse_gnu_major = 0; 2378 tar->sparse_gnu_minor = 0; 2379 } 2380 else if (key_length == 6 && memcmp(key, "offset", 6) == 0) { 2381 /* GNU.sparse.offset */ 2382 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK) { 2383 tar->sparse_offset = t; 2384 if (tar->sparse_numbytes != -1) { 2385 if (gnu_add_sparse_entry(a, tar, 2386 tar->sparse_offset, tar->sparse_numbytes) 2387 != ARCHIVE_OK) 2388 return (ARCHIVE_FATAL); 2389 tar->sparse_offset = -1; 2390 tar->sparse_numbytes = -1; 2391 } 2392 } 2393 return (err); 2394 } 2395 else if (key_length == 8 && memcmp(key, "numbytes", 8) == 0) { 2396 /* GNU.sparse.numbytes */ 2397 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK) { 2398 tar->sparse_numbytes = t; 2399 if (tar->sparse_offset != -1) { 2400 if (gnu_add_sparse_entry(a, tar, 2401 tar->sparse_offset, tar->sparse_numbytes) 2402 != ARCHIVE_OK) 2403 return (ARCHIVE_FATAL); 2404 tar->sparse_offset = -1; 2405 tar->sparse_numbytes = -1; 2406 } 2407 } 2408 return (err); 2409 } 2410 else if (key_length == 4 && memcmp(key, "size", 4) == 0) { 2411 /* GNU.sparse.size */ 2412 /* This is either the size of stored entry OR the size of data on disk, 2413 * depending on which GNU sparse format version is in use. 2414 * Since pax attributes can be in any order, we may not actually 2415 * know at this point how to interpret this. */ 2416 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK) { 2417 tar->GNU_sparse_size = t; 2418 tar->size_fields |= TAR_SIZE_GNU_SPARSE_SIZE; 2419 } 2420 return (err); 2421 } 2422 2423 /* GNU "0.1" sparse pax format. */ 2424 else if (key_length == 3 && memcmp(key, "map", 3) == 0) { 2425 /* GNU.sparse.map */ 2426 tar->sparse_gnu_major = 0; 2427 tar->sparse_gnu_minor = 1; 2428 if (value_length > sparse_map_limit) { 2429 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 2430 "Unreasonably large sparse map: %llu > %llu", 2431 (unsigned long long)value_length, 2432 (unsigned long long)sparse_map_limit); 2433 err = ARCHIVE_FAILED; 2434 } else { 2435 p = __archive_read_ahead(a, value_length, &bytes_read); 2436 if (p == NULL) { 2437 archive_set_error(&a->archive, EINVAL, 2438 "Truncated archive" 2439 " detected while reading GNU sparse data"); 2440 return (ARCHIVE_FATAL); 2441 } 2442 if (gnu_sparse_01_parse(a, tar, p, value_length) != ARCHIVE_OK) { 2443 err = ARCHIVE_WARN; 2444 } 2445 } 2446 __archive_read_consume(a, value_length); 2447 return (err); 2448 } 2449 2450 /* GNU "1.0" sparse pax format */ 2451 else if (key_length == 5 && memcmp(key, "major", 5) == 0) { 2452 /* GNU.sparse.major */ 2453 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK 2454 && t >= 0 2455 && t <= 10) { 2456 tar->sparse_gnu_major = (int)t; 2457 } 2458 return (err); 2459 } 2460 else if (key_length == 5 && memcmp(key, "minor", 5) == 0) { 2461 /* GNU.sparse.minor */ 2462 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK 2463 && t >= 0 2464 && t <= 10) { 2465 tar->sparse_gnu_minor = (int)t; 2466 } 2467 return (err); 2468 } 2469 else if (key_length == 4 && memcmp(key, "name", 4) == 0) { 2470 /* GNU.sparse.name */ 2471 /* 2472 * The real filename; when storing sparse 2473 * files, GNU tar puts a synthesized name into 2474 * the regular 'path' attribute in an attempt 2475 * to limit confusion. ;-) 2476 */ 2477 if (value_length > pathname_limit) { 2478 *unconsumed += value_length; 2479 err = ARCHIVE_WARN; 2480 } else { 2481 err = read_bytes_to_string(a, &(tar->entry_pathname_override), 2482 value_length, unconsumed); 2483 } 2484 return (err); 2485 } 2486 else if (key_length == 8 && memcmp(key, "realsize", 8) == 0) { 2487 /* GNU.sparse.realsize = size of file on disk */ 2488 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK) { 2489 tar->GNU_sparse_realsize = t; 2490 tar->size_fields |= TAR_SIZE_GNU_SPARSE_REALSIZE; 2491 } 2492 return (err); 2493 } 2494 } 2495 } 2496 break; 2497 case 'L': 2498 /* LIBARCHIVE extensions */ 2499 if (key_length > 11 && memcmp(key, "LIBARCHIVE.", 11) == 0) { 2500 key_length -= 11; 2501 key += 11; 2502 2503 /* TODO: Handle arbitrary extended attributes... */ 2504 /* 2505 if (strcmp(key, "LIBARCHIVE.xxxxxxx") == 0) 2506 archive_entry_set_xxxxxx(entry, value); 2507 */ 2508 if (key_length == 12 && memcmp(key, "creationtime", 12) == 0) { 2509 /* LIBARCHIVE.creationtime */ 2510 if ((err = pax_attribute_read_time(a, value_length, &t, &n, unconsumed)) == ARCHIVE_OK) { 2511 archive_entry_set_birthtime(entry, t, n); 2512 } 2513 return (err); 2514 } 2515 else if (key_length == 11 && memcmp(key, "symlinktype", 11) == 0) { 2516 /* LIBARCHIVE.symlinktype */ 2517 if (value_length < 16) { 2518 p = __archive_read_ahead(a, value_length, &bytes_read); 2519 if (p == NULL) { 2520 archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, 2521 "Truncated tar archive " 2522 "detected while reading `symlinktype` attribute"); 2523 return (ARCHIVE_FATAL); 2524 } 2525 if (value_length == 4 && memcmp(p, "file", 4) == 0) { 2526 archive_entry_set_symlink_type(entry, 2527 AE_SYMLINK_TYPE_FILE); 2528 } else if (value_length == 3 && memcmp(p, "dir", 3) == 0) { 2529 archive_entry_set_symlink_type(entry, 2530 AE_SYMLINK_TYPE_DIRECTORY); 2531 } else { 2532 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 2533 "Unrecognized symlink type"); 2534 err = ARCHIVE_WARN; 2535 } 2536 } else { 2537 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 2538 "symlink type is very long" 2539 "(longest recognized value is 4 bytes, this is %llu)", 2540 (unsigned long long)value_length); 2541 err = ARCHIVE_WARN; 2542 } 2543 __archive_read_consume(a, value_length); 2544 return (err); 2545 } 2546 else if (key_length > 6 && memcmp(key, "xattr.", 6) == 0) { 2547 key_length -= 6; 2548 key += 6; 2549 if (value_length > xattr_limit) { 2550 err = ARCHIVE_WARN; 2551 } else { 2552 p = __archive_read_ahead(a, value_length, &bytes_read); 2553 if (p == NULL) { 2554 archive_set_error(&a->archive, EINVAL, 2555 "Truncated archive" 2556 " detected while reading xattr information"); 2557 return (ARCHIVE_FATAL); 2558 } 2559 if (pax_attribute_LIBARCHIVE_xattr(entry, key, key_length, p, value_length)) { 2560 /* TODO: Unable to parse xattr */ 2561 err = ARCHIVE_WARN; 2562 } 2563 } 2564 __archive_read_consume(a, value_length); 2565 return (err); 2566 } 2567 } 2568 break; 2569 case 'R': 2570 /* GNU tar uses RHT.security header to store SELinux xattrs 2571 * SCHILY.xattr.security.selinux == RHT.security.selinux */ 2572 if (key_length == 20 && memcmp(key, "RHT.security.selinux", 20) == 0) { 2573 if (value_length > xattr_limit) { 2574 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 2575 "Ignoring unreasonably large security.selinux attribute:" 2576 " %llu > %llu", 2577 (unsigned long long)value_length, 2578 (unsigned long long)xattr_limit); 2579 /* TODO: Should this be FAILED instead? */ 2580 err = ARCHIVE_WARN; 2581 } else { 2582 p = __archive_read_ahead(a, value_length, &bytes_read); 2583 if (p == NULL) { 2584 archive_set_error(&a->archive, EINVAL, 2585 "Truncated archive" 2586 " detected while reading selinux data"); 2587 return (ARCHIVE_FATAL); 2588 } 2589 if (pax_attribute_RHT_security_selinux(entry, p, value_length)) { 2590 /* TODO: Unable to parse xattr */ 2591 err = ARCHIVE_WARN; 2592 } 2593 } 2594 __archive_read_consume(a, value_length); 2595 return (err); 2596 } 2597 break; 2598 case 'S': 2599 /* SCHILY.* extensions used by "star" archiver */ 2600 if (key_length > 7 && memcmp(key, "SCHILY.", 7) == 0) { 2601 key_length -= 7; 2602 key += 7; 2603 2604 if (key_length == 10 && memcmp(key, "acl.access", 10) == 0) { 2605 err = pax_attribute_SCHILY_acl(a, tar, entry, value_length, 2606 ARCHIVE_ENTRY_ACL_TYPE_ACCESS); 2607 // TODO: Mark mode as set 2608 return (err); 2609 } 2610 else if (key_length == 11 && memcmp(key, "acl.default", 11) == 0) { 2611 err = pax_attribute_SCHILY_acl(a, tar, entry, value_length, 2612 ARCHIVE_ENTRY_ACL_TYPE_DEFAULT); 2613 return (err); 2614 } 2615 else if (key_length == 7 && memcmp(key, "acl.ace", 7) == 0) { 2616 err = pax_attribute_SCHILY_acl(a, tar, entry, value_length, 2617 ARCHIVE_ENTRY_ACL_TYPE_NFS4); 2618 // TODO: Mark mode as set 2619 return (err); 2620 } 2621 else if (key_length == 8 && memcmp(key, "devmajor", 8) == 0) { 2622 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK) { 2623 archive_entry_set_rdevmajor(entry, (dev_t)t); 2624 } 2625 return (err); 2626 } 2627 else if (key_length == 8 && memcmp(key, "devminor", 8) == 0) { 2628 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK) { 2629 archive_entry_set_rdevminor(entry, (dev_t)t); 2630 } 2631 return (err); 2632 } 2633 else if (key_length == 6 && memcmp(key, "fflags", 6) == 0) { 2634 if (value_length < fflags_limit) { 2635 p = __archive_read_ahead(a, value_length, &bytes_read); 2636 if (p == NULL) { 2637 /* Truncated archive */ 2638 archive_set_error(&a->archive, EINVAL, 2639 "Truncated archive" 2640 " detected while reading SCHILY.fflags"); 2641 return (ARCHIVE_FATAL); 2642 } 2643 archive_entry_copy_fflags_text_len(entry, p, value_length); 2644 err = ARCHIVE_OK; 2645 } else { 2646 /* Overlong fflags field */ 2647 err = ARCHIVE_WARN; 2648 } 2649 __archive_read_consume(a, value_length); 2650 return (err); 2651 } 2652 else if (key_length == 3 && memcmp(key, "dev", 3) == 0) { 2653 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK) { 2654 archive_entry_set_dev(entry, (dev_t)t); 2655 } 2656 return (err); 2657 } 2658 else if (key_length == 3 && memcmp(key, "ino", 3) == 0) { 2659 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK) { 2660 archive_entry_set_ino(entry, t); 2661 } 2662 return (err); 2663 } 2664 else if (key_length == 5 && memcmp(key, "nlink", 5) == 0) { 2665 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK) { 2666 archive_entry_set_nlink(entry, (unsigned int)t); 2667 } 2668 return (err); 2669 } 2670 else if (key_length == 8 && memcmp(key, "realsize", 8) == 0) { 2671 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK) { 2672 tar->SCHILY_sparse_realsize = t; 2673 tar->size_fields |= TAR_SIZE_SCHILY_SPARSE_REALSIZE; 2674 } 2675 return (err); 2676 } 2677 /* TODO: Is there a SCHILY.sparse.size similar to GNU.sparse.size ? */ 2678 else if (key_length > 6 && memcmp(key, "xattr.", 6) == 0) { 2679 key_length -= 6; 2680 key += 6; 2681 if (value_length < xattr_limit) { 2682 p = __archive_read_ahead(a, value_length, &bytes_read); 2683 if (p == NULL) { 2684 archive_set_error(&a->archive, EINVAL, 2685 "Truncated archive" 2686 " detected while reading SCHILY.xattr"); 2687 return (ARCHIVE_FATAL); 2688 } 2689 if (pax_attribute_SCHILY_xattr(entry, key, key_length, p, value_length)) { 2690 /* TODO: Unable to parse xattr */ 2691 err = ARCHIVE_WARN; 2692 } 2693 } else { 2694 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 2695 "Unreasonably large xattr: %llu > %llu", 2696 (unsigned long long)value_length, 2697 (unsigned long long)xattr_limit); 2698 err = ARCHIVE_WARN; 2699 } 2700 __archive_read_consume(a, value_length); 2701 return (err); 2702 } 2703 } 2704 /* SUN.* extensions from Solaris tar */ 2705 if (key_length > 4 && memcmp(key, "SUN.", 4) == 0) { 2706 key_length -= 4; 2707 key += 4; 2708 2709 if (key_length == 9 && memcmp(key, "holesdata", 9) == 0) { 2710 /* SUN.holesdata */ 2711 if (value_length < sparse_map_limit) { 2712 p = __archive_read_ahead(a, value_length, &bytes_read); 2713 if (p == NULL) { 2714 archive_set_error(&a->archive, EINVAL, 2715 "Truncated archive" 2716 " detected while reading SUN.holesdata"); 2717 return (ARCHIVE_FATAL); 2718 } 2719 err = pax_attribute_SUN_holesdata(a, tar, entry, p, value_length); 2720 if (err < ARCHIVE_OK) { 2721 archive_set_error(&a->archive, 2722 ARCHIVE_ERRNO_MISC, 2723 "Parse error: SUN.holesdata"); 2724 } 2725 } else { 2726 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, 2727 "Unreasonably large sparse map: %llu > %llu", 2728 (unsigned long long)value_length, 2729 (unsigned long long)sparse_map_limit); 2730 err = ARCHIVE_FAILED; 2731 } 2732 __archive_read_consume(a, value_length); 2733 return (err); 2734 } 2735 } 2736 break; 2737 case 'a': 2738 if (key_length == 5 && memcmp(key, "atime", 5) == 0) { 2739 if ((err = pax_attribute_read_time(a, value_length, &t, &n, unconsumed)) == ARCHIVE_OK) { 2740 archive_entry_set_atime(entry, t, n); 2741 } 2742 return (err); 2743 } 2744 break; 2745 case 'c': 2746 if (key_length == 5 && memcmp(key, "ctime", 5) == 0) { 2747 if ((err = pax_attribute_read_time(a, value_length, &t, &n, unconsumed)) == ARCHIVE_OK) { 2748 archive_entry_set_ctime(entry, t, n); 2749 } 2750 return (err); 2751 } else if (key_length == 7 && memcmp(key, "charset", 7) == 0) { 2752 /* TODO: Publish charset information in entry. */ 2753 } else if (key_length == 7 && memcmp(key, "comment", 7) == 0) { 2754 /* TODO: Publish comment in entry. */ 2755 } 2756 break; 2757 case 'g': 2758 if (key_length == 3 && memcmp(key, "gid", 3) == 0) { 2759 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK) { 2760 archive_entry_set_gid(entry, t); 2761 } 2762 return (err); 2763 } else if (key_length == 5 && memcmp(key, "gname", 5) == 0) { 2764 if (value_length > guname_limit) { 2765 *unconsumed += value_length; 2766 err = ARCHIVE_WARN; 2767 } else { 2768 err = read_bytes_to_string(a, &(tar->entry_gname), value_length, unconsumed); 2769 } 2770 return (err); 2771 } 2772 break; 2773 case 'h': 2774 if (key_length == 10 && memcmp(key, "hdrcharset", 10) == 0) { 2775 if (value_length < 64) { 2776 p = __archive_read_ahead(a, value_length, &bytes_read); 2777 if (p == NULL) { 2778 archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, 2779 "Truncated tar archive " 2780 "detected while reading hdrcharset attribute"); 2781 return (ARCHIVE_FATAL); 2782 } 2783 if (value_length == 6 2784 && memcmp(p, "BINARY", 6) == 0) { 2785 /* Binary mode. */ 2786 tar->pax_hdrcharset_utf8 = 0; 2787 err = ARCHIVE_OK; 2788 } else if (value_length == 23 2789 && memcmp(p, "ISO-IR 10646 2000 UTF-8", 23) == 0) { 2790 tar->pax_hdrcharset_utf8 = 1; 2791 err = ARCHIVE_OK; 2792 } else { 2793 /* TODO: Unrecognized character set */ 2794 err = ARCHIVE_WARN; 2795 } 2796 } else { 2797 archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, 2798 "hdrcharset attribute is unreasonably large (%llu bytes)", 2799 (unsigned long long)value_length); 2800 err = ARCHIVE_WARN; 2801 } 2802 __archive_read_consume(a, value_length); 2803 return (err); 2804 } 2805 break; 2806 case 'l': 2807 /* pax interchange doesn't distinguish hardlink vs. symlink. */ 2808 if (key_length == 8 && memcmp(key, "linkpath", 8) == 0) { 2809 if (value_length > pathname_limit) { 2810 *unconsumed += value_length; 2811 err = ARCHIVE_WARN; 2812 } else { 2813 err = read_bytes_to_string(a, &tar->entry_linkpath, value_length, unconsumed); 2814 } 2815 return (err); 2816 } 2817 break; 2818 case 'm': 2819 if (key_length == 5 && memcmp(key, "mtime", 5) == 0) { 2820 if ((err = pax_attribute_read_time(a, value_length, &t, &n, unconsumed)) == ARCHIVE_OK) { 2821 archive_entry_set_mtime(entry, t, n); 2822 } 2823 return (err); 2824 } 2825 break; 2826 case 'p': 2827 if (key_length == 4 && memcmp(key, "path", 4) == 0) { 2828 if (value_length > pathname_limit) { 2829 *unconsumed += value_length; 2830 err = ARCHIVE_WARN; 2831 } else { 2832 err = read_bytes_to_string(a, &(tar->entry_pathname), value_length, unconsumed); 2833 } 2834 return (err); 2835 } 2836 break; 2837 case 'r': 2838 /* POSIX has reserved 'realtime.*' */ 2839 break; 2840 case 's': 2841 /* POSIX has reserved 'security.*' */ 2842 /* Someday: if (strcmp(key, "security.acl") == 0) { ... } */ 2843 if (key_length == 4 && memcmp(key, "size", 4) == 0) { 2844 /* "size" is the size of the data in the entry. */ 2845 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK) { 2846 tar->pax_size = t; 2847 tar->size_fields |= TAR_SIZE_PAX_SIZE; 2848 } 2849 else if (t == INT64_MAX) { 2850 /* Note: pax_attr_read_number returns INT64_MAX on overflow or < 0 */ 2851 tar->entry_bytes_remaining = 0; 2852 archive_set_error(&a->archive, 2853 ARCHIVE_ERRNO_MISC, 2854 "Tar size attribute overflow"); 2855 return (ARCHIVE_FATAL); 2856 } 2857 return (err); 2858 } 2859 break; 2860 case 'u': 2861 if (key_length == 3 && memcmp(key, "uid", 3) == 0) { 2862 if ((err = pax_attribute_read_number(a, value_length, &t)) == ARCHIVE_OK) { 2863 archive_entry_set_uid(entry, t); 2864 } 2865 return (err); 2866 } else if (key_length == 5 && memcmp(key, "uname", 5) == 0) { 2867 if (value_length > guname_limit) { 2868 *unconsumed += value_length; 2869 err = ARCHIVE_WARN; 2870 } else { 2871 err = read_bytes_to_string(a, &(tar->entry_uname), value_length, unconsumed); 2872 } 2873 return (err); 2874 } 2875 break; 2876 } 2877 2878 /* Unrecognized key, just skip the entire value. */ 2879 __archive_read_consume(a, value_length); 2880 return (err); 2881 } 2882 2883 2884 2885 /* 2886 * Parse a decimal time value, which may include a fractional portion 2887 * 2888 * Sets ps to INT64_MIN on error. 2889 */ 2890 static void 2891 pax_time(const char *p, size_t length, int64_t *ps, long *pn) 2892 { 2893 char digit; 2894 int64_t s; 2895 unsigned long l; 2896 int sign; 2897 int64_t limit, last_digit_limit; 2898 2899 limit = INT64_MAX / 10; 2900 last_digit_limit = INT64_MAX % 10; 2901 2902 if (length <= 0) { 2903 *ps = 0; 2904 *pn = 0; 2905 return; 2906 } 2907 s = 0; 2908 sign = 1; 2909 if (*p == '-') { 2910 sign = -1; 2911 p++; 2912 length--; 2913 } 2914 while (length > 0 && *p >= '0' && *p <= '9') { 2915 digit = *p - '0'; 2916 if (s > limit || 2917 (s == limit && digit > last_digit_limit)) { 2918 *ps = INT64_MIN; 2919 *pn = 0; 2920 return; 2921 } 2922 s = (s * 10) + digit; 2923 ++p; 2924 --length; 2925 } 2926 2927 *ps = s * sign; 2928 2929 /* Calculate nanoseconds. */ 2930 *pn = 0; 2931 2932 if (length <= 0 || *p != '.') 2933 return; 2934 2935 l = 100000000UL; 2936 do { 2937 ++p; 2938 --length; 2939 if (length > 0 && *p >= '0' && *p <= '9') 2940 *pn += (*p - '0') * l; 2941 else 2942 break; 2943 } while (l /= 10); 2944 } 2945 2946 /* 2947 * Parse GNU tar header 2948 */ 2949 static int 2950 header_gnutar(struct archive_read *a, struct tar *tar, 2951 struct archive_entry *entry, const void *h, int64_t *unconsumed) 2952 { 2953 const struct archive_entry_header_gnutar *header; 2954 int64_t t; 2955 int err = ARCHIVE_OK; 2956 2957 /* 2958 * GNU header is like POSIX ustar, except 'prefix' is 2959 * replaced with some other fields. This also means the 2960 * filename is stored as in old-style archives. 2961 */ 2962 2963 /* Copy filename over (to ensure null termination). */ 2964 header = (const struct archive_entry_header_gnutar *)h; 2965 const char *existing_pathname = archive_entry_pathname(entry); 2966 const wchar_t *existing_wcs_pathname = archive_entry_pathname_w(entry); 2967 if ((existing_pathname == NULL || existing_pathname[0] == '\0') 2968 && (existing_wcs_pathname == NULL || existing_wcs_pathname[0] == L'\0')) { 2969 if (archive_entry_copy_pathname_l(entry, 2970 header->name, sizeof(header->name), tar->sconv) != 0) { 2971 err = set_conversion_failed_error(a, tar->sconv, "Pathname"); 2972 if (err == ARCHIVE_FATAL) 2973 return (err); 2974 } 2975 } 2976 2977 /* Fields common to ustar and GNU */ 2978 /* XXX Can the following be factored out since it's common 2979 * to ustar and gnu tar? Is it okay to move it down into 2980 * header_common, perhaps? */ 2981 const char *existing_uname = archive_entry_uname(entry); 2982 if (existing_uname == NULL || existing_uname[0] == '\0') { 2983 if (archive_entry_copy_uname_l(entry, 2984 header->uname, sizeof(header->uname), tar->sconv) != 0) { 2985 err = set_conversion_failed_error(a, tar->sconv, "Uname"); 2986 if (err == ARCHIVE_FATAL) 2987 return (err); 2988 } 2989 } 2990 2991 const char *existing_gname = archive_entry_gname(entry); 2992 if (existing_gname == NULL || existing_gname[0] == '\0') { 2993 if (archive_entry_copy_gname_l(entry, 2994 header->gname, sizeof(header->gname), tar->sconv) != 0) { 2995 err = set_conversion_failed_error(a, tar->sconv, "Gname"); 2996 if (err == ARCHIVE_FATAL) 2997 return (err); 2998 } 2999 } 3000 3001 /* Parse out device numbers only for char and block specials */ 3002 if (header->typeflag[0] == '3' || header->typeflag[0] == '4') { 3003 if (!archive_entry_rdev_is_set(entry)) { 3004 archive_entry_set_rdevmajor(entry, (dev_t) 3005 tar_atol(header->rdevmajor, sizeof(header->rdevmajor))); 3006 archive_entry_set_rdevminor(entry, (dev_t) 3007 tar_atol(header->rdevminor, sizeof(header->rdevminor))); 3008 } 3009 } else { 3010 archive_entry_set_rdev(entry, 0); 3011 } 3012 3013 /* Grab GNU-specific fields. */ 3014 if (!archive_entry_atime_is_set(entry)) { 3015 t = tar_atol(header->atime, sizeof(header->atime)); 3016 if (t > 0) 3017 archive_entry_set_atime(entry, t, 0); 3018 } 3019 if (!archive_entry_ctime_is_set(entry)) { 3020 t = tar_atol(header->ctime, sizeof(header->ctime)); 3021 if (t > 0) 3022 archive_entry_set_ctime(entry, t, 0); 3023 } 3024 3025 if (header->realsize[0] != 0) { 3026 /* Treat as a synonym for the pax GNU.sparse.realsize attr */ 3027 tar->GNU_sparse_realsize 3028 = tar_atol(header->realsize, sizeof(header->realsize)); 3029 tar->size_fields |= TAR_SIZE_GNU_SPARSE_REALSIZE; 3030 } 3031 3032 if (header->sparse[0].offset[0] != 0) { 3033 if (gnu_sparse_old_read(a, tar, header, unconsumed) 3034 != ARCHIVE_OK) 3035 return (ARCHIVE_FATAL); 3036 } else { 3037 if (header->isextended[0] != 0) { 3038 /* XXX WTF? XXX */ 3039 } 3040 } 3041 3042 /* Grab fields common to all tar variants. */ 3043 err = header_common(a, tar, entry, h); 3044 if (err == ARCHIVE_FATAL) 3045 return (err); 3046 3047 tar->entry_padding = 0x1ff & (-tar->entry_bytes_remaining); 3048 3049 return (err); 3050 } 3051 3052 static int 3053 gnu_add_sparse_entry(struct archive_read *a, struct tar *tar, 3054 int64_t offset, int64_t remaining) 3055 { 3056 struct sparse_block *p; 3057 3058 p = calloc(1, sizeof(*p)); 3059 if (p == NULL) { 3060 archive_set_error(&a->archive, ENOMEM, "Out of memory"); 3061 return (ARCHIVE_FATAL); 3062 } 3063 if (tar->sparse_last != NULL) 3064 tar->sparse_last->next = p; 3065 else 3066 tar->sparse_list = p; 3067 tar->sparse_last = p; 3068 if (remaining < 0 || offset < 0 || offset > INT64_MAX - remaining) { 3069 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, "Malformed sparse map data"); 3070 return (ARCHIVE_FATAL); 3071 } 3072 p->offset = offset; 3073 p->remaining = remaining; 3074 return (ARCHIVE_OK); 3075 } 3076 3077 static void 3078 gnu_clear_sparse_list(struct tar *tar) 3079 { 3080 struct sparse_block *p; 3081 3082 while (tar->sparse_list != NULL) { 3083 p = tar->sparse_list; 3084 tar->sparse_list = p->next; 3085 free(p); 3086 } 3087 tar->sparse_last = NULL; 3088 } 3089 3090 /* 3091 * GNU tar old-format sparse data. 3092 * 3093 * GNU old-format sparse data is stored in a fixed-field 3094 * format. Offset/size values are 11-byte octal fields (same 3095 * format as 'size' field in ustart header). These are 3096 * stored in the header, allocating subsequent header blocks 3097 * as needed. Extending the header in this way is a pretty 3098 * severe POSIX violation; this design has earned GNU tar a 3099 * lot of criticism. 3100 */ 3101 3102 static int 3103 gnu_sparse_old_read(struct archive_read *a, struct tar *tar, 3104 const struct archive_entry_header_gnutar *header, int64_t *unconsumed) 3105 { 3106 ssize_t bytes_read; 3107 const void *data; 3108 struct extended { 3109 struct gnu_sparse sparse[21]; 3110 char isextended[1]; 3111 char padding[7]; 3112 }; 3113 const struct extended *ext; 3114 3115 if (gnu_sparse_old_parse(a, tar, header->sparse, 4) != ARCHIVE_OK) 3116 return (ARCHIVE_FATAL); 3117 if (header->isextended[0] == 0) 3118 return (ARCHIVE_OK); 3119 3120 do { 3121 if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) { 3122 return (ARCHIVE_FATAL); 3123 } 3124 data = __archive_read_ahead(a, 512, &bytes_read); 3125 if (data == NULL) { 3126 archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, 3127 "Truncated tar archive " 3128 "detected while reading sparse file data"); 3129 return (ARCHIVE_FATAL); 3130 } 3131 *unconsumed = 512; 3132 ext = (const struct extended *)data; 3133 if (gnu_sparse_old_parse(a, tar, ext->sparse, 21) != ARCHIVE_OK) 3134 return (ARCHIVE_FATAL); 3135 } while (ext->isextended[0] != 0); 3136 if (tar->sparse_list != NULL) 3137 tar->entry_offset = tar->sparse_list->offset; 3138 return (ARCHIVE_OK); 3139 } 3140 3141 static int 3142 gnu_sparse_old_parse(struct archive_read *a, struct tar *tar, 3143 const struct gnu_sparse *sparse, int length) 3144 { 3145 while (length > 0 && sparse->offset[0] != 0) { 3146 if (gnu_add_sparse_entry(a, tar, 3147 tar_atol(sparse->offset, sizeof(sparse->offset)), 3148 tar_atol(sparse->numbytes, sizeof(sparse->numbytes))) 3149 != ARCHIVE_OK) 3150 return (ARCHIVE_FATAL); 3151 sparse++; 3152 length--; 3153 } 3154 return (ARCHIVE_OK); 3155 } 3156 3157 /* 3158 * GNU tar sparse format 0.0 3159 * 3160 * Beginning with GNU tar 1.15, sparse files are stored using 3161 * information in the pax extended header. The GNU tar maintainers 3162 * have gone through a number of variations in the process of working 3163 * out this scheme; fortunately, they're all numbered. 3164 * 3165 * Sparse format 0.0 uses attribute GNU.sparse.numblocks to store the 3166 * number of blocks, and GNU.sparse.offset/GNU.sparse.numbytes to 3167 * store offset/size for each block. The repeated instances of these 3168 * latter fields violate the pax specification (which frowns on 3169 * duplicate keys), so this format was quickly replaced. 3170 */ 3171 3172 /* 3173 * GNU tar sparse format 0.1 3174 * 3175 * This version replaced the offset/numbytes attributes with 3176 * a single "map" attribute that stored a list of integers. This 3177 * format had two problems: First, the "map" attribute could be very 3178 * long, which caused problems for some implementations. More 3179 * importantly, the sparse data was lost when extracted by archivers 3180 * that didn't recognize this extension. 3181 */ 3182 static int 3183 gnu_sparse_01_parse(struct archive_read *a, struct tar *tar, const char *p, size_t length) 3184 { 3185 const char *e; 3186 int64_t offset = -1, size = -1; 3187 3188 for (;;) { 3189 e = p; 3190 while (length > 0 && *e != ',') { 3191 if (*e < '0' || *e > '9') 3192 return (ARCHIVE_WARN); 3193 e++; 3194 length--; 3195 } 3196 if (offset < 0) { 3197 offset = tar_atol10(p, e - p); 3198 if (offset < 0) 3199 return (ARCHIVE_WARN); 3200 } else { 3201 size = tar_atol10(p, e - p); 3202 if (size < 0) 3203 return (ARCHIVE_WARN); 3204 if (gnu_add_sparse_entry(a, tar, offset, size) 3205 != ARCHIVE_OK) 3206 return (ARCHIVE_FATAL); 3207 offset = -1; 3208 } 3209 if (length == 0) 3210 return (ARCHIVE_OK); 3211 p = e + 1; 3212 length--; 3213 } 3214 } 3215 3216 /* 3217 * GNU tar sparse format 1.0 3218 * 3219 * The idea: The offset/size data is stored as a series of base-10 3220 * ASCII numbers prepended to the file data, so that dearchivers that 3221 * don't support this format will extract the block map along with the 3222 * data and a separate post-process can restore the sparseness. 3223 * 3224 * Unfortunately, GNU tar 1.16 had a bug that added unnecessary 3225 * padding to the body of the file when using this format. GNU tar 3226 * 1.17 corrected this bug without bumping the version number, so 3227 * it's not possible to support both variants. This code supports 3228 * the later variant at the expense of not supporting the former. 3229 * 3230 * This variant also introduced the GNU.sparse.major/GNU.sparse.minor attributes. 3231 */ 3232 3233 /* 3234 * Read the next line from the input, and parse it as a decimal 3235 * integer followed by '\n'. Returns positive integer value or 3236 * negative on error. 3237 */ 3238 static int64_t 3239 gnu_sparse_10_atol(struct archive_read *a, struct tar *tar, 3240 int64_t *remaining, int64_t *unconsumed) 3241 { 3242 int64_t l, limit, last_digit_limit; 3243 const char *p; 3244 ssize_t bytes_read; 3245 int base, digit; 3246 3247 base = 10; 3248 limit = INT64_MAX / base; 3249 last_digit_limit = INT64_MAX % base; 3250 3251 /* 3252 * Skip any lines starting with '#'; GNU tar specs 3253 * don't require this, but they should. 3254 */ 3255 do { 3256 bytes_read = readline(a, tar, &p, 3257 (ssize_t)tar_min(*remaining, 100), unconsumed); 3258 if (bytes_read <= 0) 3259 return (ARCHIVE_FATAL); 3260 *remaining -= bytes_read; 3261 } while (p[0] == '#'); 3262 3263 l = 0; 3264 while (bytes_read > 0) { 3265 if (*p == '\n') 3266 return (l); 3267 if (*p < '0' || *p >= '0' + base) 3268 return (ARCHIVE_WARN); 3269 digit = *p - '0'; 3270 if (l > limit || (l == limit && digit > last_digit_limit)) 3271 l = INT64_MAX; /* Truncate on overflow. */ 3272 else 3273 l = (l * base) + digit; 3274 p++; 3275 bytes_read--; 3276 } 3277 /* TODO: Error message. */ 3278 return (ARCHIVE_WARN); 3279 } 3280 3281 /* 3282 * Returns length (in bytes) of the sparse data description 3283 * that was read. 3284 */ 3285 static int64_t 3286 gnu_sparse_10_read(struct archive_read *a, struct tar *tar, int64_t *unconsumed) 3287 { 3288 int64_t bytes_read, entries, offset, size, to_skip, remaining; 3289 3290 /* Clear out the existing sparse list. */ 3291 gnu_clear_sparse_list(tar); 3292 3293 remaining = tar->entry_bytes_remaining; 3294 3295 /* Parse entries. */ 3296 entries = gnu_sparse_10_atol(a, tar, &remaining, unconsumed); 3297 if (entries < 0) 3298 return (ARCHIVE_FATAL); 3299 /* Parse the individual entries. */ 3300 while (entries-- > 0) { 3301 /* Parse offset/size */ 3302 offset = gnu_sparse_10_atol(a, tar, &remaining, unconsumed); 3303 if (offset < 0) 3304 return (ARCHIVE_FATAL); 3305 size = gnu_sparse_10_atol(a, tar, &remaining, unconsumed); 3306 if (size < 0) 3307 return (ARCHIVE_FATAL); 3308 /* Add a new sparse entry. */ 3309 if (gnu_add_sparse_entry(a, tar, offset, size) != ARCHIVE_OK) 3310 return (ARCHIVE_FATAL); 3311 } 3312 /* Skip rest of block... */ 3313 if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) { 3314 return (ARCHIVE_FATAL); 3315 } 3316 bytes_read = tar->entry_bytes_remaining - remaining; 3317 to_skip = 0x1ff & -bytes_read; 3318 /* Fail if tar->entry_bytes_remaing would get negative */ 3319 if (to_skip > remaining) 3320 return (ARCHIVE_FATAL); 3321 if (to_skip != __archive_read_consume(a, to_skip)) 3322 return (ARCHIVE_FATAL); 3323 return (bytes_read + to_skip); 3324 } 3325 3326 /* 3327 * Solaris pax extension for a sparse file. This is recorded with the 3328 * data and hole pairs. The way recording sparse information by Solaris' 3329 * pax simply indicates where data and sparse are, so the stored contents 3330 * consist of both data and hole. 3331 */ 3332 static int 3333 pax_attribute_SUN_holesdata(struct archive_read *a, struct tar *tar, 3334 struct archive_entry *entry, const char *p, size_t length) 3335 { 3336 const char *e; 3337 int64_t start, end; 3338 int hole = 1; 3339 3340 (void)entry; /* UNUSED */ 3341 3342 end = 0; 3343 if (length <= 0) 3344 return (ARCHIVE_WARN); 3345 if (*p == ' ') { 3346 p++; 3347 length--; 3348 } else { 3349 return (ARCHIVE_WARN); 3350 } 3351 for (;;) { 3352 e = p; 3353 while (length > 0 && *e != ' ') { 3354 if (*e < '0' || *e > '9') 3355 return (ARCHIVE_WARN); 3356 e++; 3357 length--; 3358 } 3359 start = end; 3360 end = tar_atol10(p, e - p); 3361 if (end < 0) 3362 return (ARCHIVE_WARN); 3363 if (start < end) { 3364 if (gnu_add_sparse_entry(a, tar, start, 3365 end - start) != ARCHIVE_OK) 3366 return (ARCHIVE_FATAL); 3367 tar->sparse_last->hole = hole; 3368 } 3369 if (length == 0 || *e == '\n') { 3370 if (length == 0 && *e == '\n') { 3371 return (ARCHIVE_OK); 3372 } else { 3373 return (ARCHIVE_WARN); 3374 } 3375 } 3376 p = e + 1; 3377 length--; 3378 hole = hole == 0; 3379 } 3380 } 3381 3382 /*- 3383 * Convert text->integer. 3384 * 3385 * Traditional tar formats (including POSIX) specify base-8 for 3386 * all of the standard numeric fields. This is a significant limitation 3387 * in practice: 3388 * = file size is limited to 8GB 3389 * = rdevmajor and rdevminor are limited to 21 bits 3390 * = uid/gid are limited to 21 bits 3391 * 3392 * There are two workarounds for this: 3393 * = pax extended headers, which use variable-length string fields 3394 * = GNU tar and STAR both allow either base-8 or base-256 in 3395 * most fields. The high bit is set to indicate base-256. 3396 * 3397 * On read, this implementation supports both extensions. 3398 */ 3399 static int64_t 3400 tar_atol(const char *p, size_t char_cnt) 3401 { 3402 /* 3403 * Technically, GNU tar considers a field to be in base-256 3404 * only if the first byte is 0xff or 0x80. 3405 */ 3406 if (*p & 0x80) 3407 return (tar_atol256(p, char_cnt)); 3408 return (tar_atol8(p, char_cnt)); 3409 } 3410 3411 /* 3412 * Note that this implementation does not (and should not!) obey 3413 * locale settings; you cannot simply substitute strtol here, since 3414 * it does obey locale. 3415 */ 3416 static int64_t 3417 tar_atol_base_n(const char *p, size_t char_cnt, int base) 3418 { 3419 int64_t l, maxval, limit, last_digit_limit; 3420 int digit, sign; 3421 3422 maxval = INT64_MAX; 3423 limit = INT64_MAX / base; 3424 last_digit_limit = INT64_MAX % base; 3425 3426 /* the pointer will not be dereferenced if char_cnt is zero 3427 * due to the way the && operator is evaluated. 3428 */ 3429 while (char_cnt != 0 && (*p == ' ' || *p == '\t')) { 3430 p++; 3431 char_cnt--; 3432 } 3433 3434 sign = 1; 3435 if (char_cnt != 0 && *p == '-') { 3436 sign = -1; 3437 p++; 3438 char_cnt--; 3439 3440 maxval = INT64_MIN; 3441 limit = -(INT64_MIN / base); 3442 last_digit_limit = -(INT64_MIN % base); 3443 } 3444 3445 l = 0; 3446 if (char_cnt != 0) { 3447 digit = *p - '0'; 3448 while (digit >= 0 && digit < base && char_cnt != 0) { 3449 if (l>limit || (l == limit && digit >= last_digit_limit)) { 3450 return maxval; /* Truncate on overflow. */ 3451 } 3452 l = (l * base) + digit; 3453 digit = *++p - '0'; 3454 char_cnt--; 3455 } 3456 } 3457 return (sign < 0) ? -l : l; 3458 } 3459 3460 static int64_t 3461 tar_atol8(const char *p, size_t char_cnt) 3462 { 3463 return tar_atol_base_n(p, char_cnt, 8); 3464 } 3465 3466 static int64_t 3467 tar_atol10(const char *p, size_t char_cnt) 3468 { 3469 return tar_atol_base_n(p, char_cnt, 10); 3470 } 3471 3472 /* 3473 * Parse a base-256 integer. This is just a variable-length 3474 * twos-complement signed binary value in big-endian order, except 3475 * that the high-order bit is ignored. The values here can be up to 3476 * 12 bytes, so we need to be careful about overflowing 64-bit 3477 * (8-byte) integers. 3478 * 3479 * This code unashamedly assumes that the local machine uses 8-bit 3480 * bytes and twos-complement arithmetic. 3481 */ 3482 static int64_t 3483 tar_atol256(const char *_p, size_t char_cnt) 3484 { 3485 uint64_t l; 3486 const unsigned char *p = (const unsigned char *)_p; 3487 unsigned char c, neg; 3488 3489 /* Extend 7-bit 2s-comp to 8-bit 2s-comp, decide sign. */ 3490 c = *p; 3491 if (c & 0x40) { 3492 neg = 0xff; 3493 c |= 0x80; 3494 l = ~ARCHIVE_LITERAL_ULL(0); 3495 } else { 3496 neg = 0; 3497 c &= 0x7f; 3498 l = 0; 3499 } 3500 3501 /* If more than 8 bytes, check that we can ignore 3502 * high-order bits without overflow. */ 3503 while (char_cnt > sizeof(int64_t)) { 3504 --char_cnt; 3505 if (c != neg) 3506 return neg ? INT64_MIN : INT64_MAX; 3507 c = *++p; 3508 } 3509 3510 /* c is first byte that fits; if sign mismatch, return overflow */ 3511 if ((c ^ neg) & 0x80) { 3512 return neg ? INT64_MIN : INT64_MAX; 3513 } 3514 3515 /* Accumulate remaining bytes. */ 3516 while (--char_cnt > 0) { 3517 l = (l << 8) | c; 3518 c = *++p; 3519 } 3520 l = (l << 8) | c; 3521 /* Return signed twos-complement value. */ 3522 return (int64_t)(l); 3523 } 3524 3525 /* 3526 * Returns length of line (including trailing newline) 3527 * or negative on error. 'start' argument is updated to 3528 * point to first character of line. This avoids copying 3529 * when possible. 3530 */ 3531 static ssize_t 3532 readline(struct archive_read *a, struct tar *tar, const char **start, 3533 ssize_t limit, int64_t *unconsumed) 3534 { 3535 ssize_t bytes_read; 3536 ssize_t total_size = 0; 3537 const void *t; 3538 const char *s; 3539 void *p; 3540 3541 if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) { 3542 return (ARCHIVE_FATAL); 3543 } 3544 3545 t = __archive_read_ahead(a, 1, &bytes_read); 3546 if (bytes_read <= 0 || t == NULL) 3547 return (ARCHIVE_FATAL); 3548 s = t; /* Start of line? */ 3549 p = memchr(t, '\n', bytes_read); 3550 /* If we found '\n' in the read buffer, return pointer to that. */ 3551 if (p != NULL) { 3552 bytes_read = 1 + ((const char *)p) - s; 3553 if (bytes_read > limit) { 3554 archive_set_error(&a->archive, 3555 ARCHIVE_ERRNO_FILE_FORMAT, 3556 "Line too long"); 3557 return (ARCHIVE_FATAL); 3558 } 3559 *unconsumed = bytes_read; 3560 *start = s; 3561 return (bytes_read); 3562 } 3563 *unconsumed = bytes_read; 3564 /* Otherwise, we need to accumulate in a line buffer. */ 3565 for (;;) { 3566 if (total_size + bytes_read > limit) { 3567 archive_set_error(&a->archive, 3568 ARCHIVE_ERRNO_FILE_FORMAT, 3569 "Line too long"); 3570 return (ARCHIVE_FATAL); 3571 } 3572 if (archive_string_ensure(&tar->line, total_size + bytes_read) == NULL) { 3573 archive_set_error(&a->archive, ENOMEM, 3574 "Can't allocate working buffer"); 3575 return (ARCHIVE_FATAL); 3576 } 3577 memcpy(tar->line.s + total_size, t, bytes_read); 3578 tar_flush_unconsumed(a, unconsumed); 3579 total_size += bytes_read; 3580 /* If we found '\n', clean up and return. */ 3581 if (p != NULL) { 3582 *start = tar->line.s; 3583 return (total_size); 3584 } 3585 /* Read some more. */ 3586 t = __archive_read_ahead(a, 1, &bytes_read); 3587 if (bytes_read <= 0 || t == NULL) 3588 return (ARCHIVE_FATAL); 3589 s = t; /* Start of line? */ 3590 p = memchr(t, '\n', bytes_read); 3591 /* If we found '\n', trim the read. */ 3592 if (p != NULL) { 3593 bytes_read = 1 + ((const char *)p) - s; 3594 } 3595 *unconsumed = bytes_read; 3596 } 3597 } 3598 3599 /* 3600 * base64_decode - Base64 decode 3601 * 3602 * This accepts most variations of base-64 encoding, including: 3603 * * with or without line breaks 3604 * * with or without the final group padded with '=' or '_' characters 3605 * (The most economical Base-64 variant does not pad the last group and 3606 * omits line breaks; RFC1341 used for MIME requires both.) 3607 */ 3608 static char * 3609 base64_decode(const char *s, size_t len, size_t *out_len) 3610 { 3611 static const unsigned char digits[64] = { 3612 'A','B','C','D','E','F','G','H','I','J','K','L','M','N', 3613 'O','P','Q','R','S','T','U','V','W','X','Y','Z','a','b', 3614 'c','d','e','f','g','h','i','j','k','l','m','n','o','p', 3615 'q','r','s','t','u','v','w','x','y','z','0','1','2','3', 3616 '4','5','6','7','8','9','+','/' }; 3617 static unsigned char decode_table[128]; 3618 char *out, *d; 3619 const unsigned char *src = (const unsigned char *)s; 3620 3621 /* If the decode table is not yet initialized, prepare it. */ 3622 if (decode_table[digits[1]] != 1) { 3623 unsigned i; 3624 memset(decode_table, 0xff, sizeof(decode_table)); 3625 for (i = 0; i < sizeof(digits); i++) 3626 decode_table[digits[i]] = i; 3627 } 3628 3629 /* Allocate enough space to hold the entire output. */ 3630 /* Note that we may not use all of this... */ 3631 out = malloc(len - len / 4 + 1); 3632 if (out == NULL) { 3633 *out_len = 0; 3634 return (NULL); 3635 } 3636 d = out; 3637 3638 while (len > 0) { 3639 /* Collect the next group of (up to) four characters. */ 3640 int v = 0; 3641 int group_size = 0; 3642 while (group_size < 4 && len > 0) { 3643 /* '=' or '_' padding indicates final group. */ 3644 if (*src == '=' || *src == '_') { 3645 len = 0; 3646 break; 3647 } 3648 /* Skip illegal characters (including line breaks) */ 3649 if (*src > 127 || *src < 32 3650 || decode_table[*src] == 0xff) { 3651 len--; 3652 src++; 3653 continue; 3654 } 3655 v <<= 6; 3656 v |= decode_table[*src++]; 3657 len --; 3658 group_size++; 3659 } 3660 /* Align a short group properly. */ 3661 v <<= 6 * (4 - group_size); 3662 /* Unpack the group we just collected. */ 3663 switch (group_size) { 3664 case 4: d[2] = v & 0xff; 3665 /* FALLTHROUGH */ 3666 case 3: d[1] = (v >> 8) & 0xff; 3667 /* FALLTHROUGH */ 3668 case 2: d[0] = (v >> 16) & 0xff; 3669 break; 3670 case 1: /* this is invalid! */ 3671 break; 3672 } 3673 d += group_size * 3 / 4; 3674 } 3675 3676 *out_len = d - out; 3677 return (out); 3678 } 3679 3680 static char * 3681 url_decode(const char *in, size_t length) 3682 { 3683 char *out, *d; 3684 const char *s; 3685 3686 out = malloc(length + 1); 3687 if (out == NULL) 3688 return (NULL); 3689 for (s = in, d = out; length > 0 && *s != '\0'; ) { 3690 if (s[0] == '%' && length > 2) { 3691 /* Try to convert % escape */ 3692 int digit1 = tohex(s[1]); 3693 int digit2 = tohex(s[2]); 3694 if (digit1 >= 0 && digit2 >= 0) { 3695 /* Looks good, consume three chars */ 3696 s += 3; 3697 length -= 3; 3698 /* Convert output */ 3699 *d++ = ((digit1 << 4) | digit2); 3700 continue; 3701 } 3702 /* Else fall through and treat '%' as normal char */ 3703 } 3704 *d++ = *s++; 3705 --length; 3706 } 3707 *d = '\0'; 3708 return (out); 3709 } 3710 3711 static int 3712 tohex(int c) 3713 { 3714 if (c >= '0' && c <= '9') 3715 return (c - '0'); 3716 else if (c >= 'A' && c <= 'F') 3717 return (c - 'A' + 10); 3718 else if (c >= 'a' && c <= 'f') 3719 return (c - 'a' + 10); 3720 else 3721 return (-1); 3722 } 3723