On 4/8/21 12:47 AM, Ondrej Dubaj wrote:
diff --git a/src/tar.c b/src/tar.c index 99ef8a2..a5873e7 100644 --- a/src/tar.c +++ b/src/tar.c @@ -146,6 +146,7 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des) name_len = strlen (file_hdr->c_name); if (name_len <= TARNAMESIZE) { + memset(tar_hdr->name, '\0', name_len+1); strncpy (tar_hdr->name, file_hdr->c_name, name_len); } else
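Review bot: the added memset in the `name_len <= TARNAMESIZE` branch writes `name_len+1` bytes, so when name_len equals TARNAMESIZE it writes one byte more than the bound that branch allows for `tar_hdr->name`. If the field is TARNAMESIZE bytes wide, as the check implies, the extra '\0' lands past its end. Drop the memset, or if zero-fill is wanted, clear exactly the field with `sizeof tar_hdr->name` before the copy. Style: the surrounding calls put a space before the parenthesis (`strncpy (`, `strlen (`), the new line does not.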
This fix isn't right. The 'name' array is not necessarily null terminated; see <https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_18_03>. This unusual data structure is exactly what strncpy is designed for.
Coverity has a horror of strncpy, understandably so since strncpy is so often misused. But it's being used correctly here, and in the other places that your email proposed patches for.
Coverity's utimens warning is reasonable even though the code was technically correct. As discussed in my previous email that should be fixed in Gnulib now. The other cpio warnings all appear to be false alarms.
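The fixed-width, not-necessarily-terminated name field discussed in this message, as an added example that is not part of the email or of cpio's source. `hdr_prefix`, `NAME_FIELD`, `put_name`, `get_name` and `memset_overrun` are hypothetical names; the 100-byte name followed by an 8-byte mode follows the ustar layout in the linked pax specification.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: the first two fields of a ustar header. */
#define NAME_FIELD 100
struct hdr_prefix {
  char name[NAME_FIELD];   /* NUL-padded, NOT terminated when full */
  char mode[8];
};

/* Store a name. strncpy copies at most NAME_FIELD bytes and NUL-pads
   the rest, writing no terminator when the name fills the field.
   Returns 0 on success, -1 if the name does not fit. */
int put_name (struct hdr_prefix *h, const char *name)
{
  if (strlen (name) > NAME_FIELD)
    return -1;
  strncpy (h->name, name, sizeof h->name);
  return 0;
}

/* Read a name back without assuming a terminator: bound the scan by
   the field width, then terminate the caller's copy.
   out must hold NAME_FIELD + 1 bytes. Returns the name length. */
size_t get_name (const struct hdr_prefix *h, char *out)
{
  const char *nul = memchr (h->name, '\0', sizeof h->name);
  size_t len = nul ? (size_t) (nul - h->name) : sizeof h->name;
  memcpy (out, h->name, len);
  out[len] = '\0';
  return len;
}

/* Bytes a memset of name_len + 1 would write past the name field. */
size_t memset_overrun (size_t name_len)
{
  return name_len + 1 > NAME_FIELD ? name_len + 1 - NAME_FIELD : 0;
}

int main (void)
{
  struct hdr_prefix h;
  char full[NAME_FIELD + 1], out[NAME_FIELD + 1];
  memset (full, 'a', NAME_FIELD);   /* constructed 100-byte name */
  full[NAME_FIELD] = '\0';
  memcpy (h.mode, "0000644", 8);
  put_name (&h, full);
  printf ("len=%zu mode=%s overrun=%zu\n", get_name (&h, out), h.mode,
          memset_overrun (NAME_FIELD));
  return 0;
}
```

GCC's `-Wstringop-truncation` may flag the `strncpy` call for the same reason Coverity does; the unterminated result is the intended behaviour for this field.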