On 2025-03-04 22:12, Evgeniy Gorbanev via tz wrote:
Hello!
IfoundthatifI runzictocreatea linkonanotherdevice, the
bufferoverflowinzip.c:1422inversion2025awill occur. Inthislinei==0.
The commandtoreplay: ./zic -l test -d . -t /path/to/
link_on_another_device Best regards, Evgeniy Gorbanyov
Unfortunately your message was corrupted somehow. The above is what I
see, and it's hard to make sense of it. Among other things there is no
file zip.c in the TZDB source. Also, surely you're not trying to use zic
in that way; you want to do something else but I don't know what the
"something else" is.
Please give instructions for how to reproduce the bug from scratch,
including the platform you're running on.
I tried to reproduce the problem as follows, on Ubuntu 24.10 x86-64, but
the following seemed to work without any buffer overflow:
$ wget https://data.iana.org/time-zones/releases/tzdb-2025a.tar.lz
$ tar xf tzdb-2025a.tar.lz
$ cd tzdb-2025a
$ make CFLAGS='-fsanitize=address'
$ touch test
$ ./zic -l test -d . -t /tmp/another-file-system
The last command outputs:
warning: "command line", line 1: symbolic link used because hard link
failed: Invalid cross-device link
and creates a symlink as follows:
$ ls -l /tmp/another-file-system
lrwxrwxrwx 1 eggert eggert 6 Mar 5 11:28 /tmp/another-file-system ->
./test
... a dangling symbolic link, but then the zic command itself doesn't
make much sense.
