bsdtar core dumps

Sean McNeil sean at
Thu Aug 19 14:37:29 PDT 2004

On Tue, 2004-08-17 at 14:38, Giorgos Keramidas wrote:
> On 2004-08-17 14:19, Sean McNeil <sean at> wrote:
> > Don't think this is amd64-specific, but perhaps....
> It could be.  Or it might be a recent change that I haven't caught up
> with yet at home (see below).
> > I just tried to unarchive a file that didn't exist and got a core dump:
> > tar zxvvf nonexistent.tar.gz
> $ sysctl hw.machine_arch
> hw.machine_arch: i386
> $ tar zxvvf nonexistent.tar.gz
> tar: Error opening archive: Failed to open 'nonexistent.tar.gz': No such file or directory
> $ uname -v
> FreeBSD 5.2-CURRENT #0: Sun Aug 15 23:21:29 EEST 2004     \
> sysop at
> If versions of bsdtar more recent than Sunday night (around 19:00 UTC)
> all exhibit this problem, look for a recent change that causes this.
> - Giorgos

Here is a backtrace of the error:

#0  0x0000000200926d7e in __vfprintf (fp=0x7fffffffe360,
    fmt0=0x4161d9 "Failed to open '%s'", ap=0x7fffffffe640)
    at /usr/src/lib/libc/stdio/vfprintf.c:1052
#1  0x00000002008c4006 in vsnprintf (str=0x32 <Address 0x32 out of bounds>,
    n=4284889, fmt=0x4161d9 "Failed to open '%s'", ap=0x7fffffffe640)
    at /usr/src/lib/libc/stdio/vsnprintf.c:75
#2  0x0000000000411478 in __archive_string_vsprintf (as=0x520240,
    fmt=0x4161d9 "Failed to open '%s'", ap=0x7fffffffe640)
    at /usr/src/lib/libarchive/archive_string_sprintf.c:60
#3  0x00000000004112f5 in archive_set_error (a=0x520000, error_number=2,
    fmt=0x0) at /usr/src/lib/libarchive/archive_util.c:133
#4  0x00000000004080cd in file_open (a=0x520000, client_data=0x4161d9)
    at /usr/src/lib/libarchive/archive_read_open_file.c:90
#5  0x0000000000411639 in archive_read_open (a=0x520000, client_data=0x51e0c0,
    opener=0x408060 <file_open>, reader=0x408130 <file_read>,
    closer=0x408160 <file_close>) at /usr/src/lib/libarchive/archive_read.c:124
#6  0x0000000000408039 in archive_read_open_file (a=0x520000,
    filename=0x7fffffffec02 "nonexistent.tar.gz", block_size=10240)
    at /usr/src/lib/libarchive/archive_read_open_file.c:75
#7  0x0000000000403a90 in read_archive (bsdtar=0x7fffffffe8b0, mode=120 'x')
    at /usr/src/usr.bin/tar/read.c:86
#8  0x000000000040398e in tar_mode_x (bsdtar=0x32)
    at /usr/src/usr.bin/tar/read.c:62
#9  0x0000000000402e1a in main (argc=7, argv=0xffffffff)
    at /usr/src/usr.bin/tar/bsdtar.c:525

Looks like something wrote past the end of a buffer as the str argument
to vsnprintf is not correct.

(gdb) p *as
$8 = {s = 0x51e100 "", length = 0, buffer_length = 64}

should be

str=0x51e100, n=0

and on the callback trace it is

str=0x32 <Address 0x32 out of bounds>, n=4284889

Could be a compiler bug I suppose, but more likely I think it is this

	if (n == 0) {
		if (on > 0)
			*str = '\0';
		str = dummy;
		n = 1;

in vsnprintf.c::vsnprintf.  It doesn't make sense to me.  I think it
should be

if (n == 0) {
	str = dummy;
	*str = '\0';
	n = 1;

It seems very inappropriate to be messing with an input parameter like
that and then using an uninitialized string in its place.

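An added example, not part of the post and not libc's or libarchive's own code: a small growable string with the same three fields gdb printed for "p *as" above, formatted the way libarchive's error path does it, in two vsnprintf() passes. It shows the two contracts that the frames above exercise. First, vsnprintf() with n == 0 is a measuring call: it returns the would-be length and must not write to str, which is what the libc code quoted above is arranging with the dummy buffer. Second, a va_list that one vsnprintf() has already walked cannot be handed to a second one; the measuring pass has to run on a va_copy(). On the amd64 ABI a va_list is an array that the callee advances in place, so reusing it shifts every later argument, which is one thing worth ruling out when the callee's arguments arrive scrambled (note that the n=4284889 in frame #1 is 0x4161d9, the same value as the fmt pointer). The struct and function names here (sbuf, sbuf_ensure, sbuf_vsprintf, sbuf_printf, the two check_* functions) are assumed, and the message being built is the one from the backtrace.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string with the three fields gdb printed for
 * "p *as" above; assumed names, not libarchive's own code. */
struct sbuf {
	char *s;
	size_t length;
	size_t buffer_length;
};

/* Grow so that at least 'need' bytes (NUL included) fit. */
static int sbuf_ensure(struct sbuf *b, size_t need)
{
	size_t newlen = b->buffer_length ? b->buffer_length : 64;
	char *p;
	if (b->buffer_length >= need)
		return 0;
	while (newlen < need)
		newlen *= 2;
	if ((p = realloc(b->s, newlen)) == NULL)
		return -1;
	b->s = p;
	b->buffer_length = newlen;
	return 0;
}

/* Two-pass formatting: measure with n == 0 (nothing is written), grow,
 * then format for real.  The measuring pass runs on a va_copy() because
 * a va_list one vsnprintf() has walked must not be handed to a second;
 * on the amd64 ABI the callee advances the caller's array in place. */
static int sbuf_vsprintf(struct sbuf *b, const char *fmt, va_list ap)
{
	va_list ap1;
	int n;
	if (fmt == NULL) {
		if (sbuf_ensure(b, 1) < 0)
			return -1;
		b->s[0] = '\0';
		b->length = 0;
		return 0;
	}
	va_copy(ap1, ap);
	n = vsnprintf(NULL, 0, fmt, ap1);	/* measuring pass only */
	va_end(ap1);
	if (n < 0 || sbuf_ensure(b, (size_t)n + 1) < 0)
		return -1;
	vsnprintf(b->s, b->buffer_length, fmt, ap);	/* real pass */
	b->length = (size_t)n;
	return n;
}

static int sbuf_printf(struct sbuf *b, const char *fmt, ...)
{
	va_list ap;
	int n;
	va_start(ap, fmt);
	n = sbuf_vsprintf(b, fmt, ap);
	va_end(ap);
	return n;
}

/* The size-0 contract: snprintf(buf, 0, ...) returns the would-be length
 * and leaves buf untouched.  Returns 1 if that holds. */
static int check_size_zero_probe(void)
{
	char sentinel[8];
	size_t i;
	int n;
	memset(sentinel, 'X', sizeof(sentinel));
	n = snprintf(sentinel, 0, "Failed to open '%s'", "nonexistent.tar.gz");
	for (i = 0; i < sizeof(sentinel); i++)
		if (sentinel[i] != 'X')
			return 0;
	return n == 35;
}

/* Builds the message the crashing call was building.  Returns 1 if the
 * length, the buffer size and the contents all come out right. */
static int check_two_pass_format(void)
{
	struct sbuf b = { NULL, 0, 0 };
	int n = sbuf_printf(&b, "Failed to open '%s'", "nonexistent.tar.gz");
	int ok = n == 35 && b.length == 35 && b.buffer_length >= 36 &&
	    strcmp(b.s, "Failed to open 'nonexistent.tar.gz'") == 0;
	free(b.s);
	return ok;
}

int main(void)
{
	printf("size-zero probe: %s\n", check_size_zero_probe() ? "ok" : "FAIL");
	printf("two-pass format: %s\n", check_two_pass_format() ? "ok" : "FAIL");
	return 0;
}
```

Compile with -Wall and, on an amd64 box, try deleting the va_copy() and passing ap to both calls: the second pass then reads past the arguments the first pass consumed, which is the class of symptom a backtrace with shifted str/n values points at before any buffer overrun is considered.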