From 6f02669c7ba8da9d9bd0592b8c4f87f399e60061 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org.ua>
Date: Mon, 8 Mar 2010 12:27:23 +0200
Subject: [PATCH] Fix eventual memory override and fd exhaustion in create.c
 Both bugs reported by Kamil Dudka.

* src/create.c (check_exclusion_tags): Do not keep
pointer to a location within tagname: it may change
after xrealloc. Use byte offset instead.
(dump_file0): Close fd before returning without
dumping the directory.
---
 src/create.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/create.c b/src/create.c
index 209e428..c69d340 100644
--- a/src/create.c
+++ b/src/create.c
@@ -79,7 +79,7 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
   struct exclusion_tag *tag;
   size_t dlen = strlen (dirname);
   int addslash = dirname[dlen-1] != '/';
-  char *nptr = NULL;
+  size_t noff = 0;
   
   for (tag = exclusion_tags; tag; tag = tag->next)
     {
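Review bot: `noff == 0` now doubles as the "prefix not yet copied" flag, which is only sound when `dirname` is non-empty, and the context line `dirname[dlen-1]` makes the same assumption: with `dlen == 0` the index wraps around and reads outside the string. Nothing visible in this hunk shows that callers guarantee a non-empty name. I would guard the read with `int addslash = dlen > 0 && dirname[dlen-1] != '/';` and add a comment at the declaration such as `/* offset of the tag name within tagname; 0 = prefix not copied yet */`. The function body continues outside the hunk, so the size computation should be checked against that change.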
@@ -90,14 +90,14 @@ check_exclusion_tags (const char *dirname, const char **tag_file_name)
 	  tagname = xrealloc (tagname, tagsize);
 	}
 
-      if (!nptr)
+      if (noff == 0)
 	{
 	  strcpy (tagname, dirname);
-	  nptr = tagname + dlen;
+	  noff = dlen;
 	  if (addslash)
-	    *nptr++ = '/';
+	    tagname[noff++] = '/';
 	}
-      strcpy (nptr, tag->name);
+      strcpy (tagname + noff, tag->name);
       if (access (tagname, F_OK) == 0
 	  && (!tag->predicate || tag->predicate (tagname)))
 	{
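Review bot: Both `strcpy` calls write into `tagname` without a length of their own, so their safety rests entirely on the `tagsize` computation above this hunk, which is not visible here. Given that this loop has already produced one memory-corruption bug around the reallocation, the invariant should be stated next to the writes, e.g. `/* tagname has room for dlen + addslash + strlen (tag->name) + 1 bytes (see xrealloc above) */`. That comment should only go in after confirming the size check really accounts for the optional slash and the terminating NUL. The loop and the function both end outside the hunk.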
@@ -1591,6 +1591,8 @@ dump_file0 (struct tar_stat_info *st, const char *p,
 	    {
 	      exclusion_tag_warning (st->orig_file_name, tag_file_name,
 				     _("directory not dumped"));
+	      if (fd >= 0)
+		close (fd);
 	      return;
 	    }
 	  
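Review bot: The added `close (fd)` covers only this one early return; whether the other exits of `dump_file0` between the open and the normal close also release the descriptor cannot be seen from this hunk. Any `return` added later will reintroduce the leak, and on a large tree that means running out of descriptors partway through an archive. Routing the early exits through a single cleanup label would make the descriptor's lifetime easier to audit than repeating `if (fd >= 0) close (fd);` at each return. Short of that, a comment where `fd` is opened, such as `/* every return below this point must close fd */`, would record the obligation.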
-- 
1.6.5