Bug fix for segfault #105

usefulcat · 2022-08-29T20:18:46Z

In read_thread(), in the "Do we need this block?" block, it failed
to advance to the next wanted_t when w->end is exactly equal to uend.

In the particular case I looked at, this resulted in read_thread()
erroneously putting two blocks into the queue (pipeline_split(),
read.c:570) instead of one.

This resulted in a subsequent crash in tar_read() at read.c:660,
where gArWanted was null (when clearly the code does not expect it
to be null at that point).

My use case:

I have several hundred large .tar.xz files (created by pixz). Each
archive contains over 200k files. I frequently need to extract a lot
of files from each archive, but not all files, only a specific subset.
So I am making heavy use of the -x option to pixz.

In read_thread(), in the "Do we need this block?" block, it failed to advance to the next wanted_t when w->end is exactly equal to uend. In the particular case I looked at, this resulted in read_thread() erroneously putting two blocks into the queue (pipeline_split(), read.c:570) instead of one. This resulted in a subsequent crash in tar_read() at read.c:660, where gArWanted was null (when clearly the code does not expect it to be null at that point). My use case: I have several hundred large .tar.xz files (created by pixz). Each archive contains over 200k files. I frequently need to extract a lot of files from each archive, but not all files, only a specific subset. So I am making heavy use of the -x option to pixz.

Don't hold queue mutex while calling malloc/free

usefulcat · 2023-05-05T14:27:53Z

Update: I've been using this fix for over 8 months so far with no problems.

xkszltl · 2023-09-13T06:48:12Z

src/read.c

@@ -536,7 +536,7 @@ static void read_thread(void) {
                debug("read: skip %llu", iter.block.number_in_file);
                continue;
            }
-            for ( ; w && w->end < uend; w = w->next) ;
+            for ( ; w && w->end <= uend; w = w->next) ;


Does it make sense to have <= here together with the >= in the if condition above?

nvm that's start, I think this makes sense.

xkszltl · 2023-09-13T08:39:35Z

We run into the same issue on Ubuntu 22.04 with its stock pixz 1.0.7, where pixz -x path -i file.txz segfault after printing out most of the file content.
Did some debugging with gdb and found the same root cause, i.e. gArWanted = 0x0 in tar_read().
This bug would be triggered whenever a file end aligns with block boundary.

It's also unsafe to assume, in tar_read(), every block has at least one file from gArWanted to pair with.
Better to early return as well.

@vasi
Could you take a look?
I think this PR should be merged.

xkszltl · 2023-09-13T08:42:35Z

We also confirmed the crash on that particular file can be mitigated by:

Add -f 3.0 to move the block boundary
Append another -x next_path to include more blocks.

usefulcat added 2 commits August 29, 2022 14:48

minor optimization

57d9add

Don't hold queue mutex while calling malloc/free

usefulcat mentioned this pull request Sep 9, 2022

Crash when using -x option #106

Closed

xkszltl reviewed Sep 13, 2023

View reviewed changes

vasi merged commit 8155add into vasi:master Sep 13, 2023

dotysan mentioned this pull request Apr 16, 2024

any plans for another release soon? #116

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bug fix for segfault #105

Bug fix for segfault #105

usefulcat commented Aug 29, 2022

usefulcat commented May 5, 2023

xkszltl Sep 13, 2023 •

edited

Loading

xkszltl Sep 13, 2023

xkszltl commented Sep 13, 2023

xkszltl commented Sep 13, 2023

Bug fix for segfault #105

Bug fix for segfault #105

Conversation

usefulcat commented Aug 29, 2022

usefulcat commented May 5, 2023

xkszltl Sep 13, 2023 • edited Loading

Choose a reason for hiding this comment

xkszltl Sep 13, 2023

Choose a reason for hiding this comment

xkszltl commented Sep 13, 2023

xkszltl commented Sep 13, 2023

xkszltl Sep 13, 2023 •

edited

Loading