diff --git a/SOURCES/cpio-2.12-improper-input-validation.patch b/SOURCES/cpio-2.12-improper-input-validation.patch
index 25c0b4c..ae75da5 100644
--- a/SOURCES/cpio-2.12-improper-input-validation.patch
+++ b/SOURCES/cpio-2.12-improper-input-validation.patch
@@ -65,7 +65,7 @@ index e2b5f45..53dc99a 100644
while (digits > 0 && value != 0);
+ if (value > 0)
+ {
-+ error (0, 0, _("%s: field width not sufficient for storing %s"),
++ error (1, 0, _("%s: field width not sufficient for storing %s"),
+ filename, fieldname);
+ return 1;
+ }
diff --git a/SOURCES/cpio-2.13-CVE-2021-38185.patch b/SOURCES/cpio-2.13-CVE-2021-38185.patch
new file mode 100644
index 0000000..556959c
--- /dev/null
+++ b/SOURCES/cpio-2.13-CVE-2021-38185.patch
@@ -0,0 +1,1266 @@
+From be54882039632c791493d3657042f7ea9d6f4a20 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Tue, 21 Sep 2021 11:42:02 +0200
+Subject: [PATCH] * src/dstring.c (ds_init): Take a single argument.
+ (ds_free): New function. (ds_resize): Take a single argument. Use
+ x2nrealloc to expand the storage.
+ (ds_reset,ds_append,ds_concat,ds_endswith): New function. (ds_fgetstr):
+ Rewrite. In particular, this fixes integer overflow. (ds_resize): Take
+ additional argument: number of bytes to leave available after ds_idx. All
+ uses changed. * src/dstring.h (dynamic_string): Keep both the allocated
+ length (ds_size) and index of the next free byte in the string (ds_idx).
+ (ds_init,ds_resize): Change signature. (ds_len): New macro.
+ (ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos. *
+ src/copyin.c: Use new ds_ functions. (read_name_from_file): Handle len == 0.
+ (read_name_from_file): Print error message and skip file if its name is not
+ nul-terminated. (long_format): Cast rdev numbers to unsigned long *
+ src/copyout.c: Likewise. * src/copypass.c: Likewise. * src/util.c: Likewise.
+ (tape_empty_output_buffer): Fix condition. * src/idcache.c
+ (getuser,getgroup): Use umaxtostr instead of sprintf. * src/userspec.c
+ (parse_user_spec): Likewise.
+
+---
+ configure.ac | 4 +-
+ src/copyin.c | 228 ++++++++++++++++++-------------------------------
+ src/copyout.c | 77 +++++++++--------
+ src/copypass.c | 34 ++++----
+ src/cpiohdr.h | 9 +-
+ src/dstring.c | 89 +++++++++++++------
+ src/dstring.h | 30 +++----
+ src/extern.h | 22 +++--
+ src/idcache.c | 11 ++-
+ src/makepath.c | 2 +-
+ src/userspec.c | 9 +-
+ src/util.c | 53 +++++++++---
+ 12 files changed, 294 insertions(+), 274 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index c68bd44..49eaacd 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -21,8 +21,8 @@ AC_INIT([GNU cpio], [2.12], [bug-cpio@gnu.org],,
+ AC_CONFIG_SRCDIR(src/cpio.h)
+ AC_CONFIG_AUX_DIR([build-aux])
+ AC_CONFIG_HEADERS([config.h])
+-AC_PREREQ([2.63])
+-AM_INIT_AUTOMAKE([1.11.1 gnits tar-ustar dist-bzip2 std-options silent-rules])
++AC_PREREQ([2.64])
++AM_INIT_AUTOMAKE([1.15 gnits tar-ustar dist-bzip2 std-options silent-rules])
+
+ # Enable silent rules by default:
+ AM_SILENT_RULES([yes])
+diff --git a/src/copyin.c b/src/copyin.c
+index 267ed4b..2f9da73 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -56,10 +56,10 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out,
+ static dynamic_string new_name; /* New file name for rename option. */
+ static int initialized_new_name = false;
+ if (!initialized_new_name)
+- {
+- ds_init (&new_name, 128);
+- initialized_new_name = true;
+- }
++ {
++ ds_init (&new_name);
++ initialized_new_name = true;
++ }
+
+ if (rename_flag)
+ {
+@@ -76,28 +76,7 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out,
+ return -1;
+ }
+ else
+- /* Debian hack: file_hrd.c_name is sometimes set to
+- point to static memory by code in tar.c. This
+- causes a segfault. This has been fixed and an
+- additional check to ensure that the file name
+- is not too long has been added. (Reported by
+- Horst Knobloch.) This bug has been reported to
+- "bug-gnu-utils@prep.ai.mit.edu". (99/1/6) -BEM */
+- {
+- if (archive_format != arf_tar && archive_format != arf_ustar)
+- {
+- free (file_hdr->c_name);
+- file_hdr->c_name = xstrdup (new_name.ds_string);
+- }
+- else
+- {
+- if (is_tar_filename_too_long (new_name.ds_string))
+- error (0, 0, _("%s: file name too long"),
+- new_name.ds_string);
+- else
+- strcpy (file_hdr->c_name, new_name.ds_string);
+- }
+- }
++ cpio_set_c_name (file_hdr, new_name.ds_string);
+ return 0;
+ }
+ �
+@@ -173,10 +152,8 @@ list_file (struct cpio_file_stat* file_hdr, int in_file_des)
+ }
+ else
+ {
+- /* Debian hack: Modified to print a list of filenames
+- terminiated by a null character when the -t and -0
+- flags are used. This has been submitted as a
+- suggestion to "bug-gnu-utils@prep.ai.mit.edu". -BEM */
++ /* Print out the name as it is. The name_end delimiter is normally
++ '\n', but can be reset to '\0' by the -0 option. */
+ printf ("%s%c", file_hdr->c_name, name_end);
+ }
+
+@@ -201,7 +178,7 @@ list_file (struct cpio_file_stat* file_hdr, int in_file_des)
+ �
+ static int
+ try_existing_file (struct cpio_file_stat* file_hdr, int in_file_des,
+- int *existing_dir)
++ bool *existing_dir)
+ {
+ struct stat file_stat;
+
+@@ -344,8 +321,7 @@ create_defered_links_to_skipped (struct cpio_file_stat *file_hdr,
+ d_prev->next = d->next;
+ else
+ deferments = d->next;
+- free (file_hdr->c_name);
+- file_hdr->c_name = xstrdup(d->header.c_name);
++ cpio_set_c_name (file_hdr, d->header.c_name);
+ free_deferment (d);
+ copyin_regular_file(file_hdr, in_file_des);
+ return 0;
+@@ -697,7 +673,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
+ static void
+ copyin_file (struct cpio_file_stat *file_hdr, int in_file_des)
+ {
+- int existing_dir;
++ bool existing_dir = false;
+
+ if (!to_stdout_option
+ && try_existing_file (file_hdr, in_file_des, &existing_dir) < 0)
+@@ -748,7 +724,7 @@ static time_t current_time;
+ this file is a symbolic link to. */
+
+ void
+-long_format (struct cpio_file_stat *file_hdr, char *link_name)
++long_format (struct cpio_file_stat *file_hdr, char const *link_name)
+ {
+ char mbuf[11];
+ char tbuf[40];
+@@ -780,92 +756,42 @@ long_format (struct cpio_file_stat *file_hdr, char *link_name)
+
+ if ((file_hdr->c_mode & CP_IFMT) == CP_IFCHR
+ || (file_hdr->c_mode & CP_IFMT) == CP_IFBLK)
+- printf ("%3lu, %3lu ", file_hdr->c_rdev_maj,
+- file_hdr->c_rdev_min);
++ printf ("%3lu, %3lu ",
++ (unsigned long) file_hdr->c_rdev_maj,
++ (unsigned long) file_hdr->c_rdev_min);
+ else
+ printf ("%8"PRIuMAX" ", (uintmax_t) file_hdr->c_filesize);
+
+ printf ("%s ", tbuf + 4);
+
+- print_name_with_quoting (file_hdr->c_name);
++ printf ("%s", quotearg (file_hdr->c_name));
+ if (link_name)
+ {
+ printf (" -> ");
+- print_name_with_quoting (link_name);
++ printf ("%s", quotearg (link_name));
+ }
+ putc ('\n', stdout);
+ }
+
+-void
+-print_name_with_quoting (register char *p)
+-{
+- register unsigned char c;
+-
+- while ( (c = *p++) )
+- {
+- switch (c)
+- {
+- case '\\':
+- printf ("\\\\");
+- break;
+-
+- case '\n':
+- printf ("\\n");
+- break;
+-
+- case '\b':
+- printf ("\\b");
+- break;
+-
+- case '\r':
+- printf ("\\r");
+- break;
+-
+- case '\t':
+- printf ("\\t");
+- break;
+-
+- case '\f':
+- printf ("\\f");
+- break;
+-
+- case ' ':
+- printf ("\\ ");
+- break;
+-
+- case '"':
+- printf ("\\\"");
+- break;
+-
+- default:
+- if (c > 040 && c < 0177)
+- putchar (c);
+- else
+- printf ("\\%03o", (unsigned int) c);
+- }
+- }
+-}
+-
+ /* Read a pattern file (for the -E option). Put a list of
+ `num_patterns' elements in `save_patterns'. Any patterns that were
+ already in `save_patterns' (from the command line) are preserved. */
+
+ static void
+-read_pattern_file ()
++read_pattern_file (void)
+ {
+- int max_new_patterns;
+- char **new_save_patterns;
+- int new_num_patterns;
++ char **new_save_patterns = NULL;
++ size_t max_new_patterns;
++ size_t new_num_patterns;
+ int i;
+- dynamic_string pattern_name;
++ dynamic_string pattern_name = DYNAMIC_STRING_INITIALIZER;
+ FILE *pattern_fp;
+
+ if (num_patterns < 0)
+ num_patterns = 0;
+- max_new_patterns = 1 + num_patterns;
+- new_save_patterns = (char **) xmalloc (max_new_patterns * sizeof (char *));
+ new_num_patterns = num_patterns;
+- ds_init (&pattern_name, 128);
++ max_new_patterns = num_patterns;
++ new_save_patterns = xcalloc (max_new_patterns, sizeof (new_save_patterns[0]));
+
+ pattern_fp = fopen (pattern_file_name, "r");
+ if (pattern_fp == NULL)
+@@ -874,16 +800,16 @@ read_pattern_file ()
+ {
+ while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL)
+ {
+- if (new_num_patterns >= max_new_patterns)
+- {
+- max_new_patterns += 1;
+- new_save_patterns = (char **)
+- xrealloc ((char *) new_save_patterns,
+- max_new_patterns * sizeof (char *));
+- }
++ if (new_num_patterns == max_new_patterns)
++ new_save_patterns = x2nrealloc (new_save_patterns,
++ &max_new_patterns,
++ sizeof (new_save_patterns[0]));
+ new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string);
+ ++new_num_patterns;
+ }
++
++ ds_free (&pattern_name);
++
+ if (ferror (pattern_fp) || fclose (pattern_fp) == EOF)
+ close_error (pattern_file_name);
+ }
+@@ -1066,6 +992,27 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
+ }
+ }
+
++static void
++read_name_from_file (struct cpio_file_stat *file_hdr, int fd, uintmax_t len)
++{
++ if (len == 0)
++ {
++ error (0, 0, _("malformed header: file name of zero length"));
++ }
++ else
++ {
++ cpio_realloc_c_name (file_hdr, len);
++ tape_buffered_read (file_hdr->c_name, fd, len);
++ if (file_hdr->c_name[len-1] != 0)
++ {
++ error (0, 0, _("malformed header: file name is not nul-terminated"));
++ /* Skip this file */
++ len = 0;
++ }
++ }
++ file_hdr->c_namesize = len;
++}
++
+ /* Fill in FILE_HDR by reading an old-format ASCII format cpio header from
+ file descriptor IN_DES, except for the magic number, which is
+ already filled in. */
+@@ -1092,14 +1039,9 @@ read_in_old_ascii (struct cpio_file_stat *file_hdr, int in_des)
+ file_hdr->c_rdev_min = minor (dev);
+
+ file_hdr->c_mtime = FROM_OCTAL (ascii_header.c_mtime);
+- file_hdr->c_namesize = FROM_OCTAL (ascii_header.c_namesize);
+ file_hdr->c_filesize = FROM_OCTAL (ascii_header.c_filesize);
+
+- /* Read file name from input. */
+- if (file_hdr->c_name != NULL)
+- free (file_hdr->c_name);
+- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize + 1);
+- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
++ read_name_from_file (file_hdr, in_des, FROM_OCTAL (ascii_header.c_namesize));
+
+ /* HP/UX cpio creates archives that look just like ordinary archives,
+ but for devices it sets major = 0, minor = 1, and puts the
+@@ -1154,14 +1096,9 @@ read_in_new_ascii (struct cpio_file_stat *file_hdr, int in_des)
+ file_hdr->c_dev_min = FROM_HEX (ascii_header.c_dev_min);
+ file_hdr->c_rdev_maj = FROM_HEX (ascii_header.c_rdev_maj);
+ file_hdr->c_rdev_min = FROM_HEX (ascii_header.c_rdev_min);
+- file_hdr->c_namesize = FROM_HEX (ascii_header.c_namesize);
+ file_hdr->c_chksum = FROM_HEX (ascii_header.c_chksum);
+
+- /* Read file name from input. */
+- if (file_hdr->c_name != NULL)
+- free (file_hdr->c_name);
+- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize);
+- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
++ read_name_from_file (file_hdr, in_des, FROM_HEX (ascii_header.c_namesize));
+
+ /* In SVR4 ASCII format, the amount of space allocated for the header
+ is rounded up to the next long-word, so we might need to drop
+@@ -1209,16 +1146,10 @@ read_in_binary (struct cpio_file_stat *file_hdr,
+ file_hdr->c_rdev_min = minor ((unsigned short)short_hdr->c_rdev);
+ file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16
+ | short_hdr->c_mtimes[1];
+-
+- file_hdr->c_namesize = short_hdr->c_namesize;
+ file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16
+ | short_hdr->c_filesizes[1];
+
+- /* Read file name from input. */
+- if (file_hdr->c_name != NULL)
+- free (file_hdr->c_name);
+- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize);
+- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
++ read_name_from_file (file_hdr, in_des, short_hdr->c_namesize);
+
+ /* In binary mode, the amount of space allocated in the header for
+ the filename is `c_namesize' rounded up to the next short-word,
+@@ -1278,14 +1209,14 @@ swab_array (char *ptr, int count)
+ in the file system. */
+
+ void
+-process_copy_in ()
++process_copy_in (void)
+ {
+- char done = false; /* True if trailer reached. */
+ FILE *tty_in = NULL; /* Interactive file for rename option. */
+ FILE *tty_out = NULL; /* Interactive file for rename option. */
+ FILE *rename_in = NULL; /* Batch file for rename option. */
+ struct stat file_stat; /* Output file stat record. */
+- struct cpio_file_stat file_hdr; /* Output header information. */
++ struct cpio_file_stat file_hdr = CPIO_FILE_STAT_INITIALIZER;
++ /* Output header information. */
+ int in_file_des; /* Input file descriptor. */
+ char skip_file; /* Flag for use with patterns. */
+ int i; /* Loop index variable. */
+@@ -1298,8 +1229,7 @@ process_copy_in ()
+ {
+ read_pattern_file ();
+ }
+- file_hdr.c_name = NULL;
+-
++ file_hdr.c_namesize = 0;
+ if (rename_batch_file)
+ {
+ rename_in = fopen (rename_batch_file, "r");
+@@ -1352,7 +1282,7 @@ process_copy_in ()
+ change_dir ();
+
+ /* While there is more input in the collection, process the input. */
+- while (!done)
++ while (1)
+ {
+ swapping_halfwords = swapping_bytes = false;
+
+@@ -1380,30 +1310,32 @@ process_copy_in ()
+
+ }
+ #endif
+- /* Is this the header for the TRAILER file? */
+- if (strcmp (CPIO_TRAILER_NAME, file_hdr.c_name) == 0)
++ if (file_hdr.c_namesize == 0)
++ skip_file = true;
++ else
+ {
+- done = true;
+- break;
+- }
++ /* Is this the header for the TRAILER file? */
++ if (strcmp (CPIO_TRAILER_NAME, file_hdr.c_name) == 0)
++ break;
+
+- cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
+- false);
++ cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
++ false);
+
+- /* Does the file name match one of the given patterns? */
+- if (num_patterns <= 0)
+- skip_file = false;
+- else
+- {
+- skip_file = copy_matching_files;
+- for (i = 0; i < num_patterns
+- && skip_file == copy_matching_files; i++)
++ /* Does the file name match one of the given patterns? */
++ if (num_patterns <= 0)
++ skip_file = false;
++ else
+ {
+- if (fnmatch (save_patterns[i], file_hdr.c_name, 0) == 0)
+- skip_file = !copy_matching_files;
++ skip_file = copy_matching_files;
++ for (i = 0; i < num_patterns
++ && skip_file == copy_matching_files; i++)
++ {
++ if (fnmatch (save_patterns[i], file_hdr.c_name, 0) == 0)
++ skip_file = !copy_matching_files;
++ }
+ }
+ }
+-
++
+ if (skip_file)
+ {
+ /* If we're skipping a file with links, there might be other
+@@ -1494,6 +1426,8 @@ process_copy_in ()
+ fputc ('\n', stderr);
+
+ apply_delayed_set_stat ();
++
++ cpio_file_stat_free (&file_hdr);
+
+ if (append_flag)
+ return;
+diff --git a/src/copyout.c b/src/copyout.c
+index 56416ba..a576f27 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -269,26 +269,32 @@ writeout_final_defers (int out_des)
+ so it should be moved to paxutils too.
+ Allowed values for logbase are: 1 (binary), 2, 3 (octal), 4 (hex) */
+ int
+-to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase)
++to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase, bool nul)
+ {
+ static char codetab[] = "0123456789ABCDEF";
+- int i = digits;
+
+- do
++ if (nul)
++ where[--digits] = 0;
++ while (digits > 0)
+ {
+- where[--i] = codetab[(v & ((1 << logbase) - 1))];
++ where[--digits] = codetab[(v & ((1 << logbase) - 1))];
+ v >>= logbase;
+ }
+- while (i);
+
+ return v != 0;
+ }
+
+-static void
+-field_width_error (const char *filename, const char *fieldname)
++void
++field_width_error (const char *filename, const char *fieldname,
++ uintmax_t value, size_t width, bool nul)
+ {
+- error (1, 0, _("%s: field width not sufficient for storing %s"),
+- filename, fieldname);
++ char valbuf[UINTMAX_STRSIZE_BOUND + 1];
++ char maxbuf[UINTMAX_STRSIZE_BOUND + 1];
++ error (1, 0, _("%s: value %s %s out of allowed range 0..%s"),
++ filename, fieldname,
++ STRINGIFY_BIGINT (value, valbuf),
++ STRINGIFY_BIGINT (MAX_VAL_WITH_DIGITS (width - nul, LG_8),
++ maxbuf));
+ }
+
+ static void
+@@ -303,7 +309,7 @@ to_ascii_or_warn (char *where, uintmax_t n, size_t digits,
+ unsigned logbase,
+ const char *filename, const char *fieldname)
+ {
+- if (to_ascii (where, n, digits, logbase))
++ if (to_ascii (where, n, digits, logbase, false))
+ field_width_warning (filename, fieldname);
+ }
+
+@@ -312,9 +318,9 @@ to_ascii_or_error (char *where, uintmax_t n, size_t digits,
+ unsigned logbase,
+ const char *filename, const char *fieldname)
+ {
+- if (to_ascii (where, n, digits, logbase))
++ if (to_ascii (where, n, digits, logbase, false))
+ {
+- field_width_error (filename, fieldname);
++ field_width_error (filename, fieldname, n, digits, false);
+ return 1;
+ }
+ return 0;
+@@ -371,7 +377,7 @@ write_out_new_ascii_header (const char *magic_string,
+ _("name size")))
+ return 1;
+ p += 8;
+- to_ascii (p, file_hdr->c_chksum & 0xffffffff, 8, LG_16);
++ to_ascii (p, file_hdr->c_chksum & 0xffffffff, 8, LG_16, false);
+
+ tape_buffered_write (ascii_header, out_des, sizeof ascii_header);
+
+@@ -388,7 +394,7 @@ write_out_old_ascii_header (dev_t dev, dev_t rdev,
+ char ascii_header[76];
+ char *p = ascii_header;
+
+- to_ascii (p, file_hdr->c_magic, 6, LG_8);
++ to_ascii (p, file_hdr->c_magic, 6, LG_8, false);
+ p += 6;
+ to_ascii_or_warn (p, dev, 6, LG_8, file_hdr->c_name, _("device number"));
+ p += 6;
+@@ -492,7 +498,10 @@ write_out_binary_header (dev_t rdev,
+ short_hdr.c_namesize = file_hdr->c_namesize & 0xFFFF;
+ if (short_hdr.c_namesize != file_hdr->c_namesize)
+ {
+- field_width_error (file_hdr->c_name, _("name size"));
++ char maxbuf[UINTMAX_STRSIZE_BOUND + 1];
++ error (1, 0, _("%s: value %s %s out of allowed range 0..%u"),
++ file_hdr->c_name, _("name size"),
++ STRINGIFY_BIGINT (file_hdr->c_namesize, maxbuf), 0xFFFFu);
+ return 1;
+ }
+
+@@ -502,7 +511,10 @@ write_out_binary_header (dev_t rdev,
+ if (((off_t)short_hdr.c_filesizes[0] << 16) + short_hdr.c_filesizes[1]
+ != file_hdr->c_filesize)
+ {
+- field_width_error (file_hdr->c_name, _("file size"));
++ char maxbuf[UINTMAX_STRSIZE_BOUND + 1];
++ error (1, 0, _("%s: value %s %s out of allowed range 0..%lu"),
++ file_hdr->c_name, _("file size"),
++ STRINGIFY_BIGINT (file_hdr->c_namesize, maxbuf), 0xFFFFFFFFlu);
+ return 1;
+ }
+
+@@ -582,17 +594,18 @@ assign_string (char **pvar, char *value)
+ The format of the header depends on the compatibility (-c) flag. */
+
+ void
+-process_copy_out ()
++process_copy_out (void)
+ {
+- dynamic_string input_name; /* Name of file read from stdin. */
++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
++ /* Name of file read from stdin. */
+ struct stat file_stat; /* Stat record for file. */
+- struct cpio_file_stat file_hdr; /* Output header information. */
++ struct cpio_file_stat file_hdr = CPIO_FILE_STAT_INITIALIZER;
++ /* Output header information. */
+ int in_file_des; /* Source file descriptor. */
+ int out_file_des; /* Output file descriptor. */
+ char *orig_file_name = NULL;
+
+ /* Initialize the copy out. */
+- ds_init (&input_name, 128);
+ file_hdr.c_magic = 070707;
+
+ /* Check whether the output file might be a tape. */
+@@ -644,14 +657,9 @@ process_copy_out ()
+ {
+ if (file_hdr.c_mode & CP_IFDIR)
+ {
+- int len = strlen (input_name.ds_string);
+ /* Make sure the name ends with a slash */
+- if (input_name.ds_string[len-1] != '/')
+- {
+- ds_resize (&input_name, len + 2);
+- input_name.ds_string[len] = '/';
+- input_name.ds_string[len+1] = 0;
+- }
++ if (!ds_endswith (&input_name, '/'))
++ ds_append (&input_name, '/');
+ }
+ }
+
+@@ -659,8 +667,7 @@ process_copy_out ()
+ cpio_safer_name_suffix (input_name.ds_string, false,
+ !no_abs_paths_flag, true);
+ #ifndef HPUX_CDF
+- file_hdr.c_name = input_name.ds_string;
+- file_hdr.c_namesize = strlen (input_name.ds_string) + 1;
++ cpio_set_c_name (&file_hdr, input_name.ds_string);
+ #else
+ if ( (archive_format != arf_tar) && (archive_format != arf_ustar) )
+ {
+@@ -669,16 +676,15 @@ process_copy_out ()
+ properly recreate the directory as hidden (in case the
+ files of a directory go into the archive before the
+ directory itself (e.g from "find ... -depth ... | cpio")). */
+- file_hdr.c_name = add_cdf_double_slashes (input_name.ds_string);
+- file_hdr.c_namesize = strlen (file_hdr.c_name) + 1;
++ cpio_set_c_name (&file_hdr,
++ add_cdf_double_slashes (input_name.ds_string));
+ }
+ else
+ {
+ /* We don't mark CDF's in tar files. We assume the "hidden"
+ directory will always go into the archive before any of
+ its files. */
+- file_hdr.c_name = input_name.ds_string;
+- file_hdr.c_namesize = strlen (input_name.ds_string) + 1;
++ cpio_set_c_name (&file_hdr, input_name.ds_string);
+ }
+ #endif
+
+@@ -865,8 +871,7 @@ process_copy_out ()
+ file_hdr.c_chksum = 0;
+
+ file_hdr.c_filesize = 0;
+- file_hdr.c_namesize = 11;
+- file_hdr.c_name = CPIO_TRAILER_NAME;
++ cpio_set_c_name (&file_hdr, CPIO_TRAILER_NAME);
+ if (archive_format != arf_tar && archive_format != arf_ustar)
+ write_out_header (&file_hdr, out_file_des);
+ else
+@@ -884,6 +889,8 @@ process_copy_out ()
+ ngettext ("%lu block\n", "%lu blocks\n",
+ (unsigned long) blocks), (unsigned long) blocks);
+ }
++ cpio_file_stat_free (&file_hdr);
++ ds_free (&input_name);
+ }
+
+
+diff --git a/src/tar.c b/src/tar.c
+index 1b1156e..0a34845 100644
+--- a/src/tar.c
++++ b/src/tar.c
+@@ -282,7 +282,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
+ if (null_block ((long *) &tar_rec, TARRECORDSIZE))
+ #endif
+ {
+- file_hdr->c_name = CPIO_TRAILER_NAME;
++ cpio_set_c_name (file_hdr, CPIO_TRAILER_NAME);
+ return;
+ }
+ #if 0
+@@ -316,9 +316,11 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
+ }
+
+ if (archive_format != arf_ustar)
+- file_hdr->c_name = stash_tar_filename (NULL, tar_hdr->name);
++ cpio_set_c_name (file_hdr, stash_tar_filename (NULL, tar_hdr->name));
+ else
+- file_hdr->c_name = stash_tar_filename (tar_hdr->prefix, tar_hdr->name);
++ cpio_set_c_name (file_hdr, stash_tar_filename (tar_hdr->prefix,
++ tar_hdr->name));
++
+ file_hdr->c_nlink = 1;
+ file_hdr->c_mode = FROM_OCTAL (tar_hdr->mode);
+ file_hdr->c_mode = file_hdr->c_mode & 07777;
+@@ -398,7 +400,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
+ case AREGTYPE:
+ /* Old tar format; if the last char in filename is '/' then it is
+ a directory, otherwise it's a regular file. */
+- if (file_hdr->c_name[strlen (file_hdr->c_name) - 1] == '/')
++ if (file_hdr->c_name[file_hdr->c_namesize - 1] == '/')
+ file_hdr->c_mode |= CP_IFDIR;
+ else
+ file_hdr->c_mode |= CP_IFREG;
+diff --git a/src/copypass.c b/src/copypass.c
+index b4e7169..8378a9b 100644
+--- a/src/copypass.c
++++ b/src/copypass.c
+@@ -48,10 +48,12 @@ set_copypass_perms (int fd, const char *name, struct stat *st)
+ If `link_flag', link instead of copying. */
+
+ void
+-process_copy_pass ()
++process_copy_pass (void)
+ {
+- dynamic_string input_name; /* Name of file from stdin. */
+- dynamic_string output_name; /* Name of new file. */
++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
++ /* Name of file from stdin. */
++ dynamic_string output_name = DYNAMIC_STRING_INITIALIZER;
++ /* Name of new file. */
+ size_t dirname_len; /* Length of `directory_name'. */
+ int res; /* Result of functions. */
+ char *slash; /* For moving past slashes in input name. */
+@@ -69,25 +71,19 @@ process_copy_pass ()
+ created files */
+
+ /* Initialize the copy pass. */
+- ds_init (&input_name, 128);
+
+ dirname_len = strlen (directory_name);
+ if (change_directory_option && !ISSLASH (directory_name[0]))
+ {
+ char *pwd = xgetcwd ();
+
+- dirname_len += strlen (pwd) + 1;
+- ds_init (&output_name, dirname_len + 2);
+- strcpy (output_name.ds_string, pwd);
+- strcat (output_name.ds_string, "/");
+- strcat (output_name.ds_string, directory_name);
++ ds_concat (&output_name, pwd);
++ ds_append (&output_name, '/');
+ }
+- else
+- {
+- ds_init (&output_name, dirname_len + 2);
+- strcpy (output_name.ds_string, directory_name);
+- }
+- output_name.ds_string[dirname_len] = '/';
++
++ ds_concat (&output_name, directory_name);
++ ds_append (&output_name, '/');
++ dirname_len = ds_len (&output_name);
+ output_is_seekable = true;
+
+ change_dir ();
+@@ -127,8 +123,8 @@ process_copy_pass ()
+ keep track of which directories in a path are "hidden". */
+ slash = add_cdf_double_slashes (slash);
+ #endif
+- ds_resize (&output_name, dirname_len + strlen (slash) + 2);
+- strcpy (output_name.ds_string + dirname_len + 1, slash);
++ ds_reset (&output_name, dirname_len);
++ ds_concat (&output_name, slash);
+
+ existing_dir = false;
+ if (lstat (output_name.ds_string, &out_file_stat) == 0)
+@@ -346,6 +342,8 @@ process_copy_pass ()
+ (unsigned long) blocks),
+ (unsigned long) blocks);
+ }
++ ds_free (&input_name);
++ ds_free (&output_name);
+ }
+ �
+ /* Try and create a hard link from FILE_NAME to another file
+@@ -385,7 +383,7 @@ link_to_maj_min_ino (char *file_name, int st_dev_maj, int st_dev_min,
+ is created, -1 otherwise. */
+
+ int
+-link_to_name (char *link_name, char *link_target)
++link_to_name (char const *link_name, char const *link_target)
+ {
+ int res = link (link_target, link_name);
+ if (res < 0 && create_dir_flag)
+diff --git a/src/cpiohdr.h b/src/cpiohdr.h
+index b29e6fb..aa4a8c4 100644
+--- a/src/cpiohdr.h
++++ b/src/cpiohdr.h
+@@ -126,8 +126,15 @@ struct cpio_file_stat /* Internal representation of a CPIO header */
+ size_t c_namesize;
+ uint32_t c_chksum;
+ char *c_name;
+- char *c_tar_linkname;
++ size_t c_name_buflen;
++ char const *c_tar_linkname;
+ };
+
++#define CPIO_FILE_STAT_INITIALIZER \
++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, NULL, 0, NULL }
++void cpio_file_stat_init (struct cpio_file_stat *file_hdr);
++void cpio_file_stat_free (struct cpio_file_stat *file_hdr);
++void cpio_set_c_name(struct cpio_file_stat *file_hdr, char *name);
++void cpio_realloc_c_name (struct cpio_file_stat *file_hdr, size_t len);
+
+ #endif /* cpiohdr.h */
+diff --git a/src/dstring.c b/src/dstring.c
+index 2e6b97b..b70d72e 100644
+--- a/src/dstring.c
++++ b/src/dstring.c
+@@ -22,37 +22,52 @@
+ #endif
+
+ #include <stdio.h>
++#include <stdlib.h>
+ #if defined(HAVE_STRING_H) || defined(STDC_HEADERS)
+ #include <string.h>
+ #else
+ #include <strings.h>
+ #endif
+ #include "dstring.h"
+-
+-char *xmalloc (unsigned n);
+-char *xrealloc (char *p, unsigned n);
++#include <xalloc.h>
+
+ /* Initialiaze dynamic string STRING with space for SIZE characters. */
+
+ void
+-ds_init (dynamic_string *string, int size)
++ds_init (dynamic_string *string)
++{
++ memset (string, 0, sizeof *string);
++}
++
++/* Free the dynamic string storage. */
++
++void
++ds_free (dynamic_string *string)
+ {
+- string->ds_length = size;
+- string->ds_string = (char *) xmalloc (size);
++ free (string->ds_string);
+ }
+
+-/* Expand dynamic string STRING, if necessary, to hold SIZE characters. */
++/* Expand dynamic string STRING, if necessary. */
+
+ void
+-ds_resize (dynamic_string *string, int size)
++ds_resize (dynamic_string *string, size_t len)
+ {
+- if (size > string->ds_length)
++ while (len + string->ds_idx >= string->ds_size)
+ {
+- string->ds_length = size;
+- string->ds_string = (char *) xrealloc ((char *) string->ds_string, size);
++ string->ds_string = x2nrealloc (string->ds_string, &string->ds_size,
++ 1);
+ }
+ }
+
++/* Reset the index of the dynamic string S to LEN. */
++
++void
++ds_reset (dynamic_string *s, size_t len)
++{
++ ds_resize (s, len);
++ s->ds_idx = len;
++}
++
+ /* Dynamic string S gets a string terminated by the EOS character
+ (which is removed) from file F. S will increase
+ in size during the function if the string from F is longer than
+@@ -63,34 +78,49 @@ ds_resize (dynamic_string *string, int size)
+ char *
+ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
+ {
+- int insize; /* Amount needed for line. */
+- int strsize; /* Amount allocated for S. */
+ int next_ch;
+
+ /* Initialize. */
+- insize = 0;
+- strsize = s->ds_length;
++ s->ds_idx = 0;
+
+ /* Read the input string. */
+- next_ch = getc (f);
+- while (next_ch != eos && next_ch != EOF)
++ while ((next_ch = getc (f)) != eos && next_ch != EOF)
+ {
+- if (insize >= strsize - 1)
+- {
+- ds_resize (s, strsize * 2 + 2);
+- strsize = s->ds_length;
+- }
+- s->ds_string[insize++] = next_ch;
+- next_ch = getc (f);
++ ds_resize (s, 0);
++ s->ds_string[s->ds_idx++] = next_ch;
+ }
+- s->ds_string[insize++] = '\0';
++ ds_resize (s, 0);
++ s->ds_string[s->ds_idx] = '\0';
+
+- if (insize == 1 && next_ch == EOF)
++ if (s->ds_idx == 0 && next_ch == EOF)
+ return NULL;
+ else
+ return s->ds_string;
+ }
+
++void
++ds_append (dynamic_string *s, int c)
++{
++ ds_resize (s, 0);
++ s->ds_string[s->ds_idx] = c;
++ if (c)
++ {
++ s->ds_idx++;
++ ds_resize (s, 0);
++ s->ds_string[s->ds_idx] = 0;
++ }
++}
++
++void
++ds_concat (dynamic_string *s, char const *str)
++{
++ size_t len = strlen (str);
++ ds_resize (s, len);
++ memcpy (s->ds_string + s->ds_idx, str, len);
++ s->ds_idx += len;
++ s->ds_string[s->ds_idx] = 0;
++}
++
+ char *
+ ds_fgets (FILE *f, dynamic_string *s)
+ {
+@@ -102,3 +132,10 @@ ds_fgetname (FILE *f, dynamic_string *s)
+ {
+ return ds_fgetstr (f, s, '\0');
+ }
++
++/* Return true if the dynamic string S ends with character C. */
++int
++ds_endswith (dynamic_string *s, int c)
++{
++ return (s->ds_idx > 0 && s->ds_string[s->ds_idx - 1] == c);
++}
+diff --git a/src/dstring.h b/src/dstring.h
+index 5b49def..a2b6183 100644
+--- a/src/dstring.h
++++ b/src/dstring.h
+@@ -17,10 +17,6 @@
+ Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301 USA. */
+
+-#ifndef NULL
+-#define NULL 0
+-#endif
+-
+ /* A dynamic string consists of record that records the size of an
+ allocated string and the pointer to that string. The actual string
+ is a normal zero byte terminated string that can be used with the
+@@ -30,22 +26,24 @@
+
+ typedef struct
+ {
+- int ds_length; /* Actual amount of storage allocated. */
+- char *ds_string; /* String. */
++ size_t ds_size; /* Actual amount of storage allocated. */
++ size_t ds_idx; /* Index of the next free byte in the string. */
++ char *ds_string; /* String storage. */
+ } dynamic_string;
+
++#define DYNAMIC_STRING_INITIALIZER { 0, 0, NULL }
+
+-/* Macros that look similar to the original string functions.
+- WARNING: These macros work only on pointers to dynamic string records.
+- If used with a real record, an "&" must be used to get the pointer. */
+-#define ds_strlen(s) strlen ((s)->ds_string)
+-#define ds_strcmp(s1, s2) strcmp ((s1)->ds_string, (s2)->ds_string)
+-#define ds_strncmp(s1, s2, n) strncmp ((s1)->ds_string, (s2)->ds_string, n)
+-#define ds_index(s, c) index ((s)->ds_string, c)
+-#define ds_rindex(s, c) rindex ((s)->ds_string, c)
++void ds_init (dynamic_string *string);
++void ds_free (dynamic_string *string);
++void ds_reset (dynamic_string *s, size_t len);
+
+-void ds_init (dynamic_string *string, int size);
+-void ds_resize (dynamic_string *string, int size);
++/* All functions below guarantee that s->ds_string[s->ds_idx] == '\0' */
+ char *ds_fgetname (FILE *f, dynamic_string *s);
+ char *ds_fgets (FILE *f, dynamic_string *s);
+ char *ds_fgetstr (FILE *f, dynamic_string *s, char eos);
++void ds_append (dynamic_string *s, int c);
++void ds_concat (dynamic_string *s, char const *str);
++
++#define ds_len(s) ((s)->ds_idx)
++
++int ds_endswith (dynamic_string *s, int c);
+diff --git a/src/extern.h b/src/extern.h
+index 47b477a..6330e04 100644
+--- a/src/extern.h
++++ b/src/extern.h
+@@ -111,18 +111,21 @@ void read_in_binary (struct cpio_file_stat *file_hdr,
+ struct old_cpio_header *short_hdr, int in_des);
+ void swab_array (char *arg, int count);
+ void process_copy_in (void);
+-void long_format (struct cpio_file_stat *file_hdr, char *link_name);
+-void print_name_with_quoting (char *p);
++void long_format (struct cpio_file_stat *file_hdr, char const *link_name);
+
+ /* copyout.c */
+ int write_out_header (struct cpio_file_stat *file_hdr, int out_des);
+ void process_copy_out (void);
++int to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase,
++ bool nul);
++void field_width_error (const char *filename, const char *fieldname,
++ uintmax_t value, size_t width, bool nul);
+
+ /* copypass.c */
+ void process_copy_pass (void);
+ int link_to_maj_min_ino (char *file_name, int st_dev_maj,
+ int st_dev_min, ino_t st_ino);
+-int link_to_name (char *link_name, char *link_target);
++int link_to_name (char const *link_name, char const *link_target);
+
+ /* dirname.c */
+ char *dirname (char *path);
+@@ -141,7 +144,7 @@ void process_args (int argc, char *argv[]);
+ void initialize_buffers (void);
+
+ /* makepath.c */
+-int make_path (char *argpath, uid_t owner, gid_t group,
++int make_path (char const *argpath, uid_t owner, gid_t group,
+ const char *verbose_fmt_string);
+
+ /* tar.c */
+@@ -169,7 +172,7 @@ void copy_files_disk_to_tape (int in_des, int out_des, off_t num_bytes, char *fi
+ void copy_files_disk_to_disk (int in_des, int out_des, off_t num_bytes, char *filename);
+ void warn_if_file_changed (char *file_name, off_t old_file_size,
+ time_t old_file_mtime);
+-void create_all_directories (char *name);
++void create_all_directories (char const *name);
+ void prepare_append (int out_file_des);
+ char *find_inode_file (ino_t node_num,
+ unsigned long major_num, unsigned long minor_num);
+@@ -204,10 +207,17 @@ void cpio_safer_name_suffix (char *name, bool link_target,
+ int cpio_create_dir (struct cpio_file_stat *file_hdr, int existing_dir);
+ void change_dir (void);
+
+-/* FIXME: These two defines should be defined in paxutils */
++/* FIXME: The following three should be defined in paxutils */
+ #define LG_8 3
+ #define LG_16 4
+
++/* The maximum uintmax_t value that can be represented with DIGITS digits,
++ assuming that each digit is BITS_PER_DIGIT wide. */
++#define MAX_VAL_WITH_DIGITS(digits, bits_per_digit) \
++ ((digits) * (bits_per_digit) < sizeof (uintmax_t) * CHAR_BIT \
++ ? ((uintmax_t) 1 << ((digits) * (bits_per_digit))) - 1 \
++ : (uintmax_t) -1)
++
+ uintmax_t from_ascii (char const *where, size_t digs, unsigned logbase);
+
+ #define FROM_OCTAL(f) from_ascii (f, sizeof f, LG_8)
+diff --git a/src/idcache.c b/src/idcache.c
+index c89e7f1..e82414e 100644
+--- a/src/idcache.c
++++ b/src/idcache.c
+@@ -34,6 +34,7 @@
+ #endif
+
+ #include <unistd.h>
++#include <inttostr.h>
+
+ struct userid
+ {
+@@ -59,7 +60,6 @@ getuser (uid_t uid)
+ {
+ register struct userid *tail;
+ struct passwd *pwent;
+- char usernum_string[20];
+
+ for (tail = user_alist; tail; tail = tail->next)
+ if (tail->id.u == uid)
+@@ -70,8 +70,8 @@ getuser (uid_t uid)
+ tail->id.u = uid;
+ if (pwent == 0)
+ {
+- sprintf (usernum_string, "%u", (unsigned) uid);
+- tail->name = xstrdup (usernum_string);
++ char nbuf[UINTMAX_STRSIZE_BOUND];
++ tail->name = xstrdup (umaxtostr (uid, nbuf));
+ }
+ else
+ tail->name = xstrdup (pwent->pw_name);
+@@ -134,7 +134,6 @@ getgroup (gid_t gid)
+ {
+ register struct userid *tail;
+ struct group *grent;
+- char groupnum_string[20];
+
+ for (tail = group_alist; tail; tail = tail->next)
+ if (tail->id.g == gid)
+@@ -145,8 +144,8 @@ getgroup (gid_t gid)
+ tail->id.g = gid;
+ if (grent == 0)
+ {
+- sprintf (groupnum_string, "%u", (unsigned int) gid);
+- tail->name = xstrdup (groupnum_string);
++ char nbuf[UINTMAX_STRSIZE_BOUND];
++ tail->name = xstrdup (umaxtostr (gid, nbuf));
+ }
+ else
+ tail->name = xstrdup (grent->gr_name);
+diff --git a/src/makepath.c b/src/makepath.c
+index 18d5b69..bad2537 100644
+--- a/src/makepath.c
++++ b/src/makepath.c
+@@ -49,7 +49,7 @@
+ ownership and permissions when done, otherwise 1. */
+
+ int
+-make_path (char *argpath,
++make_path (char const *argpath,
+ uid_t owner,
+ gid_t group,
+ const char *verbose_fmt_string)
+diff --git a/src/userspec.c b/src/userspec.c
+index 14d608c..7b8bf2f 100644
+--- a/src/userspec.c
++++ b/src/userspec.c
+@@ -24,6 +24,7 @@
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <sys/types.h>
++#include <inttostr.h>
+
+ #ifndef HAVE_ENDPWENT
+ # define endpwent()
+@@ -141,12 +142,8 @@ parse_user_spec (const char *spec_arg, uid_t *uid, gid_t *gid,
+ grp = getgrgid (pwd->pw_gid);
+ if (grp == NULL)
+ {
+- /* This is enough room to hold the unsigned decimal
+- representation of any 32-bit quantity and the trailing
+- zero byte. */
+- char uint_buf[21];
+- sprintf (uint_buf, "%u", (unsigned) (pwd->pw_gid));
+- V_STRDUP (groupname, uint_buf);
++ char nbuf[UINTMAX_STRSIZE_BOUND];
++ V_STRDUP (groupname, umaxtostr (pwd->pw_gid, nbuf));
+ }
+ else
+ {
+diff --git a/src/util.c b/src/util.c
+index 11f9c30..097304f 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -79,8 +79,7 @@ tape_empty_output_buffer (int out_des)
+
+ if (output_is_special
+ && (bytes_written >= 0
+- || (bytes_written < 0
+- && (errno == ENOSPC || errno == EIO || errno == ENXIO))))
++ || (errno == ENOSPC || errno == EIO || errno == ENXIO)))
+ {
+ get_next_reel (out_des);
+ if (bytes_written > 0)
+@@ -596,7 +595,7 @@ warn_if_file_changed (char *file_name, off_t old_file_size,
+ Do not destroy any nondirectories while creating directories. */
+
+ void
+-create_all_directories (char *name)
++create_all_directories (char const *name)
+ {
+ char *dir;
+ int mode;
+@@ -718,7 +717,6 @@ find_inode_val (ino_t node_num, unsigned long major_num,
+ unsigned long minor_num)
+ {
+ struct inode_val sample;
+- struct inode_val *ival;
+
+ if (!hash_table)
+ return NULL;
+@@ -768,7 +766,7 @@ add_inode (ino_t node_num, char *file_name, unsigned long major_num,
+ return e;
+ }
+
+-static ino_t
++static void
+ get_inode_and_dev (struct cpio_file_stat *hdr, struct stat *st)
+ {
+ if (renumber_inodes_option)
+@@ -859,11 +857,9 @@ get_next_reel (int tape_des)
+ FILE *tty_out; /* File for interacting with user. */
+ int old_tape_des;
+ char *next_archive_name;
+- dynamic_string new_name;
++ dynamic_string new_name = DYNAMIC_STRING_INITIALIZER;
+ char *str_res;
+
+- ds_init (&new_name, 128);
+-
+ /* Open files for interactive communication. */
+ tty_in = fopen (TTY_NAME, "r");
+ if (tty_in == NULL)
+@@ -938,7 +934,7 @@ get_next_reel (int tape_des)
+ error (PAXEXIT_FAILURE, 0, _("internal error: tape descriptor changed from %d to %d"),
+ old_tape_des, tape_des);
+
+- free (new_name.ds_string);
++ ds_free (&new_name);
+ fclose (tty_in);
+ fclose (tty_out);
+ }
+@@ -1412,8 +1408,28 @@ set_file_times (int fd,
+ utime_error (name);
+ }
+
++/* Reallocate file_hdr->c_name to accomodate len bytes (including final \0) */
++void
++cpio_realloc_c_name (struct cpio_file_stat *file_hdr, size_t len)
++{
++ while (file_hdr->c_name_buflen < len)
++ file_hdr->c_name = x2realloc (file_hdr->c_name, &file_hdr->c_name_buflen);
++}
++
++void
++cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name)
++{
++ size_t len = strlen (name) + 1;
++
++ cpio_realloc_c_name (file_hdr, len);
++ file_hdr->c_namesize = len;
++ memmove (file_hdr->c_name, name, len);
++}
++
+ /* Do we have to ignore absolute paths, and if so, does the filename
+- have an absolute path? */
++ have an absolute path? Before calling this function make sure that the
++ allocated NAME buffer has capacity at least 2 bytes. */
++
+ void
+ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
+ bool strip_leading_dots)
+@@ -1428,6 +1444,10 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
+ ++p;
+ }
+ if (p != name)
++ /* The 'p' string is shortened version of 'name' with one exception; when
++ the 'name' points to an empty string (buffer where name[0] == '\0') the
++ 'p' then points to static string ".". So caller needs to ensure there
++ are at least two bytes available in 'name' buffer so memmove succeeds. */
+ memmove (name, p, (size_t)(strlen (p) + 1));
+ }
+
+@@ -1689,4 +1709,17 @@ arf_stores_inode_p (enum archive_format arf)
+ }
+ return 1;
+ }
++
++void
++cpio_file_stat_init (struct cpio_file_stat *file_hdr)
++{
++ memset (file_hdr, 0, sizeof (*file_hdr));
++}
++
++void
++cpio_file_stat_free (struct cpio_file_stat *file_hdr)
++{
++ free (file_hdr->c_name);
++ cpio_file_stat_init (file_hdr);
++}
+
+--
+2.31.1
+
diff --git a/SPECS/cpio.spec b/SPECS/cpio.spec
index 4a3b745..ee1404e 100644
--- a/SPECS/cpio.spec
+++ b/SPECS/cpio.spec
@@ -1,7 +1,7 @@
Summary: A GNU archiving program
Name: cpio
Version: 2.12
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPLv3+
URL: http://www.gnu.org/software/cpio/
Source: ftp://ftp.gnu.org/gnu/cpio/cpio-%{version}.tar.bz2
@@ -46,6 +46,18 @@ Patch9: cpio-2.11-retain-symlink-times.patch
# https://cement.retrofitta.se/tmp/cpio-tar.patch
Patch10: cpio-2.12-improper-input-validation.patch
+# Fixed integer overflow in ds_fgetstr()
+# upstream patch (#1992511)
+# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b
+# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dfc801c44a93bed7b3951905b188823d6a0432c8
+# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=236684f6deb3178043fe72a8e2faca538fa2aae1
+# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=4d169305dcb34137dc41acc761d8703eae2c63bf
+# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=86dacfe3e060ce95d5a2c0c5ec01f6437b0b6089
+# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7dd8ba91d8b6a2640e6c01c3e3a4234828646f23
+# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=684b7ac5767e676cda78c161aeb7fe7b45a07529
+# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=b1c85839bf1381f749dd45bf6a5a38924e3315a0
+Patch11: cpio-2.13-CVE-2021-38185.patch
+
Provides: bundled(gnulib)
Provides: /bin/cpio
@@ -72,6 +84,7 @@ Install cpio if you need a program to manage file archives.
%build
+autoreconf -fi
export CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -pedantic -fno-strict-aliasing -Wall $CFLAGS"
%configure --with-rmt="%{_sysconfdir}/rmt"
make %{?_smp_mflags}
@@ -106,6 +119,9 @@ make check || {
%{_infodir}/*.info*
%changelog
+* Mon Sep 20 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.12-11
+- Fixed CVE-2021-38185 (#1992511)
+
* Thu Jan 21 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.12-10
- Fixed improper input validation when writing tar header fields (#1766223)