ar: switch from alloca to malloc

If alloca allocates too much stack space, program behavior is undefined,
and basically we segfault.  There is no way to check whether this will
happen ahead of time, so our only choice is to switch to malloc.  If we
try to allocate too much memory from the heap, we'll get a NULL pointer,
and we can diagnose & exit ourselves.  Kind of sucks as alloca was a
perfect fit here, but since the size is coming directly from user input,
we can't trust it is always "reasonable".

Bug: https://bugs.gentoo.org/890579
Signed-off-by: Mike Frysinger <vapier@gentoo.org>

meson.build

@@ -44,7 +44,6 @@ foreach x : [
   'linux/seccomp.h',
   'linux/securebits.h',
   'sys/prctl.h',
-  'alloca.h',
   'elf-hints.h',
   'glob.h',
 ]

paxinc.c

@@ -89,11 +89,13 @@ static uint64_t ar_read_ascii_number(const char *numstr, size_t ndigits, int bas
 archive_member *ar_next(archive_handle *ar)
 {
 	char *s;
+	char *heap_s = NULL;
 	ssize_t len = 0;
 	static archive_member ret;
 
 	if (ar->skip && lseek(ar->fd, ar->skip, SEEK_CUR) == -1) {
 close_and_ret:
+		free(heap_s);
 		free(ar->extfn);
 		close(ar->fd);
 		ar->extfn = NULL;
@@ -146,7 +148,7 @@ archive_member *ar_next(archive_handle *ar)
 			if (read(ar->fd, ret.buf.formatted.name, len) != len)
 				goto close_and_ret;
 		} else {
-			s = alloca(sizeof(char) * len + 1);
+			s = heap_s = xmalloc(sizeof(char) * (len + 1));
 			if (read(ar->fd, s, len) != len)
 				goto close_and_ret;
 			s[len] = '\0';
@@ -167,6 +169,7 @@ archive_member *ar_next(archive_handle *ar)
 	}
 
 	snprintf(ret.name, sizeof(ret.name), "%s:%s", ar->filename, s);
+	free(heap_s);
 	ret.name[sizeof(ret.name) - 1] = '\0';
 	if ((s=strchr(ret.name+strlen(ar->filename), '/')) != NULL)
 		*s = '\0';

porting.h

@@ -40,9 +40,6 @@
 #include <time.h>
 #include <unistd.h>
 #include "elf.h"
-#ifdef HAVE_ALLOCA_H
-# include <alloca.h>
-#endif
 #ifdef HAVE_SYS_PRCTL_H
 # include <sys/prctl.h>
 # ifdef HAVE_LINUX_SECCOMP_H