Author: delphij
Date: Fri Jul 31 08:37:27 2009
New Revision: 195988
URL: http://svn.freebsd.org/changeset/base/195988
Log:
Correct a stack underflow in gzip:
- Limit suffix to be no more than 30 bytes long. This matches GNU
behavior.
- Correct usage of memcpy().
Note that this commit only corrects the stack underflow issue, we
still need some other fixes to cover other edges. [1]
Reported by: Ron Jude <ronj wytheville org>
Discussed with: Matthew Green (original NetBSD gzip author),
Eygene Ryabinkin <rea-fbsd codelabs ru> [1]
Approved by: re (kib)
Modified:
head/usr.bin/gzip/gzip.c
Modified: head/usr.bin/gzip/gzip.c
==============================================================================
--- head/usr.bin/gzip/gzip.c Fri Jul 31 07:53:09 2009 (r195987)
+++ head/usr.bin/gzip/gzip.c Fri Jul 31 08:37:27 2009 (r195988)
@@ -150,6 +150,8 @@ static suffixes_t suffixes[] = {
};
#define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0])
+#define SUFFIX_MAXLEN 30
+
static const char gzip_version[] = "FreeBSD gzip 20090621";
#ifndef SMALL
@@ -372,6 +374,8 @@ main(int argc, char **argv)
case 'S':
len = strlen(optarg);
if (len != 0) {
+ if (len > SUFFIX_MAXLEN)
+ errx(1, "incorrect suffix: '%s': too
long", optarg);
suffixes[0].zipped = optarg;
suffixes[0].ziplen = len;
} else {
@@ -1236,7 +1240,7 @@ file_compress(char *file, char *outfile,
/* Add (usually) .gz to filename */
if ((size_t)snprintf(outfile, outsize, "%s%s",
file, suffixes[0].zipped) >= outsize)
- memcpy(outfile - suffixes[0].ziplen - 1,
+ memcpy(outfile + outsize - suffixes[0].ziplen - 1,
suffixes[0].zipped, suffixes[0].ziplen + 1);
#ifndef SMALL
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "[email protected]"
