On 3/10/20 18:26, Conrad Meyer wrote:
> Hi Xin Li,
>
> Sorry to reply to an old commit.
>
> On Tue, Nov 21, 2017 at 12:14 AM Xin LI <delp...@freebsd.org> wrote:
>>
>> Author: delphij
>> Date: Tue Nov 21 08:14:30 2017
>> New Revision: 326052
>> URL: https://svnweb.freebsd.org/changeset/base/326052
>>
>> Log:
>> Support SIGINFO.
>> ...
>> --- head/usr.bin/gzip/unpack.c Tue Nov 21 07:35:29 2017 (r326051)
>> +++ head/usr.bin/gzip/unpack.c Tue Nov 21 08:14:30 2017 (r326052)
>> ...
>> @@ -152,6 +155,9 @@ unpack_parse_header(int in, int out, char *pre, size_t
>> ssize_t bytesread; /* Bytes read from the file */
>> int i, j, thisbyte;
>>
>> + if (prelen > sizeof hdr)
>> + maybe_err("prelen too long");
>
> This check should perhaps be >=, rather than >.
>
>> +
>> /* Prepend the header buffer if we already read some data */
>> if (prelen != 0)
>> memcpy(hdr, pre, prelen);
>> @@ -160,6 +166,7 @@ unpack_parse_header(int in, int out, char *pre, size_t
>> bytesread = read(in, hdr + prelen, PACK_HEADER_LENGTH - prelen);
>
> In the case where prelen == sizeof(hdr), we invoke read(, pointer past
> end of hdr, 0) above. This should have no effect, but looks
> unintended, and tickles Coverity (CID 1383554).
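Review bot: the guard `if (prelen > sizeof hdr)` in the first hunk stops one short: prelen == sizeof hdr passes it, `memcpy(hdr, pre, prelen)` then fills the buffer to its last byte, and the read in the second hunk is handed `hdr + prelen`, a pointer one past the array, with a length of `PACK_HEADER_LENGTH - prelen`. Using `>=` closes that case; and because the check bounds prelen by `sizeof hdr` while the read length is derived from `PACK_HEADER_LENGTH`, it is worth confirming the two are the same quantity (or writing the check against `PACK_HEADER_LENGTH` directly) so that the guard actually bounds the read.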
Thanks for the analysis. It seems that this is a false positive because the situation can never happen with the current code (the passed prelen has to be either 0 or 4). I've created a changeset at: https://reviews.freebsd.org/D24034 to address it.

Cheers,
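The boundary the thread discusses, as an added example that is not FreeBSD's unpack.c: the committed `>` guard and the proposed `>=` guard are run side by side over a constructed byte buffer standing in for the file descriptor, and the value of PACK_HEADER_LENGTH and the declaration of hdr as a PACK_HEADER_LENGTH-byte array are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define PACK_HEADER_LENGTH 7        /* assumed; the real constant lives in unpack.c */

enum { GUARD_GT = 0, GUARD_GE = 1 }; /* ">" as committed vs ">=" as proposed */

/* Constructed sample data: a fake input stream and a fake "already read" prefix. */
static const unsigned char sample_input[] = { 0x1f, 0x1e, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 };
static const char sample_pre[PACK_HEADER_LENGTH + 1] = "PREFIX!!";

/*
 * Simulated prologue of unpack_parse_header(). Returns -1 when the guard
 * rejects prelen, otherwise the byte count the (simulated) read() is asked
 * for, which makes the zero-length read at hdr + sizeof hdr visible when
 * prelen == sizeof hdr slips through the ">" guard.
 */
static ssize_t header_prologue(const unsigned char *in, size_t inlen,
                               const char *pre, size_t prelen, int guard)
{
    char hdr[PACK_HEADER_LENGTH];      /* assumed to match the original's hdr */
    size_t want;

    if (guard == GUARD_GE ? prelen >= sizeof hdr : prelen > sizeof hdr)
        return -1;                     /* maybe_err("prelen too long") in the original */

    if (prelen != 0)
        memcpy(hdr, pre, prelen);      /* fills hdr completely when prelen == sizeof hdr */

    want = PACK_HEADER_LENGTH - prelen; /* 0 when prelen == sizeof hdr */
    if (want > inlen)
        want = inlen;
    memcpy(hdr + prelen, in, want);     /* hdr + prelen is one past the end when want == 0 */
    return (ssize_t)want;
}

int main(void)
{
    size_t cases[] = { 0, 4, PACK_HEADER_LENGTH, PACK_HEADER_LENGTH + 1 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("prelen=%zu  '>' guard -> %zd   '>=' guard -> %zd\n", cases[i],
               header_prologue(sample_input, sizeof sample_input, sample_pre, cases[i], GUARD_GT),
               header_prologue(sample_input, sizeof sample_input, sample_pre, cases[i], GUARD_GE));
    return 0;
}
```

Only prelen == PACK_HEADER_LENGTH separates the two guards: the `>` form lets it through and requests a zero-byte read past the buffer, the `>=` form rejects it, and the 0 and 4 that the caller actually passes behave identically under both.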