Hi, while skipping some header sections of a *.gz file, gzsig uses the function getc without taking a possible EOF return value into account.
On error, the tool should obviously stop with an error message, therefore leaving sign() or verify() with -1. Tobias
Index: sign.c
===================================================================
RCS file: /cvs/src/usr.bin/gzsig/sign.c,v
retrieving revision 1.9
diff -u -p -r1.9 sign.c
--- sign.c	12 Oct 2007 19:52:06 -0000	1.9
+++ sign.c	9 Mar 2013 22:41:53 -0000
@@ -114,12 +114,12 @@ embed_signature(struct key *key, FILE *f
 	offset = ftell(fin);
 	if (gh.flags & GZIP_FNAME) {
-		while (getc(fin) != '\0')
-			;
+		if (skip_string(fin))
+			return (-1);
 	}
 	if (gh.flags & GZIP_FCOMMENT) {
-		while (getc(fin) != '\0')
-			;
+		if (skip_string(fin))
+			return (-1);
 	}
 	if (gh.flags & GZIP_FENCRYPT) {
 		if (fread(buf, 1, GZIP_FENCRYPT_LEN, fin) != GZIP_FENCRYPT_LEN)
Index: util.c
===================================================================
RCS file: /cvs/src/usr.bin/gzsig/util.c,v
retrieving revision 1.2
diff -u -p -r1.2 util.c
--- util.c	28 May 2005 08:07:45 -0000	1.2
+++ util.c	9 Mar 2013 22:41:53 -0000
@@ -62,6 +62,17 @@ copy_permissions(char *srcfile, char *ds
 	return (0);
 }
 
+int
+skip_string(FILE *fin)
+{
+	int c;
+
+	while ((c = getc(fin)) != '\0')
+		if (c == EOF)
+			return (-1);
+	return (0);
+}
+
 void
 fatal(int status, const char *fmt, ...)
 {
Index: util.h
===================================================================
RCS file: /cvs/src/usr.bin/gzsig/util.h,v
retrieving revision 1.2
diff -u -p -r1.2 util.h
--- util.h	28 May 2005 08:07:45 -0000	1.2
+++ util.h	9 Mar 2013 22:41:53 -0000
@@ -34,6 +34,7 @@
 #ifndef UTIL_H
 
 int copy_permissions(char *srcfile, char *dstfile);
+int skip_string(FILE *fin);
 void fatal(int status, const char *fmt, ...);
 
 #endif /* UTIL_H */
Index: verify.c
===================================================================
RCS file: /cvs/src/usr.bin/gzsig/verify.c,v
retrieving revision 1.7
diff -u -p -r1.7 verify.c
--- verify.c	12 Oct 2007 19:52:06 -0000	1.7
+++ verify.c	9 Mar 2013 22:41:53 -0000
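Review bot: The new `return (-1)` after each `skip_string(fin)` call in embed_signature carries no diagnostic, so a gzip header whose FNAME or FCOMMENT field is cut off before its terminating NUL fails in the same silent way as any other error; the post says the tool should stop with an error message, but nothing in this hunk emits one, and whether the caller of embed_signature reports the failure is not visible here. If no message is printed higher up, a short note at the return site such as `/* header truncated inside FNAME/FCOMMENT: no terminating NUL before EOF */` would at least record why -1 is returned, and a `warnx`-style message would make the condition visible to the user. The same applies to the two identical returns in the verify.c hunk in verify_signature. embed_signature starts and continues outside this hunk.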
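Review bot: skip_string in util.c is added without a header comment, yet both callers depend on its exact contract: consume bytes through the first NUL and return -1 if EOF arrives first; suggest `/* Consume fin up to and including the next NUL byte. Returns 0 on success, -1 if EOF or a read error is hit first. */` above the definition. Because getc reports a read error and true end-of-file identically as EOF, the -1 result covers both, so a caller wanting to distinguish a truncated file from an I/O failure would need `ferror(fin)` at the -1 site. The unbraced `while` whose entire body is an `if` is valid KNF but easy to misread as the `if` being sequenced after the loop; braces on the `while` would make the shape explicit.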
@@ -105,12 +105,12 @@ verify_signature(struct key *key, FILE *
 	}
 	/* Skip over any options. */
 	if (gh.flags & GZIP_FNAME) {
-		while (getc(fin) != '\0')
-			;
+		if (skip_string(fin))
+			return (-1);
 	}
 	if (gh.flags & GZIP_FCOMMENT) {
-		while (getc(fin) != '\0')
-			;
+		if (skip_string(fin))
+			return (-1);
 	}
 	if (gh.flags & GZIP_FENCRYPT &&
 	    fread(buf, 1, GZIP_FENCRYPT_LEN, fin) != GZIP_FENCRYPT_LEN)