svn commit: r281540 - head/usr.bin/gzip
Xin LI
delphij at FreeBSD.org
Wed Apr 15 00:07:22 UTC 2015
Author: delphij
Date: Wed Apr 15 00:07:21 2015
New Revision: 281540
URL: https://svnweb.freebsd.org/changeset/base/281540
Log:
When reading in the original file name from gzip header, we read
in PATH_MAX + 1 bytes from the file. In r281500, strrchr() is
used to strip possible path portion of the file name to mitigate
a possible attack. Unfortunately, strrchr() expects a buffer
that is NUL-terminated, and since we are processing potentially
untrusted data, we can not assert that to be always true.
Solve this by reading in one less byte (now PATH_MAX) and
explicitly terminate the buffer after the read size with NUL.
Reported by: Coverity
CID: 1264915
X-MFC-with: 281500
MFC after: 13 days
Modified:
head/usr.bin/gzip/gzip.c
Modified: head/usr.bin/gzip/gzip.c
==============================================================================
--- head/usr.bin/gzip/gzip.c Tue Apr 14 20:08:37 2015 (r281539)
+++ head/usr.bin/gzip/gzip.c Wed Apr 15 00:07:21 2015 (r281540)
@@ -1409,14 +1409,17 @@ file_uncompress(char *file, char *outfil
timestamp = ts[3] << 24 | ts[2] << 16 | ts[1] << 8 | ts[0];
if (header1[3] & ORIG_NAME) {
- rbytes = pread(fd, name, sizeof name, GZIP_ORIGNAME);
+ rbytes = pread(fd, name, sizeof(name) - 1, GZIP_ORIGNAME);
if (rbytes < 0) {
maybe_warn("can't read %s", file);
goto lose;
}
- if (name[0] != 0) {
+ if (name[0] != '\0') {
char *dp, *nf;
+ /* Make sure that name is NUL-terminated */
+ name[rbytes] = '\0';
+
/* strip saved directory name */
nf = strrchr(name, '/');
if (nf == NULL)
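Review bot: the `name[0] != '\0'` test still runs before the new `name[rbytes] = '\0'` assignment, so when pread() returns 0 (for example a file truncated at GZIP_ORIGNAME) the test reads a byte that this read never wrote; only `rbytes < 0` is rejected above it. Consider moving the termination to directly after the error check, ahead of the `name[0]` test, so that a zero-length read yields an empty name and the strrchr() block is skipped. The `sizeof(name) - 1` bound on the read is what keeps the `name[rbytes]` store inside the buffer, so the two changes need to stay together when this is merged with r281500.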