gzip memory corruption
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Wed Jul 8 20:25:20 UTC 2009
Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
> I run Freebsd 7.2 and gzip doesn't handle correctly long suffix name
> with the -S option.
> > gzip -S `perl -e 'print "A"x1200'` dummy_file
> Memory fault (core dumped)
>
> The offending code lays in the function file_compress:
> > /* Add (usually) .gz to filename */
> > if ((size_t)snprintf(outfile, outsize, "%s%s",
> > file, suffixes[0].zipped) >= outsize)
> > memcpy(outfile - suffixes[0].ziplen - 1,
> > suffixes[0].zipped, suffixes[0].ziplen + 1);
The memcpy() call looks like a complete madness: it will write before
the beginning of the 'outfile', so it will be buffer underflow in any
case (unless I am terribly mistaken and missing some obvious point).
I'd change the above code to warn and return if snprintf will discard
some trailing characters, the patch is attached.
--
Eygene
_ ___ _.--. #
\`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard
/ ' ` , __.--' # to read the on-line manual
)/' _/ \ `-_, / # while single-stepping the kernel.
`-'" `"\_ ,_.-;_.-\_ ', fsc/as #
_.-'_./ {_.' ; / # -- FreeBSD Developers handbook
{_.-``-' {_/ #
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gzip.c-fix-buffer-underflow.diff
Type: text/x-diff
Size: 609 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20090708/9f479154/gzip.c-fix-buffer-underflow.bin
More information about the freebsd-security
mailing list