gzip memory corruption
Xin LI
delphij at delphij.net
Thu Jul 9 04:04:55 UTC 2009
Eygene Ryabinkin wrote:
> Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
>> I run FreeBSD 7.2 and gzip doesn't correctly handle a long suffix name
>> with the -S option.
>>> gzip -S `perl -e 'print "A"x1200'` dummy_file
>> Memory fault (core dumped)
>>
>> The offending code lies in the function file_compress:
>>> /* Add (usually) .gz to filename */
>>> if ((size_t)snprintf(outfile, outsize, "%s%s",
>>>     file, suffixes[0].zipped) >= outsize)
>>>     memcpy(outfile - suffixes[0].ziplen - 1,
>>>         suffixes[0].zipped, suffixes[0].ziplen + 1);
>
> The memcpy() call looks like complete madness: it will write before
> the beginning of 'outfile', so it will be a buffer underflow in any
> case (unless I am terribly mistaken and missing some obvious point).
>
> I'd change the above code to warn and return if snprintf would discard
> some trailing characters; the patch is attached.
Nice catch! I'll take a look at this as soon as possible.
Cheers,
--
Xin LI <delphij at delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve!
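As an added example (not gzip's source and not the patch attached to the quoted message), here is the suffix-append step of file_compress() rewritten the way the reply suggests: the same snprintf() truncation test, but reporting the overlong name and returning instead of reaching the memcpy() that writes before the buffer. The buffer sizes, file names and check_* helper names are assumptions constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Added example, not gzip's code or the attached patch: the suffix-append
 * step of file_compress() with the same snprintf() test, but rejecting an
 * overlong name instead of reaching the memcpy(). Sizes are constructed. */
/* Build "<file><suffix>" into outfile[outsize]. Returns true when the whole
 * name fits (NUL included); false when snprintf() had to truncate it. */
static bool build_outfile(char *outfile, size_t outsize,
                          const char *file, const char *suffix)
{
    int n = snprintf(outfile, outsize, "%s%s", file, suffix);
    /* snprintf() returns the length it wanted, so n >= outsize means the
     * name was cut. gzip then did memcpy() to outfile - ziplen - 1, which
     * lies before the start of the buffer; here we warn and bail out. */
    if (n < 0 || (size_t)n >= outsize) {
        fprintf(stderr, "%s%s: name too long\n", file, suffix);
        return false;
    }
    return true;
}

/* Default ".gz" suffix on a short name fits and the result is exact. */
int check_default_suffix(void)
{
    char outfile[64];
    if (!build_outfile(outfile, sizeof outfile, "dummy_file", ".gz"))
        return 0;
    return strcmp(outfile, "dummy_file.gz") == 0;
}

/* Boundary: outsize-1 characters fit, outsize characters are rejected. */
int check_boundary(void)
{
    char outfile[8];
    bool fits = build_outfile(outfile, sizeof outfile, "abcd", ".gz")
                && strcmp(outfile, "abcd.gz") == 0;               /* 7 */
    bool over = build_outfile(outfile, sizeof outfile, "abcde", ".gz"); /* 8 */
    return fits && !over;
}

/* The report's case: -S with a 1200-byte suffix must be rejected cleanly. */
int check_long_suffix(void)
{
    char suffix[1201], outfile[1024];     /* 1024: PATH_MAX-sized guess */
    memset(suffix, 'A', 1200);
    suffix[1200] = '\0';
    return !build_outfile(outfile, sizeof outfile, "dummy_file", suffix);
}
```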