gzip memory corruption

[Xin LI]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Xin LI wrote:
> Eygene Ryabinkin wrote:
>> Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
>>> I run Freebsd 7.2 and gzip doesn't handle correctly long suffix name
>>> with the -S option.
>>>> gzip -S `perl -e 'print "A"x1200'` dummy_file
>>> Memory fault (core dumped)
>>>
>>> The offending code lays in the function file_compress:
>>>> 		/* Add (usually) .gz to filename */
>>>> 		if ((size_t)snprintf(outfile, outsize, "%s%s",
>>>> 					file, suffixes[0].zipped) >= outsize)
>>>> 			memcpy(outfile - suffixes[0].ziplen - 1,
>>>> 				suffixes[0].zipped, suffixes[0].ziplen + 1);
>> The memcpy() call looks like a complete madness: it will write before
>> the beginning of the 'outfile', so it will be buffer underflow in any
>> case (unless I am terribly mistaken and missing some obvious point).
> 
>> I'd change the above code to warn and return if snprintf will discard
>> some trailing characters, the patch is attached.

I have attached another possible fix, which catches the problem when
parsing the command line.  The point is that, I think we really want to
catch bad input as early as possible.

If there is no objections I would request for approval from re at .

Cheers,
- --
Xin LI <delphij at delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)

iEUEARECAAYFAkpVNFcACgkQi+vbBBjt66AkuQCfSm79QmZC2jPwE8kSEaz5NvH7
V+8Al0zsIfe40Tv0Yu/LrtMpnEK5cok=
=OtC/
-----END PGP SIGNATURE-----
-------------- next part --------------
Index: gzip.c
===================================================================
--- gzip.c	(版本 195435)
+++ gzip.c	(工作副本)
@@ -372,6 +372,8 @@
 		case 'S':
 			len = strlen(optarg);
 			if (len != 0) {
+				if (len >= PATH_MAX)
+					errx(1, "incorrect suffix: '%s'", optarg);
 				suffixes[0].zipped = optarg;
 				suffixes[0].ziplen = len;
 			} else {