gzip memory corruption
Xin LI
delphij at delphij.net
Thu Jul 9 04:04:56 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Xin LI wrote:
> Eygene Ryabinkin wrote:
>> Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
>>> I run Freebsd 7.2 and gzip doesn't handle correctly long suffix name
>>> with the -S option.
>>>> gzip -S `perl -e 'print "A"x1200'` dummy_file
>>> Memory fault (core dumped)
>>>
>>> The offending code lays in the function file_compress:
>>>> /* Add (usually) .gz to filename */
>>>> if ((size_t)snprintf(outfile, outsize, "%s%s",
>>>> file, suffixes[0].zipped) >= outsize)
>>>> memcpy(outfile - suffixes[0].ziplen - 1,
>>>> suffixes[0].zipped, suffixes[0].ziplen + 1);
>> The memcpy() call looks like a complete madness: it will write before
>> the beginning of the 'outfile', so it will be buffer underflow in any
>> case (unless I am terribly mistaken and missing some obvious point).
>
>> I'd change the above code to warn and return if snprintf will discard
>> some trailing characters, the patch is attached.
I have attached another possible fix, which catches the problem when
parsing the command line. The point is that, I think we really want to
catch bad input as early as possible.
If there is no objections I would request for approval from re at .
Cheers,
- --
Xin LI <delphij at delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)
iEUEARECAAYFAkpVNFcACgkQi+vbBBjt66AkuQCfSm79QmZC2jPwE8kSEaz5NvH7
V+8Al0zsIfe40Tv0Yu/LrtMpnEK5cok=
=OtC/
-----END PGP SIGNATURE-----
-------------- next part --------------
Index: gzip.c
===================================================================
--- gzip.c (çæ¬ 195435)
+++ gzip.c (å·¥ä½å¯æ¬)
@@ -372,6 +372,8 @@
case 'S':
len = strlen(optarg);
if (len != 0) {
+ if (len >= PATH_MAX)
+ errx(1, "incorrect suffix: '%s'", optarg);
suffixes[0].zipped = optarg;
suffixes[0].ziplen = len;
} else {
More information about the freebsd-security
mailing list