gzip memory corruption

[Xin LI]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

After talking with Matthew Green (the author of NetBSD) it seems that it
would be more reasonable to fix the bug itself than breaking upon
receipt.  Here is the patch.

Regarding to the suffix prompt, give me some time to think about it.  At
the beginning I just matched GNU gzip's behavior, but they cover when
the -S is specified when decompressing, which we don't care about, so it
might be reasonable for us to explicitly say it's too long.

Cheers,
- --
Xin LI <delphij at delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)

iEYEARECAAYFAkpyhGoACgkQi+vbBBjt66Bk3wCfT0w2DQipG05hksUv9r/CPioo
s4IAni8otQHmNOxticY23JqzevzsDeBL
=JzTo
-----END PGP SIGNATURE-----
-------------- next part --------------
Index: gzip.c
===================================================================
--- gzip.c	(revision 195945)
+++ gzip.c	(working copy)
@@ -150,6 +150,8 @@
 };
 #define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0])
 
+#define SUFFIX_MAXLEN	30
+
 static	const char	gzip_version[] = "FreeBSD gzip 20090621";
 
 #ifndef SMALL
@@ -372,6 +374,8 @@
 		case 'S':
 			len = strlen(optarg);
 			if (len != 0) {
+				if (len > SUFFIX_MAXLEN)
+					errx(1, "incorrect suffix: '%s'", optarg);
 				suffixes[0].zipped = optarg;
 				suffixes[0].ziplen = len;
 			} else {
@@ -1236,7 +1240,7 @@
 		/* Add (usually) .gz to filename */
 		if ((size_t)snprintf(outfile, outsize, "%s%s",
 					file, suffixes[0].zipped) >= outsize)
-			memcpy(outfile - suffixes[0].ziplen - 1,
+			memcpy(outfile + outsize - suffixes[0].ziplen - 1,
 				suffixes[0].zipped, suffixes[0].ziplen + 1);
 
 #ifndef SMALL