svn commit: r326052 - head/usr.bin/gzip
Xin Li
delphij at FreeBSD.org
Wed Mar 11 21:09:04 UTC 2020
On 3/10/20 18:26, Conrad Meyer wrote:
> Hi Xin Li,
>
> Sorry to reply to an old commit.
>
> On Tue, Nov 21, 2017 at 12:14 AM Xin LI <delphij at freebsd.org> wrote:
>>
>> Author: delphij
>> Date: Tue Nov 21 08:14:30 2017
>> New Revision: 326052
>> URL: https://svnweb.freebsd.org/changeset/base/326052
>>
>> Log:
>> Support SIGINFO.
>> ...
>> --- head/usr.bin/gzip/unpack.c Tue Nov 21 07:35:29 2017 (r326051)
>> +++ head/usr.bin/gzip/unpack.c Tue Nov 21 08:14:30 2017 (r326052)
>> ...
>> @@ -152,6 +155,9 @@ unpack_parse_header(int in, int out, char *pre, size_t
>> ssize_t bytesread; /* Bytes read from the file */
>> int i, j, thisbyte;
>>
>> + if (prelen > sizeof hdr)
>> + maybe_err("prelen too long");
>
> This check should perhaps be >=, rather than >.
>
>> +
>> /* Prepend the header buffer if we already read some data */
>> if (prelen != 0)
>> memcpy(hdr, pre, prelen);
>> @@ -160,6 +166,7 @@ unpack_parse_header(int in, int out, char *pre, size_t
>> bytesread = read(in, hdr + prelen, PACK_HEADER_LENGTH - prelen);
>
> In the case where prelen == sizeof(hdr), we invoke read(, pointer past
> end of hdr, 0) above. This should have no effect, but looks
> unintended, and tickles Coverity (CID 1383554).
Thanks for the analysis. It seems that this is a false positive because
the situation can never happen with the current code (the passed prelen
has to be either 0 or 4).
I've created a changeset at: https://reviews.freebsd.org/D24034 to
address it.
Cheers,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 865 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/svn-src-all/attachments/20200311/c3e71bac/attachment.sig>
More information about the svn-src-all
mailing list