Date: Fri, 31 Jul 2009 08:37:27 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r195988 - head/usr.bin/gzip Message-ID: <200907310837.n6V8bREd060851@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Fri Jul 31 08:37:27 2009 New Revision: 195988 URL: http://svn.freebsd.org/changeset/base/195988 Log: Correct a stack underflow in gzip: - Limit suffix to be no more than 30 bytes long. This matches GNU behavior. - Correct usage of memcpy(). Note that this commit only corrects the stack underflow issue, we still need some other fixes to cover other edges. [1] Reported by: Ron Jude <ronj wytheville org> Discussed with: Matthew Green (original NetBSD gzip author), Eygene Ryabinkin <rea-fbsd codelabs ru> [1] Approved by: re (kib) Modified: head/usr.bin/gzip/gzip.c Modified: head/usr.bin/gzip/gzip.c ============================================================================== --- head/usr.bin/gzip/gzip.c Fri Jul 31 07:53:09 2009 (r195987) +++ head/usr.bin/gzip/gzip.c Fri Jul 31 08:37:27 2009 (r195988) @@ -150,6 +150,8 @@ static suffixes_t suffixes[] = { }; #define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0]) +#define SUFFIX_MAXLEN 30 + static const char gzip_version[] = "FreeBSD gzip 20090621"; #ifndef SMALL @@ -372,6 +374,8 @@ main(int argc, char **argv) case 'S': len = strlen(optarg); if (len != 0) { + if (len > SUFFIX_MAXLEN) + errx(1, "incorrect suffix: '%s': too long", optarg); suffixes[0].zipped = optarg; suffixes[0].ziplen = len; } else { @@ -1236,7 +1240,7 @@ file_compress(char *file, char *outfile, /* Add (usually) .gz to filename */ if ((size_t)snprintf(outfile, outsize, "%s%s", file, suffixes[0].zipped) >= outsize) - memcpy(outfile - suffixes[0].ziplen - 1, + memcpy(outfile + outsize - suffixes[0].ziplen - 1, suffixes[0].zipped, suffixes[0].ziplen + 1); #ifndef SMALL
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200907310837.n6V8bREd060851>