Re: gzip memory corruption




Eygene Ryabinkin wrote:
> Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
>> I run FreeBSD 7.2 and gzip doesn't correctly handle a long suffix name
>> with the -S option.
>>
>> gzip -S `perl -e 'print "A"x1200'` dummy_file
>> Memory fault (core dumped)
>
> The offending code lies in the function file_compress:
>
>     /* Add (usually) .gz to filename */
>     if ((size_t)snprintf(outfile, outsize, "%s%s",
>         file, suffixes[0].zipped) >= outsize)
>             memcpy(outfile - suffixes[0].ziplen - 1,
>                 suffixes[0].zipped, suffixes[0].ziplen + 1);
>
> The memcpy() call looks like complete madness: it will write before
> the beginning of 'outfile', so it will be a buffer underflow in any
> case (unless I am terribly mistaken and missing some obvious point).
>
> I'd change the above code to warn and return if snprintf would discard
> some trailing characters; the patch is attached.

Nice catch! I'll take a look at this as soon as possible.

Cheers,
-- 
Xin LI <delphij@xxxxxxxxxxx> http://www.delphij.net/
FreeBSD - The Power to Serve!
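An added example (not the attached patch and not gzip's own code) of the handling the report proposes: test snprintf()'s return value for truncation and refuse the operation, instead of the memcpy() that writes before outfile. The helper name build_outfile, the 1024-byte buffer and the demo inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for the failing step of gzip's file_compress():
 * build "<file><suffix>" into a caller-supplied buffer. snprintf() returns
 * the length the full string would have had; if that is >= outsize the
 * output was truncated. The original code then did memcpy(outfile -
 * ziplen - 1, ...), a write before the buffer; here we warn and return -1.
 */
int build_outfile(const char *file, const char *suffix,
                  char *outfile, size_t outsize)
{
    int n = snprintf(outfile, outsize, "%s%s", file, suffix);

    if (n < 0) {
        fprintf(stderr, "gzip: snprintf failed\n");
        return -1;
    }
    if ((size_t)n >= outsize) {
        /* Truncated: refuse rather than "fix up" a name that cannot fit. */
        fprintf(stderr, "gzip: %s: file name too long\n", file);
        return -1;
    }
    return n;  /* bytes written, excluding the terminating NUL */
}

static char scratch[8];       /* small buffer for exercising the truncation case */

/* Constructed demo: a 1200-byte suffix like the reporter's perl one-liner. */
int demo(void)
{
    char suffix[1201];
    char outfile[1024];       /* stands in for gzip's path-sized buffer */

    memset(suffix, 'A', sizeof suffix - 1);
    suffix[sizeof suffix - 1] = '\0';

    int ok = build_outfile("dummy_file", ".gz", outfile, sizeof outfile);
    int bad = build_outfile("dummy_file", suffix, outfile, sizeof outfile);
    return ok == 13 && bad == -1;   /* 1 when both paths behave as intended */
}

int main(void)
{
    printf("%s\n", demo() ? "ok" : "FAIL");
    return demo() ? 0 : 1;
}
```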


