Re: gzip memory corruption
- From: Xin LI <delphij@xxxxxxxxxxx>
- Date: Wed, 08 Jul 2009 17:05:44 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Xin LI wrote:
Eygene Ryabinkin wrote:
Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
I run FreeBSD 7.2 and gzip doesn't handle correctly long suffix name
with the -S option.

gzip -S `perl -e 'print "A"x1200'` dummy_file
Memory fault (core dumped)

The offending code lies in the function file_compress:

/* Add (usually) .gz to filename */
if ((size_t)snprintf(outfile, outsize, "%s%s",
    file, suffixes[0].zipped) >= outsize)
        memcpy(outfile - suffixes[0].ziplen - 1,
            suffixes[0].zipped, suffixes[0].ziplen + 1);

The memcpy() call looks like a complete madness: it will write before
the beginning of the 'outfile', so it will be buffer underflow in any
case (unless I am terribly mistaken and missing some obvious point).
I'd change the above code to warn and return if snprintf will discard
some trailing characters, the patch is attached.
I have attached another possible fix, which catches the problem when
parsing the command line. The point is that, I think we really want to
catch bad input as early as possible.
If there are no objections I would request approval from re@.
Cheers,
- --
Xin LI <delphij@xxxxxxxxxxx> http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)
iEUEARECAAYFAkpVNFcACgkQi+vbBBjt66AkuQCfSm79QmZC2jPwE8kSEaz5NvH7
V+8Al0zsIfe40Tv0Yu/LrtMpnEK5cok=
=OtC/
-----END PGP SIGNATURE-----
Index: gzip.c
===================================================================
--- gzip.c (revision 195435)
+++ gzip.c (working copy)
@@ -372,6 +372,8 @@
case 'S':
len = strlen(optarg);
if (len != 0) {
+ if (len >= PATH_MAX)
+ errx(1, "incorrect suffix: '%s'", optarg);
suffixes[0].zipped = optarg;
suffixes[0].ziplen = len;
} else {
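Review bot: the `len >= PATH_MAX` bound on the suffix alone does not close the file_compress path quoted earlier in the thread: truncation there depends on strlen(file) + ziplen against outsize, so a suffix shorter than PATH_MAX combined with a long file name still reaches the `memcpy(outfile - suffixes[0].ziplen - 1, ...)` that writes before the start of the buffer. Keep this early rejection of bad -S input, but also replace the memcpy fallback with a warn-and-return as Eygene's patch does, so both entry points are covered. Minor: the message "incorrect suffix: '%s'" could state that the suffix is too long, which is the actual reason for rejection, and echoing a near-PATH_MAX-length argument back in the error text is noisy.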
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
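As an added example (not code from FreeBSD's gzip.c or from either patch in this thread), the two defensive checks discussed above written out as stand-alone C: an early length check for the -S argument, and a bounded "file + suffix" builder that refuses to produce a truncated name instead of falling through to an out-of-bounds memcpy. The function names, the SUFFIX_MAX limit and the fallback PATH_MAX value are this example's own assumptions.

```c
/* Added example, not FreeBSD's gzip.c: bounded output-name construction
 * and early suffix validation.  Names and limits are assumptions. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 1024          /* fallback for platforms without it (assumed) */
#endif

/* Upper bound on a user-supplied suffix (assumed value for this example). */
#define SUFFIX_MAX PATH_MAX

/*
 * Validate a -S argument at option-parsing time, before it can reach any
 * buffer arithmetic.  Returns 0 if acceptable, -1 (with errno set) if the
 * suffix is missing, empty or too long.
 */
int check_suffix(const char *suffix)
{
    size_t len;

    if (suffix == NULL) {
        errno = EINVAL;
        return -1;
    }
    len = strlen(suffix);
    if (len == 0) {
        errno = EINVAL;
        return -1;
    }
    if (len >= SUFFIX_MAX) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/*
 * Build "<file><suffix>" into out[outsize].  Returns the length of the
 * result, or -1 if it would not fit.  On failure out[] is left as an
 * empty string so a caller cannot accidentally use a truncated name.
 * Never writes outside out[0 .. outsize-1]: snprintf is bounded and the
 * truncation case returns instead of retrying with pointer arithmetic.
 */
int make_outfile(char *out, size_t outsize, const char *file, const char *suffix)
{
    int n;

    if (out == NULL || outsize == 0) {
        errno = EINVAL;
        return -1;
    }
    n = snprintf(out, outsize, "%s%s", file, suffix);
    if (n < 0 || (size_t)n >= outsize) {
        out[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return n;
}

/* Demonstration on a normal name and on a 1200-'A' suffix like the report's. */
int main(void)
{
    char outfile[PATH_MAX];
    char longsuf[1201];          /* constructed input mirroring the report */

    memset(longsuf, 'A', 1200);
    longsuf[1200] = '\0';

    if (make_outfile(outfile, sizeof outfile, "dummy_file", ".gz") >= 0)
        printf("ok: %s\n", outfile);
    if (check_suffix(longsuf) < 0)
        printf("rejected -S argument of length %zu\n", strlen(longsuf));
    if (make_outfile(outfile, sizeof outfile, "dummy_file", longsuf) < 0)
        printf("name would not fit; refusing to truncate\n");
    return 0;
}
```

The point of keeping both checks is that they guard different inputs: check_suffix bounds the suffix by itself, while make_outfile bounds the combined file name plus suffix against the real destination size, which is the quantity the original snprintf comparison was testing.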
- Follow-Ups:
- Re: gzip memory corruption
- From: Eygene Ryabinkin
- Re: gzip memory corruption
- References:
- gzip memory corruption
- From: rrl
- Re: gzip memory corruption
- From: Eygene Ryabinkin
- Re: gzip memory corruption
- From: Xin LI
- gzip memory corruption