Re: gzip memory corruption



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

After talking with Matthew Green (the author of NetBSD) it seems that it
would be more reasonable to fix the bug itself than breaking upon
receipt. Here is the patch.

Regarding to the suffix prompt, give me some time to think about it. At
the beginning I just matched GNU gzip's behavior, but they cover when
the -S is specified when decompressing, which we don't care about, so it
might be reasonable for us to explicitly say it's too long.

Cheers,
- --
Xin LI <delphij@xxxxxxxxxxx> http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)

iEYEARECAAYFAkpyhGoACgkQi+vbBBjt66Bk3wCfT0w2DQipG05hksUv9r/CPioo
s4IAni8otQHmNOxticY23JqzevzsDeBL
=JzTo
-----END PGP SIGNATURE-----
Index: gzip.c
===================================================================
--- gzip.c (revision 195945)
+++ gzip.c (working copy)
@@ -150,6 +150,8 @@
};
#define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0])

+#define SUFFIX_MAXLEN 30
+
static const char gzip_version[] = "FreeBSD gzip 20090621";

#ifndef SMALL
@@ -372,6 +374,8 @@
case 'S':
len = strlen(optarg);
if (len != 0) {
+ if (len > SUFFIX_MAXLEN)
+ errx(1, "incorrect suffix: '%s'", optarg);
suffixes[0].zipped = optarg;
suffixes[0].ziplen = len;
} else {
@@ -1236,7 +1240,7 @@
/* Add (usually) .gz to filename */
if ((size_t)snprintf(outfile, outsize, "%s%s",
file, suffixes[0].zipped) >= outsize)
- memcpy(outfile - suffixes[0].ziplen - 1,
+ memcpy(outfile + outsize - suffixes[0].ziplen - 1,
suffixes[0].zipped, suffixes[0].ziplen + 1);

#ifndef SMALL
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"