Re: [Full-Disclosure] [HV-MED] Zip/Linux long path buffer overflow

From: Josh Bressers (bressers_at_redhat.com)
Date: 11/05/04

    Date: Fri, 5 Nov 2004 16:00:58 -0500
    To: martin.pitt@canonical.com
    
    

    On Fri, Nov 05, 2004 at 02:26:33PM +0100, Martin Pitt wrote:
    > I prepared a small fix for this (see below). It does not make zip work
    > with long file names, but at least it exits cleanly with giving the
    > reason, and does not segfault.

    This fix will allow zip to create an archive with very long filenames.

    I'm also changing the type of len from a signed int to size_t to prevent
    trouble in the future.

    --- zip-2.3/unix/unix.c.orig 2004-11-05 15:44:41.000000000 -0500
    +++ zip-2.3/unix/unix.c 2004-11-05 15:50:28.000000000 -0500
    @@ -319,8 +319,8 @@ iztimes *t; /* return value:
        a file size of -1 */
     {
       struct stat s; /* results of stat() */
    - char name[FNMAX];
    - int len = strlen(f);
    + char *name;
    + size_t len = strlen(f);
     
       if (f == label) {
         if (a != NULL)
    @@ -331,6 +331,11 @@ iztimes *t; /* return value:
           t->atime = t->mtime = t->ctime = label_utim;
         return label_time;
       }
    +
    + name = malloc(len+1);
    + if (!name)
    + return 0;
    +
       strcpy(name, f);
       if (name[len - 1] == '/')
         name[len - 1] = '\0';
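Review bot: The `name = malloc(len+1)` added here has no matching `free(name)` anywhere in the visible patch. `name` used to be a stack array that cleaned itself up, so every return path after this point now needs a `free(name)` before it, otherwise each call leaks `len+1` bytes. Also worth checking that `return 0` on allocation failure is a value callers already treat as an error for this function, so that an out-of-memory condition cannot be mistaken for a valid result.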

    -- 
        JB
    
