author | delphij <delphij@FreeBSD.org> | 2009-07-31 08:37:27 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2009-07-31 08:37:27 +0000 |
commit | 1eac2402ef00de3a96ce1d9d21792a8d8bff046d (patch) | |
tree | 58ed28ec8c65eb9914930897723362252c48f61a /usr.bin/gzip/gzip.c | |
parent | f92b9dfb9805296197e783a5ec72f1734954fe5f (diff) | |
Correct a stack underflow in gzip:
- Limit suffix to be no more than 30 bytes long. This matches GNU
behavior.
- Correct usage of memcpy().
Note that this commit only corrects the stack underflow issue, we
still need some other fixes to cover other edges. [1]
Reported by: Ron Jude <ronj wytheville org>
Discussed with: Matthew Green (original NetBSD gzip author),
Eygene Ryabinkin <rea-fbsd codelabs ru> [1]
Approved by: re (kib)
Diffstat (limited to 'usr.bin/gzip/gzip.c')
-rw-r--r-- | usr.bin/gzip/gzip.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/usr.bin/gzip/gzip.c b/usr.bin/gzip/gzip.c
index 9d4548e..e9371d2 100644
--- a/usr.bin/gzip/gzip.c
+++ b/usr.bin/gzip/gzip.c
@@ -150,6 +150,8 @@ static suffixes_t suffixes[] = {
 };
 #define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0])
+#define SUFFIX_MAXLEN 30
+
 static const char gzip_version[] = "FreeBSD gzip 20090621";
 #ifndef SMALL
@@ -372,6 +374,8 @@ main(int argc, char **argv)
 case 'S':
 len = strlen(optarg);
 if (len != 0) {
+ if (len > SUFFIX_MAXLEN)
+ errx(1, "incorrect suffix: '%s': too long", optarg);
 suffixes[0].zipped = optarg;
 suffixes[0].ziplen = len;
 } else {
@@ -1236,7 +1240,7 @@ file_compress(char *file, char *outfile, size_t outsize)
 /* Add (usually) .gz to filename */
 if ((size_t)snprintf(outfile, outsize, "%s%s", file, suffixes[0].zipped) >= outsize)
- memcpy(outfile - suffixes[0].ziplen - 1,
+ memcpy(outfile + outsize - suffixes[0].ziplen - 1,
 suffixes[0].zipped, suffixes[0].ziplen + 1);
 #ifndef SMALL |
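Review bot: `SUFFIX_MAXLEN` in the first hunk is defined without a comment, so the code does not record why 30 was chosen or what depends on it. The commit message says the limit matches GNU behavior, and the memcpy in the file_compress hunk appears to depend on the suffix being short relative to the output name buffer. I would put `/* Longest -S suffix accepted (matches GNU gzip); must stay smaller than the output name buffers. */` directly above the define.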
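Review bot: The corrected destination `outfile + outsize - suffixes[0].ziplen - 1` in file_compress still points before `outfile` whenever `outsize` is smaller than `ziplen + 1`, and nothing in this hunk checks that. It is presumably safe because `-S` is now capped at SUFFIX_MAXLEN in main and callers pass a path-sized buffer, but that invariant is spread across two functions and the caller is not visible here. A local guard before the memcpy, for example `if (outsize <= suffixes[0].ziplen) errx(1, "suffix does not fit in output name");`, would keep the write in bounds regardless of how the suffix was set. The truncation branch also silently overwrites the tail of the name, so a long input is written to a path other than `file` plus the suffix; a warning there would make that visible. file_compress's body starts and ends outside the hunk.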