From deb6327793c6d6b65e443ce2e4fd8777b0724130 Mon Sep 17 00:00:00 2001
From: Xin LI <delphij@FreeBSD.org>
Date: Fri, 31 Jul 2009 08:37:27 +0000
Subject: [PATCH] Correct a stack underflow in gzip:

 - Limit suffix to be no more than 30 bytes long.  This matches GNU
   behavior.
 - Correct usage of memcpy().

Note that this commit only corrects the stack underflow issue, we
still need some other fixes to cover other edges. [1]

Reported by:	Ron Jude <ronj wytheville org>
Discussed with:	Matthew Green (original NetBSD gzip author),
		Eygene Ryabinkin <rea-fbsd codelabs ru> [1]
Approved by:	re (kib)
---
 usr.bin/gzip/gzip.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/usr.bin/gzip/gzip.c b/usr.bin/gzip/gzip.c
index 9d4548e596de..e9371d2c47ca 100644
--- a/usr.bin/gzip/gzip.c
+++ b/usr.bin/gzip/gzip.c
@@ -150,6 +150,8 @@ static suffixes_t suffixes[] = {
 };
 #define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0])
 
+#define SUFFIX_MAXLEN	30
+
 static	const char	gzip_version[] = "FreeBSD gzip 20090621";
 
 #ifndef SMALL
@@ -372,6 +374,8 @@ main(int argc, char **argv)
 		case 'S':
 			len = strlen(optarg);
 			if (len != 0) {
+				if (len > SUFFIX_MAXLEN)
+					errx(1, "incorrect suffix: '%s': too long", optarg);
 				suffixes[0].zipped = optarg;
 				suffixes[0].ziplen = len;
 			} else {
@@ -1236,7 +1240,7 @@ file_compress(char *file, char *outfile, size_t outsize)
 		/* Add (usually) .gz to filename */
 		if ((size_t)snprintf(outfile, outsize, "%s%s",
 					file, suffixes[0].zipped) >= outsize)
-			memcpy(outfile - suffixes[0].ziplen - 1,
+			memcpy(outfile + outsize - suffixes[0].ziplen - 1,
 				suffixes[0].zipped, suffixes[0].ziplen + 1);
 
 #ifndef SMALL