Correct a stack underflow in gzip:

- Limit suffix to be no more than 30 bytes long. This matches GNU behavior. - Correct usage of memcpy(). Note that this commit only corrects the stack underflow issue, we still need some other fixes to cover other edges. [1] Reported by: Ron Jude <ronj wytheville org> Discussed with: Matthew Green (original NetBSD gzip author), Eygene Ryabinkin <rea-fbsd codelabs ru> [1] Approved by: re (kib)
2009-07-31 08:37:27 +00:00 · 2009-07-31 08:37:27 +00:00 · 1eac2402ef
commit 1eac2402ef
parent f92b9dfb98
1 changed files with 5 additions and 1 deletions
--- a/usr.bin/gzip/gzip.c
+++ b/usr.bin/gzip/gzip.c
@ -150,6 +150,8 @@ static suffixes_t suffixes[] = {
 };
 #define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0])

+#define SUFFIX_MAXLEN	30
+
 static	const char	gzip_version[] = "FreeBSD gzip 20090621";

 #ifndef SMALL
@ -372,6 +374,8 @@ main(int argc, char **argv)
 		case 'S':
 			len = strlen(optarg);
 			if (len != 0) {
+				if (len > SUFFIX_MAXLEN)
+					errx(1, "incorrect suffix: '%s': too long", optarg);
 				suffixes[0].zipped = optarg;
 				suffixes[0].ziplen = len;
 			} else {
@ -1236,7 +1240,7 @@ file_compress(char *file, char *outfile, size_t outsize)
 		/* Add (usually) .gz to filename */
 		if ((size_t)snprintf(outfile, outsize, "%s%s",
 					file, suffixes[0].zipped) >= outsize)
-			memcpy(outfile - suffixes[0].ziplen - 1,
+			memcpy(outfile + outsize - suffixes[0].ziplen - 1,
 				suffixes[0].zipped, suffixes[0].ziplen + 1);

 #ifndef SMALL