From c1c4677aec5c7d1a82aed8bbf23636e8fdc7a823 Mon Sep 17 00:00:00 2001 From: Xin LI Date: Wed, 15 Apr 2015 00:07:21 +0000 Subject: [PATCH] When reading in the original file name from gzip header, we read in PATH_MAX + 1 bytes from the file. In r281500, strrchr() is used to strip possible path portion of the file name to mitigate a possible attack. Unfortunately, strrchr() expects a buffer that is NUL-terminated, and since we are processing potentially untrusted data, we can not assert that be always true. Solve this by reading in one less byte (now PATH_MAX) and explicitly terminate the buffer after the read size with NUL. Reported by: Coverity CID: 1264915 X-MFC-with: 281500 MFC after: 13 days --- usr.bin/gzip/gzip.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/usr.bin/gzip/gzip.c b/usr.bin/gzip/gzip.c index 7364409c5d44..93ad3fcdf91a 100644 --- a/usr.bin/gzip/gzip.c +++ b/usr.bin/gzip/gzip.c @@ -1409,14 +1409,17 @@ file_uncompress(char *file, char *outfile, size_t outsize) timestamp = ts[3] << 24 | ts[2] << 16 | ts[1] << 8 | ts[0]; if (header1[3] & ORIG_NAME) { - rbytes = pread(fd, name, sizeof name, GZIP_ORIGNAME); + rbytes = pread(fd, name, sizeof(name) - 1, GZIP_ORIGNAME); if (rbytes < 0) { maybe_warn("can't read %s", file); goto lose; } - if (name[0] != 0) { + if (name[0] != '\0') { char *dp, *nf; + /* Make sure that name is NUL-terminated */ + name[rbytes] = '\0'; + /* strip saved directory name */ nf = strrchr(name, '/'); if (nf == NULL)
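Review bot: In file_uncompress(), the `name[0] != '\0'` test still runs before `name[rbytes] = '\0'`, and only `rbytes < 0` is rejected, so when pread() returns 0 the test inspects a byte that this read did not fill in. Move the termination to directly after the `rbytes < 0` check, ahead of the `name[0]` test, so that every later use of name, including strrchr(), sees a string bounded by the bytes actually read. A brief comment at the pread() call noting that `sizeof(name) - 1` reserves the slot for the terminator would also keep the two lines from drifting apart in later edits.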