d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

When reading in the original file name from gzip header, we read

Browse Source 
in PATH_MAX + 1 bytes from the file.  In r281500, strrchr() is
used to strip possible path portion of the file name to mitigate
a possible attack.  Unfortunately, strrchr() expects a buffer
that is NUL-terminated, and since we are processing potentially
untrusted data, we can not assert that be always true.

Solve this by reading in one less byte (now PATH_MAX) and
explicitly terminate the buffer after the read size with NUL.

Reported by:	Coverity
CID:		1264915
X-MFC-with:	281500
MFC after:	13 days
This commit is contained in:
delphij 2015-04-15 00:07:21 +00:00
parent 7b318600dd
commit e54d940929
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
usr.bin/gzip/gzip.c
View File

@ -1409,14 +1409,17 @@ file_uncompress(char *file, char *outfile, size_t outsize)
timestamp = ts[3] << 24 | ts[2] << 16 | ts[1] << 8 | ts[0];
if (header1[3] & ORIG_NAME) {
rbytes = pread(fd, name, sizeof name, GZIP_ORIGNAME);
rbytes = pread(fd, name, sizeof(name) - 1, GZIP_ORIGNAME);
if (rbytes < 0) {
maybe_warn("can't read %s", file);
goto lose;
}
if (name[0] != 0) {
if (name[0] != '\0') {
char *dp, *nf;
/* Make sure that name is NUL-terminated */
name[rbytes] = '\0';
/* strip saved directory name */
nf = strrchr(name, '/');
if (nf == NULL)