From owner-svn-src-all@FreeBSD.ORG Wed Apr 15 00:07:22 2015 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A23D1BBA; Wed, 15 Apr 2015 00:07:22 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8D602848; Wed, 15 Apr 2015 00:07:22 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t3F07Mbs090731; Wed, 15 Apr 2015 00:07:22 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t3F07Mv6090730; Wed, 15 Apr 2015 00:07:22 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201504150007.t3F07Mv6090730@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Wed, 15 Apr 2015 00:07:22 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r281540 - head/usr.bin/gzip X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Apr 2015 00:07:22 -0000 Author: delphij Date: Wed Apr 15 00:07:21 2015 New Revision: 281540 URL: https://svnweb.freebsd.org/changeset/base/281540 Log: When reading in the original file name from gzip header, we read in PATH_MAX + 1 bytes from the file. In r281500, strrchr() is used to strip possible path portion of the file name to mitigate a possible attack. Unfortunately, strrchr() expects a buffer that is NUL-terminated, and since we are processing potentially untrusted data, we can not assert that be always true. Solve this by reading in one less byte (now PATH_MAX) and explicitly terminate the buffer after the read size with NUL. Reported by: Coverity CID: 1264915 X-MFC-with: 281500 MFC after: 13 days Modified: head/usr.bin/gzip/gzip.c Modified: head/usr.bin/gzip/gzip.c ============================================================================== --- head/usr.bin/gzip/gzip.c Tue Apr 14 20:08:37 2015 (r281539) +++ head/usr.bin/gzip/gzip.c Wed Apr 15 00:07:21 2015 (r281540) @@ -1409,14 +1409,17 @@ file_uncompress(char *file, char *outfil timestamp = ts[3] << 24 | ts[2] << 16 | ts[1] << 8 | ts[0]; if (header1[3] & ORIG_NAME) { - rbytes = pread(fd, name, sizeof name, GZIP_ORIGNAME); + rbytes = pread(fd, name, sizeof(name) - 1, GZIP_ORIGNAME); if (rbytes < 0) { maybe_warn("can't read %s", file); goto lose; } - if (name[0] != 0) { + if (name[0] != '\0') { char *dp, *nf; + /* Make sure that name is NUL-terminated */ + name[rbytes] = '\0'; + /* strip saved directory name */ nf = strrchr(name, '/'); if (nf == NULL)