Date: Wed, 08 Jul 2009 16:49:20 -0700
From: Xin LI <delphij@delphij.net>
To: rea-fbsd@codelabs.ru
Cc: rrl <endian.sign@gmail.com>, freebsd-security@freebsd.org
Subject: Re: gzip memory corruption
Message-ID: <4A553080.5060205@delphij.net>
In-Reply-To: <qbNi6WaraP%2BYYd65ZtihTj0ewks@BpFm1zkZmHABxHH1eUOcQSRoWTc>
References: <20090708193339.GA4836@minerva.freedsl.mg> <qbNi6WaraP%2BYYd65ZtihTj0ewks@BpFm1zkZmHABxHH1eUOcQSRoWTc>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eygene Ryabinkin wrote:
> Wed, Jul 08, 2009 at 10:33:39PM +0300, rrl wrote:
>> I run FreeBSD 7.2 and gzip doesn't correctly handle a long suffix name
>> with the -S option.
>>> gzip -S `perl -e 'print "A"x1200'` dummy_file
>> Memory fault (core dumped)
>>
>> The offending code lies in the function file_compress:
>>> /* Add (usually) .gz to filename */
>>> if ((size_t)snprintf(outfile, outsize, "%s%s",
>>>     file, suffixes[0].zipped) >= outsize)
>>>         memcpy(outfile - suffixes[0].ziplen - 1,
>>>             suffixes[0].zipped, suffixes[0].ziplen + 1);
>
> The memcpy() call looks like complete madness: it will write before
> the beginning of the 'outfile', so it will be a buffer underflow in any
> case (unless I am terribly mistaken and missing some obvious point).
>
> I'd change the above code to warn and return if snprintf will discard
> some trailing characters; the patch is attached.

Nice catch! I'll take a look at this as soon as possible.

Cheers,
- --
Xin LI <delphij@delphij.net>    http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (FreeBSD)

iEYEARECAAYFAkpVMIAACgkQi+vbBBjt66BkrgCePlsfN2Y8+yXkJiI39A2tEmRS
CKcAnipqLptYZx2BeuM+7piL0vBF1yzz
=9kvD
-----END PGP SIGNATURE-----
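The fix Eygene describes, treating an snprintf() truncation as an error instead of "repairing" the buffer, written out as an added example for this archive page. It is not code from FreeBSD gzip or from the attached patch; the function names, OUTBUF_SIZE and the warning text are assumptions. The point it makes is the one in the thread: `outfile - ziplen - 1` points before the start of `outfile` for every possible suffix length, so there is no input on which the original memcpy() is safe, and the only sound response to a name that does not fit is to warn and skip the file.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define OUTBUF_SIZE 1024  /* stands in for gzip's outsize; assumed value, not the real one */

/* Hardened replacement for the snprintf()/memcpy() sequence quoted above:
 * build "<file><suffix>" into out, and refuse when it would not fit.
 * Returns 0 on success, -1 when the name was truncated. */
int build_outfile(char *out, size_t outsize, const char *file, const char *suffix)
{
    int n;

    if (out == NULL || outsize == 0)
        return -1;
    n = snprintf(out, outsize, "%s%s", file, suffix);
    if (n < 0 || (size_t)n >= outsize) {
        /* Truncated: leave an empty string behind and fail cleanly. */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Caller side: warn and return instead of continuing with a truncated name.
 * Returns 1 if the file would go on to be compressed, 0 if it is skipped. */
int compress_name_check(const char *file, const char *suffix, char *out, size_t outsize)
{
    if (build_outfile(out, outsize, file, suffix) != 0) {
        fprintf(stderr, "gzip: %s: output file name too long, skipping\n", file);
        return 0;
    }
    return 1;
}

/* Scenario 1: the ordinary case, "dummy_file" + ".gz". Returns 1 on success. */
int scenario_normal(void)
{
    char out[OUTBUF_SIZE];

    if (!compress_name_check("dummy_file", ".gz", out, sizeof out))
        return 0;
    return strcmp(out, "dummy_file.gz") == 0;
}

/* Scenario 2: the 1200-byte suffix from the report (constructed here).
 * Returns 1 if the file was skipped and the buffer left empty. */
int scenario_long_suffix(void)
{
    char suffix[1201];
    char out[OUTBUF_SIZE];
    int kept;

    memset(suffix, 'A', 1200);
    suffix[1200] = '\0';
    kept = compress_name_check("dummy_file", suffix, out, sizeof out);
    return kept == 0 && out[0] == '\0';
}

/* Scenario 3: the boundary. "dummy_file.gz" is 13 characters, so a 14-byte
 * buffer fits it (13 + NUL) and a 13-byte buffer must be rejected. */
int scenario_boundary(void)
{
    char fits[14];
    char too_small[13];
    int ok_fit = build_outfile(fits, sizeof fits, "dummy_file", ".gz") == 0;
    int ok_reject = build_outfile(too_small, sizeof too_small, "dummy_file", ".gz") == -1;

    return ok_fit && ok_reject;
}

int main(void)
{
    printf("normal: %d\nlong suffix: %d\nboundary: %d\n",
           scenario_normal(), scenario_long_suffix(), scenario_boundary());
    return 0;
}
```

The `>= outsize` comparison is the same one the original code already makes; the difference is what happens on that branch. Checking `n < 0` as well covers the encoding-error return of snprintf(), which the original cast to size_t would otherwise turn into a huge value.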