Date:      Thu, 30 Jul 2009 22:43:07 -0700
From:      Xin LI <delphij@delphij.net>
To:        rea-fbsd@codelabs.ru
Cc:        rrl <endian.sign@gmail.com>, freebsd-security@freebsd.org, d@delphij.net
Subject:   Re: gzip memory corruption
Message-ID:  <4A72846B.60604@delphij.net>
In-Reply-To: <856ux8zhn21/d1hDLYeNjC7FQ1Y@xg9dzetjpj18poIU9mNsJ0TqP1U>
References:  <20090708193339.GA4836@minerva.freedsl.mg>	<qbNi6WaraP%2BYYd65ZtihTj0ewks@BpFm1zkZmHABxHH1eUOcQSRoWTc>	<4A553080.5060205@delphij.net> <4A553458.70005@delphij.net>	<LxW4OaFbQKVvB5FP5/FFtXkZd3U@%2BE41IXYRRzAjXLJbRTrYDjniL/s>	<4A7231A1.2050104@delphij.net> <856ux8zhn21/d1hDLYeNjC7FQ1Y@xg9dzetjpj18poIU9mNsJ0TqP1U>

Hi,

After talking with Matthew Green (the author of NetBSD) it seems that it
would be more reasonable to fix the bug itself than to break upon
receipt.  Here is the patch.

Regarding the suffix prompt, give me some time to think about it.  At
the beginning I just matched GNU gzip's behavior, but they cover the case
where -S is specified when decompressing, which we don't care about, so it
might be reasonable for us to explicitly say it's too long.

Cheers,
--
Xin LI <delphij@delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
Attachment: gzip.c-S-underflow-revised.diff

Index: gzip.c
===================================================================
--- gzip.c	(revision 195945)
+++ gzip.c	(working copy)
@@ -150,6 +150,8 @@
 };
 #define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0])
 
+#define SUFFIX_MAXLEN	30
+
 static	const char	gzip_version[] = "FreeBSD gzip 20090621";
 
 #ifndef SMALL
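Review bot: `#define SUFFIX_MAXLEN 30` is introduced without a comment tying the value to the buffer it protects; a bound of 30 is only safe because every `outsize` handed to the filename-building `snprintf`/`memcpy` later in this file must exceed `SUFFIX_MAXLEN + 1`, and nothing here records that. Suggest a one-line comment next to the define, e.g. `/* must stay below the smallest outfile buffer; see the suffix fallback in the compress path */`, so a later change to the buffer sizes does not silently reintroduce the underflow.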
@@ -372,6 +374,8 @@
 		case 'S':
 			len = strlen(optarg);
 			if (len != 0) {
+				if (len > SUFFIX_MAXLEN)
+					errx(1, "incorrect suffix: '%s'", optarg);
 				suffixes[0].zipped = optarg;
 				suffixes[0].ziplen = len;
 			} else {
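Review bot: the new `errx(1, "incorrect suffix: '%s'", optarg)` rejects the suffix for being too long but the message does not say so, which is exactly the point the cover note raises about explicitly saying it's too long; consider `errx(1, "suffix '%s' is too long (maximum %d characters)", optarg, SUFFIX_MAXLEN)` so the user knows why an otherwise valid suffix was refused. The check is correctly placed inside `if (len != 0)`, so an empty suffix still takes the existing `else` branch.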
@@ -1236,7 +1240,7 @@
 		/* Add (usually) .gz to filename */
 		if ((size_t)snprintf(outfile, outsize, "%s%s",
 					file, suffixes[0].zipped) >= outsize)
-			memcpy(outfile - suffixes[0].ziplen - 1,
+			memcpy(outfile + outsize - suffixes[0].ziplen - 1,
 				suffixes[0].zipped, suffixes[0].ziplen + 1);
 
 #ifndef SMALL
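Review bot: the corrected destination `outfile + outsize - suffixes[0].ziplen - 1` is only inside the buffer when `outsize > suffixes[0].ziplen + 1`; the old expression `outfile - suffixes[0].ziplen - 1` always pointed before `outfile`, which is the underflow being fixed, but the new one still depends on the `SUFFIX_MAXLEN` bound from the first hunk rather than on anything local to this code. Suggest making that precondition explicit here, either as a comment on why `outsize` is guaranteed large enough or as a check such as `if (outsize <= suffixes[0].ziplen + 1) errx(1, "output file name too long");` before the copy. Note also that on truncation the `ziplen + 1` byte copy deliberately overwrites the tail of the truncated name with the suffix and its NUL, so the output file name is silently shortened; if that is the intended behaviour a short comment saying so would help the next reader.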
