Date: Wed, 15 Apr 2015 00:07:22 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r281540 - head/usr.bin/gzip Message-ID: <201504150007.t3F07Mv6090730@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Wed Apr 15 00:07:21 2015 New Revision: 281540 URL: https://svnweb.freebsd.org/changeset/base/281540 Log: When reading in the original file name from gzip header, we read in PATH_MAX + 1 bytes from the file. In r281500, strrchr() is used to strip possible path portion of the file name to mitigate a possible attack. Unfortunately, strrchr() expects a buffer that is NUL-terminated, and since we are processing potentially untrusted data, we can not assert that be always true. Solve this by reading in one less byte (now PATH_MAX) and explicitly terminate the buffer after the read size with NUL. Reported by: Coverity CID: 1264915 X-MFC-with: 281500 MFC after: 13 days Modified: head/usr.bin/gzip/gzip.c Modified: head/usr.bin/gzip/gzip.c ============================================================================== --- head/usr.bin/gzip/gzip.c Tue Apr 14 20:08:37 2015 (r281539) +++ head/usr.bin/gzip/gzip.c Wed Apr 15 00:07:21 2015 (r281540) @@ -1409,14 +1409,17 @@ file_uncompress(char *file, char *outfil timestamp = ts[3] << 24 | ts[2] << 16 | ts[1] << 8 | ts[0]; if (header1[3] & ORIG_NAME) { - rbytes = pread(fd, name, sizeof name, GZIP_ORIGNAME); + rbytes = pread(fd, name, sizeof(name) - 1, GZIP_ORIGNAME); if (rbytes < 0) { maybe_warn("can't read %s", file); goto lose; } - if (name[0] != 0) { + if (name[0] != '\0') { char *dp, *nf; + /* Make sure that name is NUL-terminated */ + name[rbytes] = '\0'; + /* strip saved directory name */ nf = strrchr(name, '/'); if (nf == NULL)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201504150007.t3F07Mv6090730>