From: Xin LI
Date: Fri, 31 Jul 2009 08:37:27 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r195988 - head/usr.bin/gzip

Author: delphij
Date: Fri Jul 31 08:37:27 2009
New Revision: 195988
URL: http://svn.freebsd.org/changeset/base/195988

Log:
  Correct a stack underflow in gzip:

   - Limit suffix to be no more than 30 bytes long. This matches GNU
     behavior.
   - Correct usage of memcpy().

  Note that this commit only corrects the stack underflow issue, we
  still need some other fixes to cover other edges. [1]

  Reported by: Ron Jude
  Discussed with: Matthew Green (original NetBSD gzip author),
                  Eygene Ryabinkin [1]
  Approved by: re (kib)

Modified:
  head/usr.bin/gzip/gzip.c

Modified: head/usr.bin/gzip/gzip.c
==============================================================================
--- head/usr.bin/gzip/gzip.c Fri Jul 31 07:53:09 2009 (r195987) +++ head/usr.bin/gzip/gzip.c Fri Jul 31 08:37:27 2009 (r195988) @@ -150,6 +150,8 @@ static suffixes_t suffixes[] = { }; #define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0]) +#define SUFFIX_MAXLEN 30 + static const char gzip_version[] = "FreeBSD gzip 20090621"; #ifndef SMALL @@ -372,6 +374,8 @@ main(int argc, char **argv) case 'S': len = strlen(optarg); if (len != 0) { + if (len > SUFFIX_MAXLEN) + errx(1, "incorrect suffix: '%s': too long", optarg); suffixes[0].zipped = optarg; suffixes[0].ziplen = len; } else { 
@@ -1236,7 +1240,7 @@ file_compress(char *file, char *outfile, /* Add (usually) .gz to filename */ if ((size_t)snprintf(outfile, outsize, "%s%s", file, suffixes[0].zipped) >= outsize) - memcpy(outfile - suffixes[0].ziplen - 1, + memcpy(outfile + outsize - suffixes[0].ziplen - 1, suffixes[0].zipped, suffixes[0].ziplen + 1); #ifndef SMALL
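
Review bot: SUFFIX_MAXLEN in the first hunk (@@ -150,6 +150,8 @@) is defined without a comment, so a reader cannot tell from the definition where 30 comes from or whether it includes the terminating NUL. The log message says it matches GNU behavior, and the -S check compares it against strlen(optarg), so it excludes the NUL; a one-line comment above the #define stating both would keep later buffer-size reasoning in file_compress() from being off by one.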
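
Review bot: The new length check in the -S case of main() (@@ -372,6 +374,8 @@) introduces a user-visible limit that is not documented, since gzip.c is the only file this commit modifies. Please describe the limit wherever -S is documented, and consider printing SUFFIX_MAXLEN in the errx() message so the user learns the bound rather than only that the suffix is "too long". The error text also echoes the whole of optarg, which at this point is known to be oversized; reporting its length instead would keep the diagnostic short.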
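
Review bot: In the file_compress() hunk (@@ -1236,7 +1240,7 @@), the corrected destination outfile + outsize - suffixes[0].ziplen - 1 stays inside the buffer only when outsize >= suffixes[0].ziplen + 1, and nothing visible in this hunk checks that. With ziplen capped at SUFFIX_MAXLEN by the -S check, the copy is safe only if every caller passes an outsize of at least 31, so an explicit test before the memcpy() (failing with an error when it does not hold) would make the invariant local instead of depending on a check in main(). Separately, this path still overwrites the tail of the file name when snprintf() truncates, so the output name silently differs from file plus suffix; returning an error here instead of patching the name may be one of the remaining edge cases the log message mentions.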