From: Matthew Dillon Date: Tue, 4 Aug 2009 20:16:22 +0000 (-0700) Subject: gzip - Fix stack underflow, exit on path too long X-Git-Tag: v2.4.0~362 X-Git-Url: http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/391d9d98e32504078f9c955a91747ac103357977 gzip - Fix stack underflow, exit on path too long * Fix a stack underflow issue (from Xin LI ) * errx if the path is too long for gzip to properly add or remove a suffix, instead of truncating the path. --- diff --git a/usr.bin/gzip/gzip.c b/usr.bin/gzip/gzip.c index 70c10b4..412deb5 100644 --- a/usr.bin/gzip/gzip.c +++ b/usr.bin/gzip/gzip.c @@ -145,6 +145,8 @@ static suffixes_t suffixes[] = { }; #define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0]) +#define SUFFIX_MAXLEN 30 + static const char gzip_version[] = "NetBSD gzip 20060927"; static int cflag; /* stdout mode */ @@ -337,6 +339,8 @@ main(int argc, char **argv) case 'S': len = strlen(optarg); if (len != 0) { + if (len >= SUFFIX_MAXLEN) + errx(1, "incorrect suffix: '%s'", optarg); suffixes[0].zipped = optarg; suffixes[0].ziplen = len; } else { @@ -1204,10 +1208,9 @@ file_compress(char *file, char *outfile, size_t outsize) /* Add (usually) .gz to filename */ if ((size_t)snprintf(outfile, outsize, "%s%s", - file, suffixes[0].zipped) >= outsize) - memcpy(outfile - suffixes[0].ziplen - 1, - suffixes[0].zipped, suffixes[0].ziplen + 1); - + file, suffixes[0].zipped) >= outsize) { + errx(1, "file path too long: %s", file); + } #ifndef SMALL if (check_outfile(outfile) == 0) { close(in); @@ -1297,7 +1300,8 @@ file_uncompress(char *file, char *outfile, size_t outsize) goto lose; } - strlcpy(outfile, file, outsize); + if ((size_t)snprintf(outfile, outsize, "%s", file) >= outsize) + errx(1, "file path too long: %s", file); if (check_suffix(outfile, 1) == NULL && !(cflag || lflag)) { maybe_warnx("%s: unknown suffix -- ignored", file); goto lose;