From 391d9d98e32504078f9c955a91747ac103357977 Mon Sep 17 00:00:00 2001
From: Matthew Dillon
Date: Tue, 4 Aug 2009 13:16:22 -0700
Subject: [PATCH] gzip - Fix stack underflow, exit on path too long
* Fix a stack underflow issue (from Xin LI )
* errx if the path is too long for gzip to properly add or remove a suffix, instead of truncating the path.
---
 usr.bin/gzip/gzip.c | 14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/usr.bin/gzip/gzip.c b/usr.bin/gzip/gzip.c
index 70c10b4..412deb5 100644
--- a/usr.bin/gzip/gzip.c
+++ b/usr.bin/gzip/gzip.c
@@ -145,6 +145,8 @@ static suffixes_t suffixes[] = {
 };
 #define NUM_SUFFIXES (sizeof suffixes / sizeof suffixes[0])
+#define SUFFIX_MAXLEN 30
+
 static const char gzip_version[] = "NetBSD gzip 20060927";
 static int cflag; /* stdout mode */
@@ -337,6 +339,8 @@ main(int argc, char **argv)
 case 'S':
 len = strlen(optarg);
 if (len != 0) {
+ if (len >= SUFFIX_MAXLEN)
+ errx(1, "incorrect suffix: '%s'", optarg);
 suffixes[0].zipped = optarg;
 suffixes[0].ziplen = len;
 } else {
@@ -1204,10 +1208,9 @@ file_compress(char *file, char *outfile, size_t outsize)
 /* Add (usually) .gz to filename */
 if ((size_t)snprintf(outfile, outsize, "%s%s",
- file, suffixes[0].zipped) >= outsize)
- memcpy(outfile - suffixes[0].ziplen - 1,
- suffixes[0].zipped, suffixes[0].ziplen + 1);
-
+ file, suffixes[0].zipped) >= outsize) {
+ errx(1, "file path too long: %s", file);
+ }
 #ifndef SMALL
 if (check_outfile(outfile) == 0) {
 close(in);
@@ -1297,7 +1300,8 @@ file_uncompress(char *file, char *outfile, size_t outsize)
 goto lose;
 }
- strlcpy(outfile, file, outsize);
+ if ((size_t)snprintf(outfile, outsize, "%s", file) >= outsize)
+ errx(1, "file path too long: %s", file);
 if (check_suffix(outfile, 1) == NULL && !(cflag || lflag)) {
 maybe_warnx("%s: unknown suffix -- ignored", file);
 goto lose;
--
1.7.7.2
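Review bot: `SUFFIX_MAXLEN` in the first hunk is added without a comment saying what the 30 bounds or why that value was chosen. From the `-S` hunk it appears to be an exclusive upper bound on the user-supplied suffix length, presumably so the suffix stays small relative to the path buffers, but that relationship is not stated. Suggest a one-line comment such as `/* exclusive upper bound on the -S suffix length; keeps suffix handling well inside the path buffers */`. The surrounding declarations continue outside the hunk.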
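Review bot: The new `errx(1, "incorrect suffix: '%s'", optarg)` in the `case 'S':` hunk does not tell the user what is wrong with the suffix, although the only condition that reaches it is `len >= SUFFIX_MAXLEN`. A message that names the limit is easier to act on, for example `errx(1, "suffix too long (max %d characters): '%s'", SUFFIX_MAXLEN - 1, optarg);`. The branch continues past the end of the hunk, so the empty-suffix handling under `else` is not visible here.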
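Review bot: Both new `errx()` calls, in the file_compress hunk and again in the file_uncompress hunk, end the whole process on the first over-long path, so any remaining file operands are never processed. The neighbouring error paths visible in these hunks give up on the one file only: `close(in);` after `check_outfile` in file_compress, and `maybe_warnx(...); goto lose;` in file_uncompress. The commit title says exiting is intended, so if that is deliberate a short comment at each call explaining why skipping the file is not enough would help the next reader. Otherwise `maybe_warnx("%s: file path too long", file);` followed by the function's existing failure path would match the surrounding style; that path lies outside both hunks, so its exact form needs checking. Separately, a negative return from `snprintf` is cast to `size_t` and so is also reported as "file path too long", which is safe but slightly misleading.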