Synopsis: gzip buffer overrun with long filename
NetBSD versions: 1.4, 1.4.1, 1.4.2, 1.4.3, 1.5, 1.5.1, 1.5.2, -current
Thanks to: Jun-ichiro itojun Hagino
Reported in NetBSD Security Advisory: NetBSD-SA2002-002
Index: gzip.c
===================================================================
RCS file: /cvsroot/gnusrc/gnu/usr.bin/gzip/gzip.c,v
retrieving revision 1.6
retrieving revision 1.6.6.1
diff -c -p -r1.6 -r1.6.6.1
*** gzip.c 1999/08/20 02:36:28 1.6
--- gzip.c 2002/01/16 10:03:34 1.6.6.1
*************** local int get_istat(iname, sbuf)
*** 1005,1011 ****
#ifdef NO_MULTIPLE_DOTS
char *dot; /* pointer to ifname extension, or NULL */
#endif
! strcpy(ifname, iname);
/* If input file exists, return OK. */
--- 1005,1018 ----
#ifdef NO_MULTIPLE_DOTS
char *dot; /* pointer to ifname extension, or NULL */
#endif
! int max_suffix_len = (z_len > 3 ? z_len : 3);
!
! /* Leave enough room in ifname or ofname for suffix: */
! if (strlen(iname) >= sizeof(ifname) - max_suffix_len) {
! strncpy(ifname, iname, sizeof(ifname) - 1);
! /* last byte of ifname is already zero and never overwritten */
! error("file name too long");
! }
strcpy(ifname, iname);
/* If input file exists, return OK. */
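Review bot: The new guard only closes the overrun if `error()` never returns; should it return, the unbounded `strcpy(ifname, iname)` that follows the `if` block still executes and overruns the buffer the `strncpy` just bounded. The comment on the truncated copy should state that dependency rather than only the terminator invariant, e.g. `/* truncated copy only so the diagnostic can name the file; error() must not return */`, so a later change to error() cannot silently reopen the bug. The check also relies on two facts the hunk does not show: that `sizeof(ofname)` is at least `sizeof(ifname)` (the comment says the room is reserved for both), and that `z_len` is validated to stay well below the buffer size, since `sizeof(ifname) - max_suffix_len` is evaluated in size_t and would wrap rather than reject if `max_suffix_len` ever reached the buffer size. get_istat's body continues outside the hunk.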