Package: zlib
Severity: important
In gzio.c, you can find (lines 134 to 148) a
do { ... } while (*p++ && m != fmode + sizeof(fmode));
if *p (that in fact points to an arg of gz_open) has more than
80chars, it is copied to a buffer named fmode, that is passed as an arg
of fopen. sometimes fmode may not be NULL terminated, and then a file
could be opened with (e.g.) write permissions even if not wanted (if the
next char on the stack is 'w' e.g.)
a fix may be to replace :
line 103 :
- char fmode[80]; /* copy of mode, without the compression level */
+ char fmode[81];
and then, a couple of lines after :
fmode[80] = '\0';
and then change the while condition to :
do { ... } while (*p++ && m != fmode + sizeof(fmode)-1);
a possible patch is attached.
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11.6
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
--- gzio.orig.c 2005-07-18 19:00:11.000000000 +0200
+++ gzio.c 2005-07-18 19:01:31.000000000 +0200
@@ -100,8 +100,10 @@
int strategy = Z_DEFAULT_STRATEGY; /* compression strategy */
char *p = (char*)mode;
gz_stream *s;
- char fmode[80]; /* copy of mode, without the compression level */
+ char fmode[81]; /* copy of mode, without the compression level */
char *m = fmode;
+
+ fmode[80] = 0; // allways have at least one terminating NULL
if (!path || !mode) return Z_NULL;
@@ -145,7 +147,7 @@
} else {
*m++ = *p; /* copy the mode */
}
- } while (*p++ && m != fmode + sizeof(fmode));
+ } while (*p++ && m != fmode + sizeof(fmode) - 1);
if (s->mode == '\0') return destroy(s), (gzFile)Z_NULL;
if (s->mode == 'w') {
