[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] [HV-MED] Zip/Linux long path buffer overflow

To: martin.pitt@xxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] [HV-MED] Zip/Linux long path buffer overflow
From: Josh Bressers <bressers@xxxxxxxxxx>
Date: Fri, 5 Nov 2004 16:00:58 -0500

On Fri, Nov 05, 2004 at 02:26:33PM +0100, Martin Pitt wrote:
> I prepared a small fix for this (see below). It does not make zip work
> with long file names, but at least it exits cleanly with giving the
> reason, and does not segfault.

This fix will allow zip to create an archive with very long filenames.

I'm also changing the type of len from a signed int to size_t to prevent
trouble in the future.

--- zip-2.3/unix/unix.c.orig    2004-11-05 15:44:41.000000000 -0500
+++ zip-2.3/unix/unix.c 2004-11-05 15:50:28.000000000 -0500
@@ -319,8 +319,8 @@ iztimes *t;             /* return value:
    a file size of -1 */
 {
   struct stat s;        /* results of stat() */
-  char name[FNMAX];
-  int len = strlen(f);
+  char *name;
+  size_t len = strlen(f);
 
   if (f == label) {
     if (a != NULL)
@@ -331,6 +331,11 @@ iztimes *t;             /* return value:
       t->atime = t->mtime = t->ctime = label_utim;
     return label_time;
   }
+
+  name = malloc(len+1);
+  if (!name)
+    return 0;
+
   strcpy(name, f);
   if (name[len - 1] == '/')
     name[len - 1] = '\0';

-- 
    JB

References:
- [HV-MED] Zip/Linux long path buffer overflow
  - From: vuln
- Re: [Full-Disclosure] [HV-MED] Zip/Linux long path buffer overflow
  - From: Martin Pitt

Prev by Date: TSLSA-2004-0056 - apache
Next by Date: Making distinctions between similar-looking vulnerabilities
Previous by thread: Re: [Full-Disclosure] [HV-MED] Zip/Linux long path buffer overflow
Next by thread: [CLA-2004:884] Conectiva Security Announcement - gaim
Index(es):
- Date
- Thread