From a3db5806d012082b9e25cc36d09f19cd736a468f Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Sun, 10 Jan 2010 17:13:01 +0100 Subject: [PATCH] gzip -d: do not clobber stack for valid input on x86_64 * unlzw.c (unlzw): Avoid integer overflow. Aki Helin reported the segfault along with an input to trigger the bug. * NEWS (Bug fixes): Mention it. --- NEWS | 5 +++++ THANKS | 1 + unlzw.c | 3 ++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 3e50762..747253f 100644 --- a/NEWS +++ b/NEWS @@ -4,6 +4,11 @@ GNU gzip NEWS -*- outline -*- ** Bug fixes + gzip -d could segfault and/or clobber the stack, possibly leading to + arbitrary code execution. This affects x86_64 but not 32-bit systems. + This fixes CVE-2010-0001. + For more details, see http://bugzilla.redhat.com/554418 + gzip -d would fail with a CRC error for some valid inputs. So far, the only valid input known to exhibit this failure was compressed "from FAT filesystem (MS-DOS, OS/2, NT)". In addition, diff --git a/THANKS b/THANKS index 4725543..183d39c 100644 --- a/THANKS +++ b/THANKS @@ -97,6 +97,7 @@ Harald Hanche-Olsen hanche@ams.sunysb.edu Darrel R. Hankerson hankedr@mail.auburn.edu Mark Hanning-Lee markhl@romeo.caltech.edu Lars Hecking st000002@hrz1.hrz.th-darmstadt.de +Aki Helin aki.helin@iki.fi Ruediger Helsch ruediger@ramz.ing.tu-bs.de Mark C. Henderson mch@sqwest.wimsey.bc.ca Karl Heuer karl@kelp.boston.ma.us diff --git a/unlzw.c b/unlzw.c index fb9ff76..8f8cbee 100644 --- a/unlzw.c +++ b/unlzw.c @@ -240,7 +240,8 @@ int unlzw(in, out) int o; resetbuf: - e = insize-(o = (posbits>>3)); + o = posbits >> 3; + e = o <= insize ? insize - o : 0; for (i = 0 ; i < e ; ++i) { inbuf[i] = inbuf[i+o]; -- 2.47.2
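Review bot: the new NEWS entry in the first hunk names the CVE and the Red Hat bug but does not say which gzip releases are affected, which is the first thing a distributor reading NEWS needs; suggest adding the affected version range to the entry (for example "[bug present since gzip X.Y]", using whatever range the maintainers can confirm) alongside "This fixes CVE-2010-0001."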
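Review bot: in the unlzw.c hunk, the guard `e = o <= insize ? insize - o : 0;` prevents the wrap that let the copy loop run off the buffer, but when `o > insize` it silently treats a bit position beyond the buffered input as "nothing to keep" instead of flagging the stream as corrupt; consider whether that case should instead produce a diagnostic, since a consistent decoder state should never place `posbits >> 3` past `insize`. Two smaller points: the comparison mixes `int o` with `insize`, so if `insize` is unsigned a negative `o` would convert to a large value and pass the check (a cast or an explicit `o >= 0 &&` would make the intent clear), and since the reporter supplied a triggering input, adding it as a regression test would keep this fix from regressing. A one-line comment above the guard explaining why the clamp is needed would also help future readers.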