Bugtraq mailing list archives
Re: [Full-Disclosure] [HV-MED] Zip/Linux long path buffer overflow
From: Josh Bressers <bressers () redhat com>
Date: Fri, 5 Nov 2004 16:00:58 -0500
On Fri, Nov 05, 2004 at 02:26:33PM +0100, Martin Pitt wrote:
I prepared a small fix for this (see below). It does not make zip work with long file names, but at least it exits cleanly with giving the reason, and does not segfault.
This fix will allow zip to create an archive with very long filenames. I'm also changing the type of len from a signed int to size_t to prevent trouble in the future. --- zip-2.3/unix/unix.c.orig 2004-11-05 15:44:41.000000000 -0500 +++ zip-2.3/unix/unix.c 2004-11-05 15:50:28.000000000 -0500 @@ -319,8 +319,8 @@ iztimes *t; /* return value: a file size of -1 */ { struct stat s; /* results of stat() */ - char name[FNMAX]; - int len = strlen(f); + char *name; + size_t len = strlen(f); if (f == label) { if (a != NULL) @@ -331,6 +331,11 @@ iztimes *t; /* return value: t->atime = t->mtime = t->ctime = label_utim; return label_time; } + + name = malloc(len+1); + if (!name) + return 0; + strcpy(name, f); if (name[len - 1] == '/') name[len - 1] = '\0'; -- JB
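Review bot: In the first hunk (@@ -319,8 +319,8 @@), `char name[FNMAX];` becomes `char *name;`, but neither hunk adds a matching `free(name)`. The buffer used to be released automatically when the function returned; as a heap allocation it now leaks on every call that gets past the `f == label` branch. Add `free(name);` before each return that follows the allocation, or route those returns through a single exit point that frees it.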
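Review bot: In the second hunk (@@ -331,6 +331,11 @@), the unchanged context line `if (name[len - 1] == '/')` is unguarded for an empty `f`. With `len` now a `size_t`, `len - 1` wraps to the maximum value when `len` is 0, and the buffer is only `len+1` (one) byte long, so the index is far out of bounds. Guard it as `if (len > 0 && name[len - 1] == '/')`. Separately, the `if (!name) return 0;` path fails silently: consider printing an out-of-memory diagnostic there so the caller and the user can tell an allocation failure apart from the other cases in which this function returns 0.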