From pj@skalman.campus.luth.se  Sun Mar  2 09:16:25 2003
Return-Path: <pj@skalman.campus.luth.se>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B5D6B37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  2 Mar 2003 09:16:25 -0800 (PST)
Received: from skalman.campus.luth.se (skalman.campus.luth.se [130.240.197.52])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 837E543FB1
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  2 Mar 2003 09:16:24 -0800 (PST)
	(envelope-from pj@skalman.campus.luth.se)
Received: from skalman.campus.luth.se (localhost [127.0.0.1])
	by skalman.campus.luth.se (8.12.7/8.12.7) with ESMTP id h22HGMss010662
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 2 Mar 2003 18:16:22 +0100 (CET)
	(envelope-from pj@skalman.campus.luth.se)
Received: (from pj@localhost)
	by skalman.campus.luth.se (8.12.7/8.12.7/Submit) id h22HGMFt010661;
	Sun, 2 Mar 2003 18:16:22 +0100 (CET)
Message-Id: <200303021716.h22HGMFt010661@skalman.campus.luth.se>
Date: Sun, 2 Mar 2003 18:16:22 +0100 (CET)
From: Peter A Jonsson <pj@ludd.luth.se>
Reply-To: Peter A Jonsson <pj@ludd.luth.se>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Missing error checks in gzprintf.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         48844
>Category:       bin
>Synopsis:       Missing error checks in gzprintf.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    peter
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 02 09:20:11 PST 2003
>Closed-Date:    Thu Mar 13 17:53:50 PST 2003
>Last-Modified:  Thu Mar 13 17:53:50 PST 2003
>Originator:     Peter A Jonsson
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
none.
>Environment:
System: FreeBSD skalman.campus.luth.se 5.0-CURRENT FreeBSD 5.0-CURRENT #9: Fri Feb 28 18:06:40 CET 2003 pantzer@skalman.campus.luth.se:/usr/obj/usr/src/sys/SKALMAN i386



>Description:
	In src/lib/libz/gzio.c the function gzprintf does not check whether the
	number of bytes (supposed to be) written by vsnprintf exceeds the
	size of the buffer.
>How-To-Repeat:
	N/A
>Fix:
	From OpenBSD:

Index: gzio.c
===================================================================
RCS file: /home/ncvs/src/lib/libz/gzio.c,v
retrieving revision 1.8
diff -u -r1.8 gzio.c
--- gzio.c	11 Mar 2002 22:36:26 -0000	1.8
+++ gzio.c	2 Mar 2003 17:05:48 -0000
@@ -531,13 +531,13 @@
 
     va_start(va, format);
 #ifdef HAS_vsnprintf
-    (void)vsnprintf(buf, sizeof(buf), format, va);
+    len = vsnprintf(buf, sizeof(buf), format, va);
 #else
     (void)vsprintf(buf, format, va);
+    len = strlen(buf); /* some *sprintf don't return the nb of bytes written */
 #endif
     va_end(va);
-    len = strlen(buf); /* some *sprintf don't return the nb of bytes written */
-    if (len <= 0) return 0;
+    if (len <= 0 || len >= sizeof(buf)) return 0;
 
     return gzwrite(file, buf, (unsigned)len);
 }
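Review bot: the `#else` path is still unbounded: `(void)vsprintf(buf, format, va);` has no size limit, so by the time `len = strlen(buf)` runs and `len >= sizeof(buf)` is tested, any overflow has already happened; the new check only reports the damage after the fact. On builds without `HAS_vsnprintf` it would be safer to fail the compile (`#error`) or fall back to a bounded formatter than to keep `vsprintf`. Minor: `len >= sizeof(buf)` compares `int` against `size_t`, which is fine here only because `len <= 0` is tested first and short-circuits the negative case; worth a comment so a later reordering does not reintroduce a signed/unsigned surprise.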
@@ -554,14 +554,14 @@
     int len;
 
 #ifdef HAS_snprintf
-    snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
+    len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
 	     a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
 #else
     sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
 	    a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
-#endif
     len = strlen(buf); /* old sprintf doesn't return the nb of bytes written */
-    if (len <= 0) return 0;
+#endif
+    if (len <= 0 || len >= sizeof(buf)) return 0;
 
     return gzwrite(file, buf, len);
 }
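Review bot: `return gzwrite(file, buf, len);` passes the signed `len` without the `(unsigned)` cast used in the gzprintf hunk above; make the two consistent. Moving `len = strlen(buf);` inside the `#endif` is correct now that `len = snprintf(...)` sets it, but note two caveats: the `sprintf` branch remains unbounded exactly as `vsprintf` does in the first hunk, and on pre-C99 `snprintf` implementations that return the number of characters actually stored (or -1) on truncation, `len >= sizeof(buf)` never fires, so a silently truncated string is still handed to `gzwrite`.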


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->peter 
Responsible-Changed-By: johan 
Responsible-Changed-When: Thu Mar 6 11:39:35 PST 2003 
Responsible-Changed-Why:  
Over to libz maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48844 
State-Changed-From-To: open->closed 
State-Changed-By: jmz 
State-Changed-When: Thu Mar 13 17:52:54 PST 2003 
State-Changed-Why:  
Committed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48844 
>Unformatted:
