Synopsis: gzip buffer overrun with long filename
NetBSD versions: 1.4, 1.4.1, 1.4.2, 1.4.3, 1.5, 1.5.1, 1.5.2, -current
Thanks to: Jun-ichiro itojun Hagino
Reported in NetBSD Security Advisory: NetBSD-SA2002-002

Index: gzip.c
===================================================================
RCS file: /cvsroot/gnusrc/gnu/usr.bin/gzip/gzip.c,v
retrieving revision 1.6
retrieving revision 1.6.6.1
diff -c -p -r1.6 -r1.6.6.1
*** gzip.c	1999/08/20 02:36:28	1.6
--- gzip.c	2002/01/16 10:03:34	1.6.6.1
*************** local int get_istat(iname, sbuf)
*** 1005,1011 ****
  #ifdef NO_MULTIPLE_DOTS
      char *dot; /* pointer to ifname extension, or NULL */
  #endif
! 
      strcpy(ifname, iname);
  
      /* If input file exists, return OK. */
--- 1005,1018 ----
  #ifdef NO_MULTIPLE_DOTS
      char *dot; /* pointer to ifname extension, or NULL */
  #endif
!     int max_suffix_len = (z_len > 3 ? z_len : 3);
!  
!     /* Leave enough room in ifname or ofname for suffix: */
!     if (strlen(iname) >= sizeof(ifname) - max_suffix_len) {
! 	strncpy(ifname, iname, sizeof(ifname) - 1);
! 	/* last byte of ifname is already zero and never overwritten */
! 	error("file name too long");
!     }
      strcpy(ifname, iname);
  
      /* If input file exists, return OK. */
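Review bot: The new length guard only protects the unconditional `strcpy(ifname, iname)` that still follows it if `error()` never returns; the hunk gives no `return` after the call, so if `error()` can come back the overrun is merely delayed by one line, and a comment such as `/* error() does not return */` (or an explicit return of ERROR after it) would make the contract visible. The bound `sizeof(ifname) - max_suffix_len` is computed in unsigned arithmetic, so unless `z_len` is limited to something well below `sizeof(ifname)` where the suffix is set (presumably the -S option parsing, not shown here), a very long suffix would wrap the subtraction and let the check pass; a `max_suffix_len >= sizeof(ifname)` test, or a note stating where `z_len` is bounded, would close that. The comment "last byte of ifname is already zero and never overwritten" assumes `ifname` is zero-initialized static storage whose last byte no other writer touches, which cannot be confirmed from this hunk; stating `ifname[sizeof(ifname) - 1]` is kept as a permanent terminator in the declaration of `ifname` would anchor that assumption. get_istat begins before and continues after this hunk.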