[Zlib-devel] potential overflows by sprintf/vsprintf in gzio.c

Glenn Randers-Pehrson glennrp at comcast.net
Sat Apr 5 19:58:01 EST 2003


NetBSD is distributing a security vulnerability report and patch:
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-004-zlib-1.6.patch

It relates to the lack of checking the length of the "buf" returned
by vsprintf in the gzprintf function in gzio.c.

zlib-1.2.0.1 appears to address the problem, but I don't
think it is quite right.

Lines 575 and 616 do check for len >= sizeof(buf) but that appears to
be unnecessary because len was returned by vsnprintf or snprintf,
respectively, which should have already checked the length and
returned a string that is within the sizeof(buf).

On the other hand, lines 558 and 597 do not check for overflow, but
here len was returned by vsprintf or sprintf, respectively, which
don't check the length.

Therefore, I would swap lines 558 and 575, and lines 597 and 616.

I'm still a little unhappy though because the checks occur after
the buf has potentially been overflowed.  I don't see an easy way
around that problem, though.

Glenn
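As an added example of the pattern under discussion (this is not code from zlib, from gzio.c, or from the message above), here is a gzprintf-shaped formatter that uses vsnprintf into a fixed-size buffer and treats the return value as the truncation indicator. The function names, the 64-byte buffer size and the sample inputs are assumptions made for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Buffer size is an assumption for this example; gzio.c used its own
 * Z_PRINTF_BUFSIZE, which is not reproduced here. */
#define EXAMPLE_BUFSIZE 64

/* Hypothetical bounded formatter in the shape of gzprintf (added example,
 * not zlib's code). Formats into a fixed-size stack buffer with vsnprintf,
 * then refuses to use the result unless it fit. Returns the number of bytes
 * written to 'out' (excluding the NUL), or -1 on truncation or error. */
static int bounded_format(char *out, size_t outsz, const char *fmt, ...)
{
    char buf[EXAMPLE_BUFSIZE];
    va_list va;
    int len;

    va_start(va, fmt);
    len = vsnprintf(buf, sizeof(buf), fmt, va);
    va_end(va);

    /* C99 vsnprintf never writes past sizeof(buf), and returns the length
     * the full string would have had, so len >= sizeof(buf) means the
     * output was cut short. Pre-C99 implementations (old glibc, Windows
     * _vsnprintf) return -1 on truncation instead; test for both. This is
     * the check the vsprintf path cannot do, because vsprintf has already
     * written past the end of buf before any length is known. */
    if (len < 0 || (size_t)len >= sizeof(buf))
        return -1;
    if ((size_t)len >= outsz)
        return -1;
    memcpy(out, buf, (size_t)len + 1);
    return len;
}

/* Shows what vsnprintf itself reports for the same input without using
 * the buffer contents: under C99 this exceeds the buffer size when the
 * output did not fit. */
static int reported_length(const char *fmt, ...)
{
    char buf[EXAMPLE_BUFSIZE];
    va_list va;
    int len;

    va_start(va, fmt);
    len = vsnprintf(buf, sizeof(buf), fmt, va);
    va_end(va);
    return len;
}

/* Constructed 80-byte input that cannot fit in the 64-byte buffer. */
static void make_overlong(char *dst, size_t dstsz)
{
    memset(dst, 'A', dstsz - 1);
    dst[dstsz - 1] = '\0';
}

static int overlong_case(char *out, size_t outsz)
{
    char big[81];
    make_overlong(big, sizeof(big));
    return bounded_format(out, outsz, "%s", big);
}

static int overlong_reported(void)
{
    char big[81];
    make_overlong(big, sizeof(big));
    return reported_length("%s", big);
}

int main(void)
{
    char out[128];
    int n = bounded_format(out, sizeof(out), "%s-%d", "short", 42);
    printf("fits: len=%d out=\"%s\"\n", n, out);
    printf("overlong: bounded_format=%d, vsnprintf reported %d\n",
           overlong_case(out, sizeof(out)), overlong_reported());
    return 0;
}
```

The point of the two helpers is the difference between the paths in the message: with vsnprintf the buffer is never overrun and the caller learns, from the return value, that output was dropped; with vsprintf there is nothing left to check once the call returns, because any overflow has already happened. The `len < 0` clause covers toolchains whose vsnprintf predates the C99 return convention.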
