Synopsis: Buffer overflow in zlib gzprintf() (originally reported as a format string vulnerability; the fix bounds the sprintf into the fixed-size buffer and rejects truncated output)
NetBSD versions: NetBSD-1.6
Thanks to: Bill Squier
Reported in NetBSD Security Advisory: NetBSD-SA2003-004
va_start(va, format);
! #ifdef HAS_vsnprintf
! (void)vsnprintf(buf, sizeof(buf), format, va);
! #else
! (void)vsprintf(buf, format, va);
! #endif
va_end(va);
! len = strlen(buf); /* some *sprintf don't return the nb of bytes written */
! if (len <= 0) return 0;
return gzwrite(file, buf, (unsigned)len);
}
--- 531,539 ----
int len;
va_start(va, format);
! len = vsnprintf(buf, sizeof(buf), format, va);
va_end(va);
! if (len <= 0 || len >= sizeof(buf)) return 0;
return gzwrite(file, buf, (unsigned)len);
}
*************** int ZEXPORTVA gzprintf (file, format, a1
*** 554,568 ****
char buf[Z_PRINTF_BUFSIZE];
int len;
! #ifdef HAS_snprintf
! snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
! #else
! sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
! a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
! #endif
! len = strlen(buf); /* old sprintf doesn't return the nb of bytes written */
! if (len <= 0) return 0;