File pigz-strip-path.patch of Package pigz.523

Overview Repositories Revisions Requests Users Attributes Meta

File pigz-strip-path.patch of Package pigz.523

From fdad1406b3ec809f4954ff7cdf9e99eb18c2458f Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Sun, 11 Jan 2015 20:21:24 -0800
Subject: [PATCH] When decompressing with -N or -NT, strip any path from
 header name.

This uses the path of the compressed file combined with the name
from the header as the name of the decompressed output file.  Any
path information in the header name is stripped.  This avoids a
possible vulnerability where absolute or descending paths are put
in the gzip header.
---
 pigz.c | 37 +++++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 14 deletions(-)

Index: pigz-2.3/pigz.c
===================================================================
--- pigz-2.3.orig/pigz.c
+++ pigz-2.3/pigz.c
@@ -3295,24 +3295,33 @@ local void process(char *path)
                  " (use -f to force)");
     }
     else {
-        char *to, *repl;
+        char *to = g.inf, *sufx = "";
+        size_t pre = 0;
 
-        /* use header name for output when decompressing with -N */
-        to = g.inf;
-        if (g.decode && (g.headis & 1) != 0 && g.hname != NULL) {
-            to = g.hname;
-            len = strlen(g.hname);
+        /* select parts of the output file name */
+        if (g.decode) {
+            /* for -dN or -dNT, use the path from the input file and the name
+               from the header, stripping any path in the header name */
+            if ((g.headis & 1) != 0 && g.hname != NULL) {
+                pre = justname(g.inf) - g.inf;
+                to = justname(g.hname);
+                len = strlen(to);
+            }
+            /* for -d or -dNn, replace abbreviated suffixes */
+            else if (strcmp(to + len, ".tgz") == 0)
+                sufx = ".tar";
         }
-
-        /* replace .tgx with .tar when decoding */
-        repl = g.decode && strcmp(to + len, ".tgz") ? "" : ".tar";
+        else
+            /* add appropriate suffix when compressing */
+            sufx = g.sufx;
 
         /* create output file and open to write */
-        g.outf = malloc(len + (g.decode ? strlen(repl) : strlen(g.sufx)) + 1);
+        g.outf = malloc(pre + len + strlen(sufx) + 1);
         if (g.outf == NULL)
             bail("not enough memory", "");
-        memcpy(g.outf, to, len);
-        strcpy(g.outf + len, g.decode ? repl : g.sufx);
+        memcpy(g.outf, g.inf, pre);
+        memcpy(g.outf + pre, to, len);
+        strcpy(g.outf + pre + len, sufx);
         g.outd = open(g.outf, O_CREAT | O_TRUNC | O_WRONLY |
                              (g.force ? 0 : O_EXCL), 0600);

Places

File pigz-strip-path.patch of Package pigz.523

Places