Attachment 43787 Details for Bug 70966 – unarj-overflow.diff

[patch] unarj-overflow.diff

unarj-overflow.diff (text/plain), 1.49 KB, created by solar (RETIRED) on 2004-11-12 08:00:38 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: solar (RETIRED)

Created: 2004-11-12 08:00:38 UTC

Size: 1.49 KB

patch

obsolete

>Index: unarj-2.65/unarj.c
>===================================================================
>--- unarj-2.65.orig/unarj.c
>+++ unarj-2.65/unarj.c
>@@ -217,7 +217,7 @@ static uchar  arj_flags;
> static short  method;
> static uint   file_mode;
> static ulong  time_stamp;
>-static short  entry_pos;
>+static ushort entry_pos;
> static ushort host_data;
> static uchar  *get_ptr;
> static UCRC   file_crc;
>@@ -608,6 +608,7 @@ char *name;
>         error(M_BADHEADR, "");
> 
>     crc = CRC_MASK;
>+    memset(header, 0, sizeof(header));
>     fread_crc(header, (int) headersize, fd);
>     header_crc = fget_crc(fd);
>     if ((crc ^ CRC_MASK) != header_crc)
>@@ -632,9 +633,13 @@ char *name;
> 
>     if (origsize < 0 || compsize < 0)
>         error(M_HEADRCRC, "");
>+    if(first_hdr_size > headersize-2) /* need two \0 for file and comment */
>+        error(M_BADHEADR, "");
> 
>     hdr_filename = (char *)&header[first_hdr_size];
>     strncopy(filename, hdr_filename, sizeof(filename));
>+    if(entry_pos >= strlen(filename))
>+        error(M_BADHEADR, "");
>     if (host_os != OS)
>         strparity((uchar *)filename);
>     if ((arj_flags & PATHSYM_FLAG) != 0)
>@@ -733,11 +738,11 @@ extract()
> 
>     no_output = 0;
>     if (command == 'E')
>-        strcpy(name, &filename[entry_pos]);
>+        strncopy(name, &filename[entry_pos], sizeof(name));
>     else
>     {
>         strcpy(name, DEFAULT_DIR);
>-        strcat(name, filename);
>+        strncopy(name+strlen(name), filename, sizeof(name)-strlen(name));
>     }
> 
>     if (host_os != OS)

Actions: View | Diff

Attachments on bug 70966: 43787 | 43788 | 44273 | 44274