|
 |
7c6846 |
From 7daeac0b9ad98c9cd5ea5f05d3028fe171ba403a Mon Sep 17 00:00:00 2001
|
|
|
7c6846 |
From: Stuart Caie <kyzer@cabextract.org.uk>
|
|
|
7c6846 |
Date: Sat, 12 May 2018 10:51:34 +0100
|
|
|
7c6846 |
Subject: [PATCH 1/3] =?UTF-8?q?Fix=20off-by-one=20bounds=20check=20on=20CH?=
|
|
|
7c6846 |
=?UTF-8?q?M=20PMGI/PMGL=20chunk=20numbers=20and=20reject=20empty=20filena?=
|
|
|
7c6846 |
=?UTF-8?q?mes.=20Thanks=20to=20Hanno=20B=C3=B6ck=20for=20reporting?=
|
|
|
7c6846 |
MIME-Version: 1.0
|
|
|
7c6846 |
Content-Type: text/plain; charset=UTF-8
|
|
|
7c6846 |
Content-Transfer-Encoding: 8bit
|
|
|
7c6846 |
|
|
|
7c6846 |
(cherry picked from commit 72e70a921f0f07fee748aec2274b30784e1d312a)
|
|
|
7c6846 |
---
|
|
|
7c6846 |
libmspack/trunk/mspack/chmd.c | 9 ++++++---
|
|
|
7c6846 |
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
|
7c6846 |
|
|
|
7c6846 |
diff --git a/libmspack/trunk/mspack/chmd.c b/libmspack/trunk/mspack/chmd.c
|
|
|
7c6846 |
index 5a6ef54..b799154 100644
|
|
|
7c6846 |
--- a/libmspack/trunk/mspack/chmd.c
|
|
|
7c6846 |
+++ b/libmspack/trunk/mspack/chmd.c
|
|
|
7c6846 |
@@ -1,5 +1,5 @@
|
|
|
7c6846 |
/* This file is part of libmspack.
|
|
|
7c6846 |
- * (C) 2003-2011 Stuart Caie.
|
|
|
7c6846 |
+ * (C) 2003-2018 Stuart Caie.
|
|
|
7c6846 |
*
|
|
|
7c6846 |
* libmspack is free software; you can redistribute it and/or modify it under
|
|
|
7c6846 |
* the terms of the GNU Lesser General Public License (LGPL) version 2.1
|
|
|
7c6846 |
@@ -397,7 +397,7 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
|
|
|
7c6846 |
D(("first pmgl chunk is after last pmgl chunk"))
|
|
|
7c6846 |
return MSPACK_ERR_DATAFORMAT;
|
|
|
7c6846 |
}
|
|
|
7c6846 |
- if (chm->index_root != 0xFFFFFFFF && chm->index_root > chm->num_chunks) {
|
|
|
7c6846 |
+ if (chm->index_root != 0xFFFFFFFF && chm->index_root >= chm->num_chunks) {
|
|
|
7c6846 |
D(("index_root outside valid range"))
|
|
|
7c6846 |
return MSPACK_ERR_DATAFORMAT;
|
|
|
7c6846 |
}
|
|
|
7c6846 |
@@ -447,7 +447,10 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
|
|
|
7c6846 |
while (num_entries--) {
|
|
|
7c6846 |
READ_ENCINT(name_len);
|
|
|
7c6846 |
if (name_len > (unsigned int) (end - p)) goto chunk_end;
|
|
|
7c6846 |
+ /* consider blank filenames to be an error */
|
|
|
7c6846 |
+ if (name_len == 0) goto chunk_end;
|
|
|
7c6846 |
name = p; p += name_len;
|
|
|
7c6846 |
+
|
|
|
7c6846 |
READ_ENCINT(section);
|
|
|
7c6846 |
READ_ENCINT(offset);
|
|
|
7c6846 |
READ_ENCINT(length);
|
|
|
7c6846 |
@@ -622,7 +625,7 @@ static unsigned char *read_chunk(struct mschm_decompressor_p *self,
|
|
|
7c6846 |
unsigned char *buf;
|
|
|
7c6846 |
|
|
|
7c6846 |
/* check arguments - most are already checked by chmd_fast_find */
|
|
|
7c6846 |
- if (chunk_num > chm->num_chunks) return NULL;
|
|
|
7c6846 |
+ if (chunk_num >= chm->num_chunks) return NULL;
|
|
|
7c6846 |
|
|
|
7c6846 |
/* ensure chunk cache is available */
|
|
|
7c6846 |
if (!chm->chunk_cache) {
|
|
|
7c6846 |
--
|
|
|
7c6846 |
2.18.0
|
|
|
7c6846 |
|