sources/unarj/unarj-2.65-overflow.diff

   1 --- unarj.c.orig        2006-08-26 13:28:46.000000000 +0200
   2 +++ unarj.c     2006-08-26 13:29:10.000000000 +0200
   3 @@ -213,7 +213,7 @@
   4  static short  method;
   5  static uint   file_mode;
   6  static ulong  time_stamp;
   7 -static short  entry_pos;
   8 +static ushort entry_pos;
   9  static ushort host_data;
  10  static uchar  *get_ptr;
  11  static UCRC   file_crc;
  12 @@ -604,6 +604,7 @@
  13          error(M_BADHEADR, "");
  14
  15      crc = CRC_MASK;
  16 +    memset(header, 0, sizeof(header));
  17      fread_crc(header, (int) headersize, fd);
  18      header_crc = fget_crc(fd);
  19      if ((crc ^ CRC_MASK) != header_crc)
  20 @@ -628,9 +629,13 @@
  21
  22      if (origsize < 0 || compsize < 0)
  23          error(M_HEADRCRC, "");
  24 +    if(first_hdr_size > headersize-2) /* need two \0 for file and comment */
  25 +        error(M_BADHEADR, "");
  26
  27      hdr_filename = (char *)&header[first_hdr_size];
  28      strncopy(filename, hdr_filename, sizeof(filename));
  29 +    if(entry_pos >= strlen(filename))
  30 +        error(M_BADHEADR, "");
  31      if (host_os != OS)
  32          strparity((uchar *)filename);
  33      if ((arj_flags & PATHSYM_FLAG) != 0)
  34 @@ -727,11 +732,11 @@
  35
  36      no_output = 0;
  37      if (command == 'E')
  38 -        strcpy(name, &filename[entry_pos]);
  39 +        strncopy(name, &filename[entry_pos], sizeof(name));
  40      else
  41      {
  42          strcpy(name, DEFAULT_DIR);
  43 -        strcat(name, filename);
  44 +        strncopy(name+strlen(name), filename, sizeof(name)-strlen(name));
  45      }
  46
  47      if (host_os != OS)