[packages/lha.git] / lha-sec.patch

--- lha-114i/src/header.c.orig	2000-10-05 19:36:03.000000000 +0200
+++ lha-114i/src/header.c	2004-04-21 14:30:52.000000000 +0200
@@ -538,6 +538,10 @@
 				/*
 				 * filename
 				 */
+				if (header_size >= 256) {
+				  fprintf(stderr, "Possible buffer overflow hack attack, type #1\n");
+				  exit(109);
+				}
 				for (i = 0; i < header_size - 3; i++)
 					hdr->name[i] = (char) get_byte();
 				hdr->name[header_size - 3] = '\0';
@@ -547,6 +551,10 @@
 				/*
 				 * directory
 				 */
+				if (header_size >= FILENAME_LENGTH) {
+				  fprintf(stderr, "Possible buffer overflow hack attack, type #2\n");
+				  exit(110);
+				}
 				for (i = 0; i < header_size - 3; i++)
 					dirname[i] = (char) get_byte();
 				dirname[header_size - 3] = '\0';
--- lha-114i/src/lhext.c.orig	2000-10-04 16:57:38.000000000 +0200
+++ lha-114i/src/lhext.c	2004-04-21 14:30:52.000000000 +0200
@@ -190,8 +190,13 @@
 		q = (char *) rindex(hdr->name, '/') + 1;
 	}
 	else {
+		if (is_directory_traversal(q)) {
+		  fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q);
+		  exit(111);
+		}
+
 		if (*q == '/') {
-			q++;
+			while (*q == '/') { q++; }
 			/*
 			 * if OSK then strip device name
 			 */
@@ -419,6 +424,33 @@
 	return;
 }
 
+int
+is_directory_traversal(char *string)
+{
+  unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */
+  char *temp;
+
+  temp = string;
+
+  while (*temp != 0) {
+    if (temp[0] == '/') {
+      if (type == 1) { return 1; }
+      type = 0;
+      temp++;
+      continue;
+    }
+
+    if ((temp[0] == '.') && (type < 2))
+      type = 1;
+    if (temp[0] != '.')
+      type = 2;
+
+    temp++;
+  } /* while */
+
+  return (type == 1);
+}
+
 /* Local Variables: */
 /* mode:c */
 /* tab-width:4 */
Commit	Line	Data
8bbc4a49 PG	1	--- lha-114i/src/header.c.orig 2000-10-05 19:36:03.000000000 +0200
	2	+++ lha-114i/src/header.c 2004-04-21 14:30:52.000000000 +0200
	3	@@ -538,6 +538,10 @@
	4	/*
	5	* filename
	6	*/
	7	+ if (header_size >= 256) {
	8	+ fprintf(stderr, "Possible buffer overflow hack attack, type #1\n");
	9	+ exit(109);
	10	+ }
	11	for (i = 0; i < header_size - 3; i++)
	12	hdr->name[i] = (char) get_byte();
	13	hdr->name[header_size - 3] = '\0';
	14	@@ -547,6 +551,10 @@
	15	/*
	16	* directory
	17	*/
	18	+ if (header_size >= FILENAME_LENGTH) {
	19	+ fprintf(stderr, "Possible buffer overflow hack attack, type #2\n");
	20	+ exit(110);
	21	+ }
	22	for (i = 0; i < header_size - 3; i++)
	23	dirname[i] = (char) get_byte();
	24	dirname[header_size - 3] = '\0';
	25	--- lha-114i/src/lhext.c.orig 2000-10-04 16:57:38.000000000 +0200
	26	+++ lha-114i/src/lhext.c 2004-04-21 14:30:52.000000000 +0200
	27	@@ -190,8 +190,13 @@
	28	q = (char *) rindex(hdr->name, '/') + 1;
	29	}
	30	else {
	31	+ if (is_directory_traversal(q)) {
	32	+ fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q);
	33	+ exit(111);
	34	+ }
	35	+
	36	if (*q == '/') {
	37	- q++;
	38	+ while (*q == '/') { q++; }
	39	/*
	40	* if OSK then strip device name
	41	*/
	42	@@ -419,6 +424,33 @@
	43	return;
	44	}
	45
	46	+int
	47	+is_directory_traversal(char *string)
	48	+{
	49	+ unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */
	50	+ char *temp;
	51	+
	52	+ temp = string;
	53	+
	54	+ while (*temp != 0) {
	55	+ if (temp[0] == '/') {
	56	+ if (type == 1) { return 1; }
	57	+ type = 0;
	58	+ temp++;
	59	+ continue;
	60	+ }
	61	+
	62	+ if ((temp[0] == '.') && (type < 2))
	63	+ type = 1;
	64	+ if (temp[0] != '.')
65	+ type = 2;
66	+
67	+ temp++;
68	+ } /* while */
69	+
70	+ return (type == 1);
71	+}
72	+
73	/* Local Variables: */
74	/* mode:c */
75	/* tab-width:4 */