30 lines
1.1 KiB
Diff
30 lines
1.1 KiB
Diff
From 72e70a921f0f07fee748aec2274b30784e1d312a Mon Sep 17 00:00:00 2001
|
|
From: Stuart Caie <kyzer@cabextract.org.uk>
|
|
Date: Sat, 12 May 2018 10:51:34 +0100
|
|
Subject: [PATCH] =?UTF-8?q?Fix=20off-by-one=20bounds=20check=20on=20CHM=20?=
|
|
=?UTF-8?q?PMGI/PMGL=20chunk=20numbers=20and=20reject=20empty=20filenames.?=
|
|
=?UTF-8?q?=20Thanks=20to=20Hanno=20B=C3=B6ck=20for=20reporting?=
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
---
|
|
libmspack/mspack/chmd.c | 9 ++++++---
|
|
2 files changed, 16 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/mspack/chmd.c b/mspack/chmd.c
|
|
index c921c8c..9c32658 100644
|
|
--- a/mspack/chmd.c
|
|
+++ b/mspack/chmd.c
|
|
@@ -447,7 +447,10 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
|
|
while (num_entries--) {
|
|
READ_ENCINT(name_len);
|
|
if (name_len > (unsigned int) (end - p)) goto chunk_end;
|
|
+ /* consider blank filenames to be an error */
|
|
+ if (name_len == 0) goto chunk_end;
|
|
name = p; p += name_len;
|
|
+
|
|
READ_ENCINT(section);
|
|
READ_ENCINT(offset);
|
|
READ_ENCINT(length);
|
|
|