42 lines
1.7 KiB
Diff
42 lines
1.7 KiB
Diff
From 72e70a921f0f07fee748aec2274b30784e1d312a Mon Sep 17 00:00:00 2001
|
|
From: Stuart Caie <kyzer@cabextract.org.uk>
|
|
Date: Sat, 12 May 2018 10:51:34 +0100
|
|
Subject: [PATCH] Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames. Thanks to Hanno Böck for reporting
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
---
|
|
libmspack/ChangeLog | 10 ++++++++++
|
|
libmspack/mspack/chmd.c | 9 ++++++---
|
|
2 files changed, 16 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/mspack/chmd.c b/mspack/chmd.c
|
|
index c921c8c..9c32658 100644
|
|
--- a/mspack/chmd.c
|
|
+++ b/mspack/chmd.c
|
|
@@ -1,5 +1,5 @@
|
|
/* This file is part of libmspack.
|
|
- * (C) 2003-2011 Stuart Caie.
|
|
+ * (C) 2003-2018 Stuart Caie.
|
|
*
|
|
* libmspack is free software; you can redistribute it and/or modify it under
|
|
* the terms of the GNU Lesser General Public License (LGPL) version 2.1
|
|
@@ -397,7 +397,7 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
|
|
D(("first pmgl chunk is after last pmgl chunk"))
|
|
return MSPACK_ERR_DATAFORMAT;
|
|
}
|
|
- if (chm->index_root != 0xFFFFFFFF && chm->index_root > chm->num_chunks) {
|
|
+ if (chm->index_root != 0xFFFFFFFF && chm->index_root >= chm->num_chunks) {
|
|
D(("index_root outside valid range"))
|
|
return MSPACK_ERR_DATAFORMAT;
|
|
}
|
|
@@ -622,7 +625,7 @@ static unsigned char *read_chunk(struct mschm_decompressor_p *self,
|
|
unsigned char *buf;
|
|
|
|
/* check arguments - most are already checked by chmd_fast_find */
|
|
- if (chunk_num > chm->num_chunks) return NULL;
|
|
+ if (chunk_num >= chm->num_chunks) return NULL;
|
|
|
|
/* ensure chunk cache is available */
|
|
if (!chm->chunk_cache) {
|