blob: 10ae0302f3a9aee8f3fab8e33711553377aac546 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
From: Karol Babioch <kbabioch@suse.com>
Subject: Fix buffer overflow in password protected zip archives
Bug-Debian: https://bugs.debian.org/889838
Origin: https://bugzilla.novell.com/attachment.cgi?id=759406
--- a/fileio.c
+++ b/fileio.c
@@ -1582,6 +1582,10 @@
int r = IZ_PW_ENTERED;
char *m;
char *prompt;
+ char *zfnf;
+ char *efnf;
+ size_t zfnfl;
+ int isOverflow;
#ifndef REENTRANT
/* tell picky compilers to shut up about "unused variable" warnings */
@@ -1590,7 +1594,15 @@
if (*rcnt == 0) { /* First call for current entry */
*rcnt = 2;
- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
+ zfnf = FnFilter1(zfn);
+ efnf = FnFilter2(efn);
+ zfnfl = strlen(zfnf);
+ isOverflow = TRUE;
+ if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf))
+ {
+ isOverflow = FALSE;
+ }
+ if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) {
sprintf(prompt, LoadFarString(PasswPrompt),
FnFilter1(zfn), FnFilter2(efn));
m = prompt;
|
