
length checks when looking for control files

kyz committed Feb 18, 2019
1 parent cb5d78c commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d
Showing with 19 additions and 13 deletions.
  1. +8 −0 libmspack/ChangeLog
  2. +11 −13 libmspack/mspack/chmd.c
@@ -1,3 +1,11 @@
2019-02-18 Stuart Caie <kyzer@cabextract.org.uk>

* chmd_read_headers(): a CHM file name beginning "::" but shorter
than 33 bytes will lead to reading past the freshly-allocated name
buffer - checks for specific control filenames didn't take length
into account. Thanks to ADLab of Venustech for the report and
proof of concept.

2018-11-03 Stuart Caie <kyzer@cabextract.org.uk>

* configure.ac, doc/Makefile.in, doc/Doxyfile.in: remove these
@@ -483,19 +483,17 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,

if (name[0] == ':' && name[1] == ':') {
/* system file */
if (memcmp(&name[2], &content_name[2], 31L) == 0) {
if (memcmp(&name[33], &content_name[33], 8L) == 0) {
chm->sec1.content = fi;
}
else if (memcmp(&name[33], &control_name[33], 11L) == 0) {
chm->sec1.control = fi;
}
else if (memcmp(&name[33], &spaninfo_name[33], 8L) == 0) {
chm->sec1.spaninfo = fi;
}
else if (memcmp(&name[33], &rtable_name[33], 72L) == 0) {
chm->sec1.rtable = fi;
}
if (name_len == 40 && memcmp(name, content_name, 40) == 0) {
chm->sec1.content = fi;
}
else if (name_len == 44 && memcmp(name, control_name, 44) == 0) {
chm->sec1.control = fi;
}
else if (name_len == 41 && memcmp(name, spaninfo_name, 41) == 0) {
chm->sec1.spaninfo = fi;
}
else if (name_len == 105 && memcmp(name, rtable_name, 105) == 0) {
chm->sec1.rtable = fi;
}
fi->next = chm->sysfiles;
chm->sysfiles = fi;
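Review bot: The literal lengths 40, 44, 41 and 105 in the new comparisons each appear twice and must equal the exact lengths of content_name, control_name, spaninfo_name and rtable_name, which are defined outside this hunk; nothing in the visible lines ties the numbers to the strings. If one of those constants is ever edited, a stale number would either mis-match the entry or make memcmp read past the end of the constant, the same class of over-read the ChangeLog entry describes. I would add a comment above the chain such as `/* each length is strlen() of the matching *_name constant; name_len must equal it before memcmp touches name */`, or derive each length once from its constant instead of repeating the literal. The unchanged guard `name[0] == ':' && name[1] == ':'` at the top of the hunk still reads two bytes without consulting name_len; whether name always holds at least two bytes (or a terminator) is decided outside the hunk and is worth confirming. chmd_read_headers starts and ends outside the hunk.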
