git-svn: trunk@1649
Trog authored on 2005/07/15 19:23:51... | ... |
@@ -1,3 +1,7 @@ |
1 |
+Fri Jul 15 11:19:54 BST 2005 (trog) |
|
2 |
+----------------------------------- |
|
3 |
+ * libclamav/chmunpack.c: Fix possible malloc overflow. Reported by Alex Wheeler. |
|
4 |
+ |
|
1 | 5 |
Mon Jul 11 15:57:05 BST 2005 (njh) |
2 | 6 |
---------------------------------- |
3 | 7 |
* libclamav/tnef.c: Fix possible crash if the length field is 0 or negative |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
/* |
2 | 2 |
* Extract component parts of MS CHM files |
3 | 3 |
* |
4 |
- * Copyright (C) 2004 trog@uncon.org |
|
4 |
+ * Copyright (C) 2004-2005 trog@uncon.org |
|
5 | 5 |
* |
6 | 6 |
* This program is free software; you can redistribute it and/or modify |
7 | 7 |
* it under the terms of the GNU General Public License as published by |
... | ... |
@@ -480,13 +480,23 @@ static int read_chunk_entries(unsigned char *chunk, uint32_t chunk_len, |
480 | 480 |
file_e->next = NULL; |
481 | 481 |
|
482 | 482 |
name_len = read_enc_int(¤t, end); |
483 |
- file_e->name = (unsigned char *) cli_malloc(name_len+1); |
|
484 |
- if (!file_e->name) { |
|
485 |
- free(file_e); |
|
486 |
- return FALSE; |
|
483 |
+ if (name_len > 0xFFFFFF) { |
|
484 |
+ cli_dbgmsg("CHM file name too long: %llu\n", name_len); |
|
485 |
+ file_e->name = (unsigned char *) cli_malloc(10); |
|
486 |
+ if (!file_e->name) { |
|
487 |
+ free(file_e); |
|
488 |
+ return FALSE; |
|
489 |
+ } |
|
490 |
+ file_e->name = strdup("truncated"); |
|
491 |
+ } else { |
|
492 |
+ file_e->name = (unsigned char *) cli_malloc(name_len+1); |
|
493 |
+ if (!file_e->name) { |
|
494 |
+ free(file_e); |
|
495 |
+ return FALSE; |
|
496 |
+ } |
|
497 |
+ strncpy(file_e->name, current, name_len); |
|
498 |
+ file_e->name[name_len] = '\0'; |
|
487 | 499 |
} |
488 |
- strncpy(file_e->name, current, name_len); |
|
489 |
- file_e->name[name_len] = '\0'; |
|
490 | 500 |
current += name_len; |
491 | 501 |
file_e->section = read_enc_int(¤t, end); |
492 | 502 |
file_e->offset = read_enc_int(¤t, end); |
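Review bot: The new `name_len > 0xFFFFFF` cap bounds the allocation but not the copy: in the else branch `strncpy(file_e->name, current, name_len)` may still read up to `name_len` bytes from `current` (it stops early only at a NUL), and nothing in the hunk compares `name_len` with the bytes left before `end`, so a crafted entry could be read past the chunk. Bounding against the buffer instead, e.g. `if (name_len > (uint64_t)(end - current)) { free(file_e); return FALSE; }` (assuming `name_len` is a 64-bit unsigned value, as the `%llu` suggests, and `current <= end`), would cover both the allocation overflow and the over-read. It would also keep `current += name_len` from moving past `end` in the oversized case, where the following `read_enc_int` calls then start from an out-of-range pointer; whether `read_enc_int` tolerates that is not visible here. Separately, in the oversized branch the `cli_malloc(10)` buffer is leaked when `file_e->name` is overwritten by `strdup("truncated")`, and the `strdup` result is not checked; `strcpy((char *)file_e->name, "truncated");` into the buffer just allocated avoids both. `read_chunk_entries` starts and ends outside the hunk.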