summaryrefslogtreecommitdiff
path: root/user/fastjar/CVE-2010-0831,2322.patch
blob: acf9f3e8697b9a0788a05a7712a250e06e7e5893 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
diff -ur fastjar-0.98.orig/jartool.c fastjar-0.98/jartool.c
--- fastjar-0.98.orig/jartool.c	2009-09-06 18:10:47.000000000 -0400
+++ fastjar-0.98/jartool.c	2010-04-28 17:15:09.000000000 -0400
@@ -1730,8 +1730,18 @@
       struct stat sbuf;
       int depth = 0;
 
+      if(strncmp((const char *)filename, "/", 1) == 0){
+        fprintf(stderr, "Absolute path names are not allowed.\n");
+        exit(EXIT_FAILURE);
+      }
+
       tmp_buff = malloc(sizeof(char) * strlen((const char *)filename));
 
+      if(tmp_buff == NULL) {
+        fprintf(stderr, "Out of memory.\n");
+        exit(EXIT_FAILURE);
+      }
+
       for(;;){
         const ub1 *idx = (const unsigned char *)strchr((const char *)start, '/');
 
@@ -1749,14 +1759,17 @@
 #ifdef DEBUG    
         printf("checking the existance of %s\n", tmp_buff);
 #endif
-	if(strcmp(tmp_buff, "..") == 0){
-	  --depth;
-	  if (depth < 0){
-	    fprintf(stderr, "Traversal to parent directories during unpacking!\n");
-	    exit(EXIT_FAILURE);
-	  }
-	} else if (strcmp(tmp_buff, ".") != 0)
-	  ++depth;
+        if(strcmp(tmp_buff, "..") == 0 || (strlen(tmp_buff) > 2 && strncmp(tmp_buff + strlen(tmp_buff) - 3, "/..", 3) == 0)){
+          --depth;
+          if (depth < 0){
+            fprintf(stderr, "Traversal to parent directories during unpacking!\n");
+            exit(EXIT_FAILURE);
+          }
+        } else if (strcmp(tmp_buff, ".") == 0 || (strlen(tmp_buff) > 1 && strncmp(tmp_buff + strlen(tmp_buff) - 2, "/.", 2) == 0)){
+          /* Do nothing, the current directory is "." */ 
+        } else
+          ++depth;
+
         if(stat(tmp_buff, &sbuf) < 0){
           if(errno != ENOENT)
             exit_on_error("stat");