Changeset - r21415:c7541491a072
master
0 2 0
rubidium - 10 years ago 2014-04-25 21:29:54
rubidium@openttd.org
(svn r26514) -Fix: rewrite link-in-tar handling so it doesn't use strncpy and it doesn't overrun its buffers anymore
2 files changed with 30 insertions and 21 deletions:
src/fileio.cpp
 
@@ -851,29 +851,38 @@ bool TarScanner::AddFile(const char *fil
 

	
 
				char *pos = link;
 
				while (*pos != '\0') {
 
					char *next = strchr(link, PATHSEPCHAR);
 
					if (next == NULL) next = pos + strlen(pos);
 

	
 
					/* Skip '.' (current dir) */
 
					if (next != pos + 1 || pos[0] != '.') {
 
						if (next == pos + 2 && pos[0] == '.' && pos[1] == '.') {
 
							/* level up */
 
							if (dest[0] == '\0') {
 
								DEBUG(misc, 1, "Ignoring link pointing outside of data directory: %s -> %s", name, link);
 
								break;
 
							}
 
					char *next = strchr(pos, PATHSEPCHAR);
 
					if (next == NULL) {
 
						next = pos + strlen(pos);
 
					} else {
 
						/* Terminate the substring up to the path separator character. */
 
						*next++= '\0';
 
					}
 

	
 
							/* Truncate 'dest' after last PATHSEPCHAR.
 
							 * This assumes that the truncated part is a real directory and not a link. */
 
							destpos = strrchr(dest, PATHSEPCHAR);
 
							if (destpos == NULL) destpos = dest;
 
						} else {
 
							/* Append at end of 'dest' */
 
							if (destpos != dest) *(destpos++) = PATHSEPCHAR;
 
							strncpy(destpos, pos, next - pos); // Safe as we do '\0'-termination ourselves
 
							destpos += next - pos;
 
					if (strcmp(pos, ".") == 0) {
 
						/* Skip '.' (current dir) */
 
					} else if (strcmp(pos, "..") == 0) {
 
						/* level up */
 
						if (dest[0] == '\0') {
 
							DEBUG(misc, 1, "Ignoring link pointing outside of data directory: %s -> %s", name, link);
 
							break;
 
						}
 

	
 
						/* Truncate 'dest' after last PATHSEPCHAR.
 
						 * This assumes that the truncated part is a real directory and not a link. */
 
						destpos = strrchr(dest, PATHSEPCHAR);
 
						if (destpos == NULL) destpos = dest;
 
						*destpos = '\0';
 
					} else {
 
						/* Append at end of 'dest' */
 
						if (destpos != dest) destpos = strecpy(destpos, PATHSEP, lastof(dest));
 
						destpos = strecpy(destpos, pos, lastof(dest));
 
					}
 

	
 
					if (destpos >= lastof(dest)) {
 
						DEBUG(misc, 0, "The length of a link in tar-file '%s' is too large (malformed?)", filename);
 
						fclose(f);
 
						return false;
 
					}
 

	
 
					pos = next;
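Review bot: In the `..` branch, the `break` taken when `dest[0] == '\0'` only leaves the `while` loop, so a link that tries to climb above the data directory is logged as ignored while whatever follows the loop still runs with the partially built `dest`. That code is outside this hunk, so please confirm the link is really discarded there; an explicit flag set before the `break` (for example `bool outside = true;`) and checked after the loop would make the rejection unambiguous instead of depending on the state `dest` happens to be in. Separately, `*next++= '\0';` now tokenises `link` in place, so the `DEBUG(misc, 1, "Ignoring link pointing outside of data directory: %s -> %s", name, link)` call in the same branch prints only the first path component rather than the full link target, which weakens the one diagnostic an operator has for a suspicious archive. Logging from an untouched copy of the link, or logging the target before the loop starts, would keep it intact. The enclosing `TarScanner::AddFile` begins and ends outside the hunk, so both points need checking against the surrounding code.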
src/safeguards.h
 
@@ -36,7 +36,7 @@
 

	
 
/* Use strecpy instead. */
 
#define strcpy    SAFEGUARD_DO_NOT_USE_THIS_METHOD
 
//#define strncpy   SAFEGUARD_DO_NOT_USE_THIS_METHOD
 
#define strncpy   SAFEGUARD_DO_NOT_USE_THIS_METHOD
 

	
 
/* Use strecat instead. */
 
#define strcat    SAFEGUARD_DO_NOT_USE_THIS_METHOD