blob: 37289d1a539b19b0be2ed15a9702453b367c8e3d [file] [log] [blame]
From 349f566e6e757458843fa164a0f0584280e1501e Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Wed, 15 Aug 2018 16:20:53 +0800
Subject: [PATCH] unzip: fix CVE-2018-1000035
Upstream-Status: Backport
CVE: CVE-2018-1000035
backport from unzip6.10c23
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
fileio.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/fileio.c b/fileio.c
index 36bfea3..7605a29 100644
--- a/fileio.c
+++ b/fileio.c
@@ -1582,6 +1582,8 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
int r = IZ_PW_ENTERED;
char *m;
char *prompt;
+ char *ep;
+ char *zp;
#ifndef REENTRANT
/* tell picky compilers to shut up about "unused variable" warnings */
@@ -1590,9 +1592,12 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
if (*rcnt == 0) { /* First call for current entry */
*rcnt = 2;
- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
- sprintf(prompt, LoadFarString(PasswPrompt),
- FnFilter1(zfn), FnFilter2(efn));
+ zp = FnFilter1( zfn);
+ ep = FnFilter2( efn);
+ prompt = (char *)malloc( /* Slightly too long (2* "%s"). */
+ sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep));
+ if (prompt != (char *)NULL) {
+ sprintf(prompt, LoadFarString(PasswPrompt), zp, ep);
m = prompt;
} else
m = (char *)LoadFarString(PasswPrompt2);
--
2.7.4