gcc-patches@gcc.gnu.org

[4.0/4.1] fastjar fix for PR28359

Subject: [4.0/4.1] fastjar fix for PR28359
From: Matthias Klose
Date: Fri, 4 Aug 2006 15:06:33 +0200
Not yet applied to the active release branches. Ok to checkin?

  Matthias

2006-08-04  Matthias Klose  <doko@xxxxxxxxxx>

        PR fastjar/28359 / CVE-2006-3619

        2006-07-17  Richard Guenther  <rguenther@xxxxxxx>
        * jartool.c (extract_jar): Do not allow directory traversal
        to parents of the extraction root.

Index: jartool.c
===================================================================
--- jartool.c   (revision 115922)
+++ jartool.c   (working copy)
@@ -1736,6 +1736,7 @@
       const ub1 *start = filename;
       char *tmp_buff;
       struct stat sbuf;
+      int depth = 0;
 
       tmp_buff = malloc(sizeof(char) * strlen((const char *)filename));
 
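Review bot: The new `int depth = 0;` has no comment saying what it counts. A short note that it tracks how many directory levels the entry name currently sits below the extraction root, and that it starts at 0 for each name, would make the later check easier to audit. The check added in the next hunk also relies on `strcmp` over `tmp_buff`, while the `malloc` in the context here allocates `strlen(filename)` bytes with no extra byte for a terminator and no NULL check on the result. It is worth confirming that `tmp_buff` is always terminated within that size before it is compared.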
@@ -1756,7 +1757,14 @@
 #ifdef DEBUG    
         printf("checking the existance of %s\n", tmp_buff);
 #endif
-
+       if(strcmp(tmp_buff, "..") == 0){
+         --depth;
+         if (depth < 0){
+           fprintf(stderr, "Traversal to parent directories during 
unpacking!\n");
+           exit(1);
+         }
+       } else if (strcmp(tmp_buff, ".") != 0)
+         ++depth;
         if(stat(tmp_buff, &sbuf) < 0){
           if(errno != ENOENT){
             perror("stat");
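Review bot: The `strcmp(tmp_buff, "..") == 0` test compares the entire contents of `tmp_buff`, and the same buffer is passed unchanged to `stat(tmp_buff, &sbuf)` just below, which suggests it holds the path built so far rather than a single component. If so, only a leading `..` ever matches: for a name such as `a/../../x` the buffer is never equal to `..`, so `depth` only increases and the check never fires. Compare only the component most recently copied (the text after the last `/` in `tmp_buff`) against `..` and `.` instead. Separately, the `fprintf` string literal is split across two lines in the mail, so the patch will not apply cleanly as posted, and the `else if` branch would read better with braces to match the `if` above it.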
