head	1.2;
access;
symbols
	RELEASE_8_3_0:1.2
	RELEASE_9_0_0:1.2
	RELEASE_7_4_0:1.2
	RELEASE_8_2_0:1.2
	RELEASE_6_EOL:1.2
	RELEASE_8_1_0:1.2
	RELEASE_7_3_0:1.2
	RELEASE_8_0_0:1.2
	RELEASE_7_2_0:1.2
	RELEASE_7_1_0:1.2
	RELEASE_6_4_0:1.2
	RELEASE_5_EOL:1.2
	RELEASE_7_0_0:1.2
	RELEASE_6_3_0:1.2
	PRE_XORG_7:1.2
	RELEASE_4_EOL:1.2
	RELEASE_6_2_0:1.2
	RELEASE_6_1_0:1.2
	RELEASE_5_5_0:1.2
	RELEASE_6_0_0:1.2
	RELEASE_5_4_0:1.2
	RELEASE_4_11_0:1.2
	RELEASE_5_3_0:1.2;
locks; strict;
comment	@# @;


1.2
date	2004.09.22.06.16.54;	author dinoex;	state Exp;
branches;
next	1.1;

1.1
date	2004.09.04.19.28.25;	author dinoex;	state Exp;
branches;
next	;


desc
@@


1.2
log
@- Security Fix
possible off by one bounds check
Submitted by:	Munehiro Matsuda
Approved by:	portmgr (marcus)
@
text
@--- src/header.c	2002-07-19 17:23:58.000000000 +0900
+++ src/header.c	2004-06-16 09:49:23.000000000 +0900
@@@@ -648,8 +648,17 @@@@
 	}
 
 	if (dir_length) {
+		if ((dir_length + name_length) >= sizeof(dirname)) {
+			fprintf(stderr, "Insufficient buffer size\n");
+			exit(112);
+		}
 		strcat(dirname, hdr->name);
-		strcpy(hdr->name, dirname);
+
+		if ((dir_length + name_length) >= sizeof(hdr->name)) {
+			fprintf(stderr, "Insufficient buffer size\n");
+			exit(112);
+		}
+		strncpy(hdr->name, dirname, sizeof(hdr->name));
 		name_length += dir_length;
 	}
@


1.1
log
@- Security fix
Submitted by:	eik
Approved by:	portmgr (eik)
Obtained from:	redhat
@
text
@d7 1
a7 1
+		if ((dir_length + name_length) > sizeof(dirname)) {
d14 1
a14 1
+		if ((dir_length + name_length) > sizeof(hdr->name)) {
@

