--- lha-114i/src/lha_macro.h.sec2 2000-10-04 16:57:38.000000000 +0200 +++ lha-114i/src/lha_macro.h 2004-09-16 10:12:36.064017603 +0200 @@ -53,7 +53,7 @@ #define SEEK_SET 0 #define SEEK_CUR 1 #define SEEK_END 2 -#endif /* SEEK_SET +#endif /* SEEK_SET */ /* non-integral functions */ --- lha-114i/src/lharc.c.sec2 2004-09-16 10:12:36.012016224 +0200 +++ lha-114i/src/lharc.c 2004-09-16 10:16:44.074592636 +0200 @@ -830,9 +830,10 @@ DIRENTRY *dp; struct stat tmp_stbuf, arc_stbuf, fil_stbuf; - strcpy(newname, name); + strncpy(newname, name, sizeof(newname)); + newname[sizeof(newname)-1] = 0; len = strlen(name); - if (len > 0 && newname[len - 1] != '/') + if (len > 0 && newname[len - 1] != '/' && len < (sizeof(newname)-1)) newname[len++] = '/'; dirp = opendir(name); @@ -846,6 +847,11 @@ for (dp = readdir(dirp); dp != NULL; dp = readdir(dirp)) { n = NAMLEN(dp); + if (len >= (sizeof(newname)-1) || + (len+n) >= (sizeof(newname)-1) || + n <= 0 || + (len+n) <= 0) + break; strncpy(newname + len, dp->d_name, n); newname[len + n] = '\0'; if (GETSTAT(newname, &fil_stbuf) < 0) @@ -903,7 +909,8 @@ strcpy(temporary_name, TMP_FILENAME_TEMPLATE); } else { - sprintf(temporary_name, "%s/lhXXXXXX", extract_directory); + snprintf(temporary_name, sizeof(temporary_name), + "%s/lhXXXXXX", extract_directory); } #ifdef MKSTEMP mkstemp(temporary_name); @@ -913,10 +920,16 @@ #else char *p, *s; - strcpy(temporary_name, archive_name); + strncpy(temporary_name, archive_name, sizeof(temporary_name)); + temporary_name[sizeof(temporary_name)-1] = 0; for (p = temporary_name, s = (char *) 0; *p; p++) if (*p == '/') s = p; + + if( sizeof(temporary_name) - ((size_t) (s-temporary_name)) - 1 + <= strlen("lhXXXXXX")) + exit(-1); + strcpy((s ? s + 1 : temporary_name), "lhXXXXXX"); #ifdef MKSTEMP mkstemp(temporary_name); @@ -1053,12 +1066,14 @@ if (open_old_archive_1(archive_name, &fp)) return fp; - sprintf(expanded_archive_name, "%s%s", archive_name, ARCHIVENAME_EXTENTION); + snprintf(expanded_archive_name, sizeof(expanded_archive_name), + "%s%s", archive_name, ARCHIVENAME_EXTENTION); if (open_old_archive_1(expanded_archive_name, &fp)) { archive_name = expanded_archive_name; return fp; } - sprintf(expanded_archive_name, "%s.lzh", archive_name); + snprintf(expanded_archive_name, sizeof(expanded_archive_name), + "%s.lzh", archive_name); if (open_old_archive_1(expanded_archive_name, &fp)) { archive_name = expanded_archive_name; return fp; @@ -1067,7 +1082,8 @@ * if ( (errno&0xffff)!=E_PNNF ) { archive_name = * expanded_archive_name; return NULL; } */ - sprintf(expanded_archive_name, "%s.lzs", archive_name); + snprintf(expanded_archive_name, sizeof(expanded_archive_name), + "%s.lzs", archive_name); if (open_old_archive_1(expanded_archive_name, &fp)) { archive_name = expanded_archive_name; return fp; --- lha-114i/src/lhext.c.sec2 2004-09-16 10:12:36.041016993 +0200 +++ lha-114i/src/lhext.c 2004-09-16 10:12:36.067017682 +0200 @@ -82,7 +82,8 @@ register char *p; /* make parent directory name into PATH for recursive call */ - strcpy(path, name); + memset(path, 0, sizeof(path)); + strncpy(path, name, sizeof(path)-1); for (p = path + strlen(path); p > path; p--) if (p[-1] == '/') { *--p = '\0'; @@ -212,9 +213,11 @@ } if (extract_directory) - sprintf(name, "%s/%s", extract_directory, q); - else - strcpy(name, q); + snprintf(name, sizeof(name), "%s/%s", extract_directory, q); + else { + strncpy(name, q, sizeof(name)); + name[sizeof(name) - 1] = '\0'; + } /* LZHDIRS_METHODを持つヘッダをチェックする */ @@ -335,7 +338,8 @@ if ((hdr->unix_mode & UNIX_FILE_TYPEMASK) == UNIX_FILE_SYMLINK) { char buf[256], *bb1, *bb2; int l_code; - strcpy(buf, name); + strncpy(buf, name, sizeof(buf)); + buf[sizeof(buf)-1] = 0; bb1 = strtok(buf, "|"); bb2 = strtok(NULL, "|"); @@ -365,9 +369,10 @@ if (quiet != TRUE) { printf("Symbolic Link %s -> %s\n", bb1, bb2); } - strcpy(name, bb1); /* Symbolic's name set */ + strncpy(name, bb1, 255); /* Symbolic's name set */ + name[255] = 0; #else - sprintf(buf, "%s -> %s", bb1, bb2); + sprintf(buf, sizeof(buf), "%s -> %s", bb1, bb2); warning("Can't make Symbolic Link", buf); return; #endif --- lha-114i/src/lhlist.c.sec2 2000-10-04 16:57:38.000000000 +0200 +++ lha-114i/src/lhlist.c 2004-09-16 10:12:36.067017682 +0200 @@ -250,7 +250,8 @@ printf(" %s", hdr->name); else { char buf[256], *b1, *b2; - strcpy(buf, hdr->name); + strncpy(buf, hdr->name, sizeof(buf)); + buf[sizeof(buf)-1] = 0; b1 = strtok(buf, "|"); b2 = strtok(NULL, "|"); printf(" %s -> %s", b1, b2); --- lha-114i/src/util.c.sec2 2000-10-04 16:57:38.000000000 +0200 +++ lha-114i/src/util.c 2004-09-16 10:12:36.068017709 +0200 @@ -276,21 +276,27 @@ char *path; { int stat, rtn = 0; - char *cmdname; - if ((cmdname = (char *) malloc(strlen(RMDIRPATH) + 1 + strlen(path) + 1)) - == 0) + pid_t child; + + + /* XXX thomas: shell meta chars in path could exec commands */ + /* therefore we should avoid using system() */ + if ((child = fork()) < 0) + return (-1); /* fork error */ + else if (child) { /* parent process */ + while (child != wait(&stat)) /* ignore signals */ + continue; + } + else { /* child process */ + execl(RMDIRPATH, "rmdir", path, (char *) 0); + /* never come here except execl is error */ return (-1); - strcpy(cmdname, RMDIRPATH); - *(cmdname + strlen(RMDIRPATH)) = ' '; - strcpy(cmdname + strlen(RMDIRPATH) + 1, path); - if ((stat = system(cmdname)) < 0) - rtn = -1; /* fork or exec error */ - else if (stat) { /* RMDIR command error */ - errno = EIO; - rtn = -1; } - free(cmdname); - return (rtn); + if (stat != 0) { + errno = EIO; /* cannot get error num. */ + return (-1); + } + return (0); } /* ------------------------------------------------------------------------ */