bin/45285: makefs does not properly convert ISO level 1 and 2 filenames (buffer overflow)

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/45285: makefs does not properly convert ISO level 1 and 2 filenames (buffer overflow)
From: mm%FreeBSD.org@localhost
Date: Tue, 23 Aug 2011 16:15:01 +0000 (UTC)

>Number:         45285
>Category:       bin
>Synopsis:       makefs does not properly convert ISO level 1 and 2 filenames 
>(buffer overflow)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug 23 16:15:00 +0000 2011
>Originator:     Martin Matuska
>Release:        any
>Organization:
FreeBSD
>Environment:
>Description:
makefs does not properly verify the maximum filename length in the special "." 
case for both ISO level 1 and ISO level 2 filename conversion.
This creates broken images or causes a buffer overflow (ISO level 2).

ISO level 1:
If a filename contains only dots or up to 8 characters followed by dots the 8+3 
limit check doesn't work.

ISO level 2:
If a filename contains a dot in the first 30 characters and a dot on the 30th 
character, the length limit check doesn't work and the buffer is overflowed.
>How-To-Repeat:
mkdir level1
touch level1/12345............
makefs -t cd9660 -o isolevel=1 test.iso level1

mkdir level2
touch level2/1234567890.2345678901234567.....34567890123456789012345
makefs -t cd9660 -o isolevel=2 test.iso level2
>Fix:
Index: src/usr.sbin/makefs/cd9660.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/makefs/cd9660.c,v
retrieving revision 1.31
diff -u -p -r1.31 cd9660.c
--- src/usr.sbin/makefs/cd9660.c        6 Aug 2011 23:25:19 -0000       1.31
+++ src/usr.sbin/makefs/cd9660.c        23 Aug 2011 16:02:27 -0000
@@ -1637,7 +1637,7 @@ cd9660_level1_convert_filename(const cha
 
        while (*oldname != '\0') {
                /* Handle period first, as it is special */
-               if (*oldname == '.') {
+               if (*oldname == '.' && extlen < 3) {
                        if (found_ext) {
                                *newname++ = '_';
                                extlen ++;
@@ -1652,8 +1652,7 @@ cd9660_level1_convert_filename(const cha
                            *oldname == ',' && strlen(oldname) == 4)
                                break;
                        /* Enforce 12.3 / 8 */
-                       if (((namelen == 8) && !found_ext) ||
-                           (found_ext && extlen == 3)) {
+                       if (namelen == 8 && !found_ext)
                                break;
                        }
 
@@ -1698,7 +1697,7 @@ cd9660_level2_convert_filename(const cha
        int extlen = 0;
        int found_ext = 0;
 
-       while (*oldname != '\0') {
+       while (*oldname != '\0' && namelen + extlen < 30) {
                /* Handle period first, as it is special */
                if (*oldname == '.') {
                        if (found_ext) {
@@ -1718,8 +1717,6 @@ cd9660_level2_convert_filename(const cha
                        if (diskStructure.archimedes_enabled &&
                            *oldname == ',' && strlen(oldname) == 4)
                                break;
-                       if ((namelen + extlen) == 30)
-                               break;
 
                         if (islower((unsigned char)*oldname))
                                *newname++ = toupper((unsigned char)*oldname);

Prev by Date: Re: bin/45269 (sh fails to strip trailing newline in command substitution, breaking build)
Next by Date: Re: bin/45269 (sh fails to strip trailing newline in command substitution, breaking build)
Previous by Thread: Re: bin/45269 (sh fails to strip trailing newline in command substitution, breaking build)
Next by Thread: Re: bin/45285 (makefs does not properly convert ISO level 1 and 2 filenames (buffer overflow))
Indexes:

Home | Main Index | Thread Index | Old Index