X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=libatalk%2Fadouble%2Fad_open.c;h=19627794ebf18610ee50861f3ffd586710ec67b1;hb=a2644c56a27c827ae5215e89f8885f95010a728b;hp=44aeb5efe2ce0337cd6450a9016d1bc2ea6e33e5;hpb=fbb8028e119c9775b85be4275eb210c7a4792d7d;p=netatalk.git diff --git a/libatalk/adouble/ad_open.c b/libatalk/adouble/ad_open.c index 44aeb5ef..19627794 100644 --- a/libatalk/adouble/ad_open.c +++ b/libatalk/adouble/ad_open.c @@ -1,5 +1,5 @@ /* - * $Id: ad_open.c,v 1.30.6.14 2004-05-11 08:28:33 didg Exp $ + * $Id: ad_open.c,v 1.30.6.18.2.1 2005-01-25 14:32:00 didg Exp $ * * Copyright (c) 1999 Adrian Sun (asun@u.washington.edu) * Copyright (c) 1990,1991 Regents of The University of Michigan. @@ -257,6 +257,20 @@ static int ad_update(struct adouble *ad, const char *path) LOG(log_debug, logtype_default, "ad_update: file '%s' too big for update.", path); goto bail_truncate; } + + off = ad->ad_eid[ADEID_RFORK].ade_off; + if (off > st.st_size) { + LOG(log_error, logtype_default, "ad_v1tov2: invalid resource fork offset. (off: %u)", off); + errno = EIO; + goto bail_truncate; + } + + if (ad->ad_eid[ADEID_RFORK].ade_len > st.st_size - off) { + LOG(log_error, logtype_default, "ad_v1tov2: invalid resource fork length. (rfork len: %u)", ad->ad_eid[ADEID_RFORK].ade_len); + errno = EIO; + goto bail_truncate; + } + /* last place for failure. */ if ((void *) (buf = (char *) mmap(NULL, st.st_size + shiftdata, @@ -265,7 +279,6 @@ static int ad_update(struct adouble *ad, const char *path) goto bail_truncate; } - off = ad->ad_eid[ADEID_RFORK].ade_off; /* move the RFORK. this assumes that the RFORK is at the end */ if (off) { @@ -381,6 +394,20 @@ static int ad_v1tov2(struct adouble *ad, const char *path) LOG(log_debug, logtype_default, "ad_v1tov2: file too big."); goto bail_truncate; } + + off = ad->ad_eid[ADEID_RFORK].ade_off; + + if (off > st.st_size) { + LOG(log_error, logtype_default, "ad_v1tov2: invalid resource fork offset. (off: %u)", off); + errno = EIO; + goto bail_truncate; + } + + if (ad->ad_eid[ADEID_RFORK].ade_len > st.st_size - off) { + LOG(log_error, logtype_default, "ad_v1tov2: invalid resource fork length. (rfork len: %u)", ad->ad_eid[ADEID_RFORK].ade_len); + errno = EIO; + goto bail_truncate; + } /* last place for failure. */ if ((void *) (buf = (char *) @@ -390,8 +417,6 @@ static int ad_v1tov2(struct adouble *ad, const char *path) goto bail_truncate; } - off = ad->ad_eid[ADEID_RFORK].ade_off; - /* move the RFORK. this assumes that the RFORK is at the end */ if (off) { memmove(buf + ADEDOFF_RFORK_V2, buf + off, ad->ad_eid[ADEID_RFORK].ade_len); @@ -516,7 +541,8 @@ static void parse_entries(struct adouble *ad, char *buf, len = ntohl( len ); buf += sizeof( len ); - if ( 0 < eid && eid < ADEID_MAX ) { + if (eid && eid < ADEID_MAX && ( (off < sizeof(ad->ad_data) && + off +len <= sizeof(ad->ad_data)) || eid == ADEID_RFORK)) { ad->ad_eid[ eid ].ade_off = off; ad->ad_eid[ eid ].ade_len = len; } else if (!warning) { @@ -1166,8 +1192,8 @@ static int new_rfork(const char *path, struct adouble *ad, int adflags) &ashort, sizeof(ashort)); } else { /* set default creator/type fields */ - memcpy(ad_entry(ad, ADEID_FINDERI) + FINDERINFO_FRTYPEOFF,"TEXT", 4); - memcpy(ad_entry(ad, ADEID_FINDERI) + FINDERINFO_FRCREATOFF,"UNIX", 4); + memcpy(ad_entry(ad, ADEID_FINDERI) + FINDERINFO_FRTYPEOFF,"\0\0\0\0", 4); + memcpy(ad_entry(ad, ADEID_FINDERI) + FINDERINFO_FRCREATOFF,"\0\0\0\0", 4); } /* make things invisible */