Full Disclosure mailing list archives
Re: lha buffer overflow(s) again
From: Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
Date: Sun, 16 May 2004 00:57:35 +0200
it seems that lha is quite poorly written. after your last advisory, i
decided to take a look at the code and found 2 BO in function extract_one
(file lhext.c):
if (extract_directory)
    sprintf(name, "%s/%s", extract_directory, q);
else
    strcpy(name, q);
The first case (when the if clause evaluates to true) is a buffer overflow, but it only occurs when lha is called with long command line parameters:

lha xw=[about 390-400 characters] some_lharc_archive.lha

(It also works with other commands than x.) Since q has a size of 256, and name has a size of 257, the second case is not really a problem.

I have attached a patch against the upstream version 1.14i that corrects this.

// Ulf Harnhammar
looking for a summer vacation job
http://www.advogato.org/person/metaur/
Attachment: lha.obscure_buf_oflow.patch
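For readers who want to see the shape of the fix, here is an added C example (not Ulf's attached patch and not lha's own code) of a bounded replacement for the sprintf()/strcpy() pair quoted above. The function name build_extract_path() is hypothetical; the buffer sizes (q 256 bytes, name 257) and the 390-400 character argument length are the ones the message reports. The long directory name used in the demo is constructed inline.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes taken from the message above: q is 256 bytes, name is 257. */
#define NAME_SIZE 257

/* Hypothetical bounded replacement for the sprintf()/strcpy() pair shown in
 * extract_one(). It writes "<dir>/<q>" (or just "<q>" when dir is NULL) into
 * name without ever exceeding namesz bytes, and returns 0 on success or -1 when
 * the full path would not fit. On -1 the buffer is left as an empty string so
 * a caller cannot accidentally continue with a silently truncated path. */
int build_extract_path(char *name, size_t namesz,
                       const char *extract_directory, const char *q)
{
    int needed;

    if (name == NULL || namesz == 0 || q == NULL)
        return -1;

    if (extract_directory)
        needed = snprintf(name, namesz, "%s/%s", extract_directory, q);
    else
        needed = snprintf(name, namesz, "%s", q);

    /* snprintf() returns the length it *wanted* to write; a value >= namesz
     * means the output was cut short, which is exactly the case the original
     * sprintf() would have turned into a stack overflow. */
    if (needed < 0 || (size_t)needed >= namesz) {
        name[0] = '\0';
        return -1;
    }
    return 0;
}

/* Short extract directory: the path fits and is returned intact. */
const char *demo_short_path(void)
{
    static char name[NAME_SIZE];
    if (build_extract_path(name, sizeof name, "out", "file.txt") != 0)
        return "";
    return name;
}

/* Constructed 399-character directory, the size range the message reports for
 * the xw= argument: the bounded version refuses it instead of overflowing. */
int demo_long_dir_refused(void)
{
    static char name[NAME_SIZE];
    char longdir[400];
    memset(longdir, 'A', sizeof longdir - 1);
    longdir[sizeof longdir - 1] = '\0';
    return build_extract_path(name, sizeof name, longdir, "file.txt");
}

/* No extract directory: plain copy of q, still bounded. */
const char *demo_no_dir(void)
{
    static char name[NAME_SIZE];
    if (build_extract_path(name, sizeof name, NULL, "file.txt") != 0)
        return "";
    return name;
}

int main(void)
{
    printf("short dir : %s\n", demo_short_path());
    printf("no dir    : %s\n", demo_no_dir());
    printf("long dir  : %s\n",
           demo_long_dir_refused() == -1 ? "refused" : "accepted");
    return 0;
}
```

The important detail is checking snprintf()'s return value rather than just swapping sprintf() for snprintf(): truncation alone would stop the memory corruption but could still make lha extract to an unintended path, so the caller should treat an over-long name as an error.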