Comment 2 for bug 236113

Jamie Strandboge (jdstrand) wrote :

Initial review shows several problems:
* chm_http.c doesn't check return value of fgets()
* chm_http.c and lzx.c don't check return values of malloc (possible null pointer dereference)
* extract_chmLib.c uses stat() resulting in TOCTOU (time of check/time of use) vulnerability (specifically possibility of directory symlink attacks)
* chm_lib.c has unsigned int assignment to signed int (line 1353)
* chm_lib.c doesn't always check for cmpLen < 0, which causes read/pread to be called with negative length (logic error, probably not exploitable)
* chm_lib.c doesn't check return values of read/pread

I could continue reviewing, but after spending the time with the code I did, I don't have a lot of confidence in it.
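As an added illustration (not code from chmlib or from the reviewer), the following models the cmpLen and read/pread findings above: a hypothetical 32-bit length field from an untrusted file header stored in a signed int, the unchecked conversion beside a checked one, and a pread wrapper that verifies every return value. The struct and function names are assumptions, not chmlib's.

```c
/* Added example, not chmlib's code. Models the cmpLen defect: a 32-bit
 * length from the file header lands in a signed int, so values >= 2^31
 * become negative and, unchecked, would reach read()/pread(). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for pread() */
#endif
#include <stdint.h>
#include <unistd.h>
#include <limits.h>
#include <errno.h>
#include <stdio.h>

/* Unchecked conversion mirroring the reported pattern. The value comes
 * back as the code under review would see it (negative on the usual
 * two's-complement targets when the top bit is set). */
int cmp_len_unchecked(uint32_t cmp_len_raw) {
    int cmpLen = cmp_len_raw;     /* implicit unsigned -> signed conversion */
    return cmpLen;
}

/* Hardened conversion: reject anything that does not fit a non-negative
 * int. Returns the length, or -1 if the header value is out of range. */
int cmp_len_checked(uint32_t cmp_len_raw) {
    if (cmp_len_raw > (uint32_t)INT_MAX) return -1;
    return (int)cmp_len_raw;
}

/* pread wrapper that checks every return value and handles short reads.
 * Returns bytes read, or -1 on error or on EOF before len bytes arrived
 * (i.e. the file is shorter than its header claims). */
ssize_t pread_all(int fd, void *buf, size_t len, off_t off) {
    size_t done = 0;
    while (done < len) {
        ssize_t n = pread(fd, (char *)buf + done, len - done, off + (off_t)done);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) return -1;    /* premature EOF */
        done += (size_t)n;
    }
    return (ssize_t)done;
}

int main(void) {
    uint32_t hostile = 0x80000010u;   /* constructed header value, top bit set */
    printf("unchecked: %d\n", cmp_len_unchecked(hostile));   /* negative */
    printf("checked:   %d\n", cmp_len_checked(hostile));     /* -1, rejected */
    printf("checked:   %d\n", cmp_len_checked(4096u));       /* 4096 */
    return 0;
}
```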