> it seems that lha is quite poorly written. after your last advisory, i > decided to take a look at the code and found 2 BO in function extract_one > (file lhext.c): > if (extract_directory) > sprintf(name, "%s/%s", extract_directory, q); > else > strcpy(name, q); The first case (when the if clause evaluates to true) is a buffer overflow, but it only occurs when lha is called with long command line parameters: lha xw=[about 390-400 characters] some_lharc_archive.lha (It also works with other commands than x.) Since q has a size of 256, and name has a size of 257, the second case is not really a problem. I have attached a patch against the upstream version 1.14i that corrects this. // Ulf Harnhammar looking for a summer vacation job http://www.advogato.org/person/metaur/
Attachment:
lha.obscure_buf_oflow.patch
Description: Binary data