Bug#825698: cvsps: crashes on file name as module name

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#825698: cvsps: crashes on file name as module name
From: Raphael Geissert <geissert@debian.org>
Date: Sat, 28 May 2016 23:41:21 +0200
Message-id: <[🔎] CAA7hUgEcs-=q7BdXkiDtJU1xrEB1UiD2EAr+VSB7aLuU2q4Kww@mail.gmail.com>
Reply-to: Raphael Geissert <geissert@debian.org>, 825698@bugs.debian.org

Package: cvsps
Version: 2.1-7
Tags: patch

Hi,

cvsps crashes whenever it is passed a file name as the module name.
Attached patch makes it bail out instead.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Index: cvsps-2.1/cvsps.c
===================================================================
--- cvsps-2.1.orig/cvsps.c
+++ cvsps-2.1/cvsps.c
@@ -1118,6 +1118,11 @@ static CvsFile * parse_file(const char *
  ok:
     path_ok = 1;
 
+    if (strip_path_len > len) {
+	debug(DEBUG_APPMSG1, "WARNING: given path looks like a file, strip_path_len shouldn't be greater than len");
+	return NULL;
+    }
+
     /* remove from beginning the 'strip_path' string */
     len -= strip_path_len;
     memmove(fn, fn + strip_path_len, len);

Reply to:

Prev by Date: Bug#825697: cvsps: crashes on missing password
Next by Date: Р*A}*C*Ы*Л*K*И
Previous by thread: Bug#825697: cvsps: crashes on missing password
Next by thread: Р*A}*C*Ы*Л*K*И
Index(es):
- Date
- Thread