SecurityvulnsSECURITYVULNS:DOC:16349[Full-disclosure] Unrarlib 0.4.0 (urarlib_get) Local buffer overflow
Description:
in file unrarlib.c don't exist the check control of size len filename
passed in function urarlib_get() using strcpy()
Source error:
–
char ArcName[255]; /* RAR archive
…
int urarlib_get(void *output,
unsigned long *size,
char *filename,
void *rarfile,
char libpassword)
/ Get a file from a RAR file to the "output" buffer. The UniquE RAR
FileLib
- does everything from allocating memory, decrypting and unpacking the
file - from the archive. TRUE is returned if the file could be successfully
- extracted, else a FALSE indicates a failure.
*/
{
BOOL retcode = FALSE;
#ifdef _DEBUG_LOG
int str_offs; /* used for debug-strings
/
char DebugMsg[500]; / used to compose debug msg
*/
if(debug_log_first_start)
{
debug_log_first_start=FALSE; /* only create a new log
file /
debug_init(_DEBUG_LOG_FILE); / on startup
*/
}
#endif
InitCRC(); /* init some vars
*/
strcpy(ArgName, filename); /* set file(s) to extract
/
#ifdef _USE_MEMORY_TO_MEMORY_DECOMPRESSION
MemRARFile = rarfile; / set pointer to mem-RAR
file /
#else
strcpy(ArcName, rarfile); / set RAR file name
*/
#endif
– starcadi
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/