From owner-svn-src-head@FreeBSD.ORG  Tue Aug 23 19:49:06 2011
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 846C21065676;
	Tue, 23 Aug 2011 19:49:06 +0000 (UTC) (envelope-from mm@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 746238FC1D;
	Tue, 23 Aug 2011 19:49:06 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p7NJn6DW017067;
	Tue, 23 Aug 2011 19:49:06 GMT (envelope-from mm@svn.freebsd.org)
Received: (from mm@localhost)
	by svn.freebsd.org (8.14.4/8.14.4/Submit) id p7NJn6YZ017065;
	Tue, 23 Aug 2011 19:49:06 GMT (envelope-from mm@svn.freebsd.org)
Message-Id: <201108231949.p7NJn6YZ017065@svn.freebsd.org>
From: Martin Matuska <mm@FreeBSD.org>
Date: Tue, 23 Aug 2011 19:49:06 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r225121 - head/usr.sbin/makefs
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
	<svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2011 19:49:06 -0000

Author: mm
Date: Tue Aug 23 19:49:06 2011
New Revision: 225121
URL: http://svn.freebsd.org/changeset/base/225121

Log:
  Fix buffer overflow and possible ISO image corruption in wrong
  handling of "." character case in makefs ISO level 1 and 2 filename
  conversion.
  
  Filed as NetBSD PR #45285
  http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=45285
  
  Reviewed by:	Christos Zoulas <christos@netbsd.org>
  Approved by:	re (kib)
  MFC after:	3 days

Modified:
  head/usr.sbin/makefs/cd9660.c

Modified: head/usr.sbin/makefs/cd9660.c
==============================================================================
--- head/usr.sbin/makefs/cd9660.c	Tue Aug 23 19:29:11 2011	(r225120)
+++ head/usr.sbin/makefs/cd9660.c	Tue Aug 23 19:49:06 2011	(r225121)
@@ -1627,7 +1627,7 @@ cd9660_level1_convert_filename(const cha
 	int extlen = 0;
 	int found_ext = 0;
 
-	while (*oldname != '\0') {
+	while (*oldname != '\0' && extlen < 3) {
 		/* Handle period first, as it is special */
 		if (*oldname == '.') {
 			if (found_ext) {
@@ -1644,10 +1644,8 @@ cd9660_level1_convert_filename(const cha
 			    *oldname == ',' && strlen(oldname) == 4)
 				break;
 			/* Enforce 12.3 / 8 */
-			if (((namelen == 8) && !found_ext) ||
-			    (found_ext && extlen == 3)) {
+			if (namelen == 8 && !found_ext)
 				break;
-			}
 
 			if (islower((unsigned char)*oldname))
 				*newname++ = toupper((unsigned char)*oldname);
@@ -1690,7 +1688,7 @@ cd9660_level2_convert_filename(const cha
 	int extlen = 0;
 	int found_ext = 0;
 
-	while (*oldname != '\0') {
+	while (*oldname != '\0' && namelen + extlen < 30) {
 		/* Handle period first, as it is special */
 		if (*oldname == '.') {
 			if (found_ext) {
@@ -1710,8 +1708,6 @@ cd9660_level2_convert_filename(const cha
 			if (diskStructure.archimedes_enabled &&
 			    *oldname == ',' && strlen(oldname) == 4)
 				break;
-			if ((namelen + extlen) == 30)
-				break;
 
 			 if (islower((unsigned char)*oldname))
 				*newname++ = toupper((unsigned char)*oldname);