Initial review shows several problems:

* chm_http.c doesn't check the return value of fgets()
* chm_http.c and lzx.c don't check the return values of malloc (possible null pointer dereference)
* extract_chmLib.c uses stat(), resulting in a TOCTOU (time of check/time of use) vulnerability (specifically the possibility of directory symlink attacks)
* chm_lib.c has an unsigned int assignment to a signed int (line 1353)
* chm_lib.c doesn't always check for cmpLen < 0, which causes read/pread to be called with a negative length (logic error, probably not exploitable)
* chm_lib.c doesn't check the return values of read/pread
I could continue reviewing, but after spending the time with the code I did, I don't have a lot of confidence in it.

-- 
main inclusion report for chmlib
https://bugs.launchpad.net/bugs/236113

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs