authorDirk Meyer <dinoex@FreeBSD.org>2004-09-22 06:16:54 +0000
committerDirk Meyer <dinoex@FreeBSD.org>2004-09-22 06:16:54 +0000
commit5c1049e66b02fa2725e1f19d4ca907be58c100cf (patch)
tree3d67f3f289a4651cd7a4eb88ef5990724eb54f13 /archivers/lha/files
parent1d2b76d00c571df83ffeba7411cc8e507dcdff01 (diff)
- Security Fix
possible off by one bounds check Submitted by: Munehiro Matsuda Approved by: portmgr (marcus)
Notes
Notes: svn path=/head/; revision=118338
Diffstat (limited to 'archivers/lha/files')
-rw-r--r--archivers/lha/files/patch-command_buffer2
-rw-r--r--archivers/lha/files/patch-dir_length_bounds_check4
2 files changed, 3 insertions, 3 deletions
diff --git a/archivers/lha/files/patch-command_buffer b/archivers/lha/files/patch-command_buffer
index b7ae9a6edd83..5416429c39a3 100644
--- a/archivers/lha/files/patch-command_buffer
+++ b/archivers/lha/files/patch-command_buffer
@@ -133,7 +133,7 @@ diff -urNp src/lhext.c.orig lha-114i/src/lhext.c
+ name[255] = 0;
#else
- sprintf(buf, "%s -> %s", bb1, bb2);
-+ sprintf(buf, sizeof(buf), "%s -> %s", bb1, bb2);
++ snprintf(buf, sizeof(buf), "%s -> %s", bb1, bb2);
warning("Can't make Symbolic Link", buf);
return;
#endif
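Review bot: The context line `name[255] = 0;` just above the changed call hard-codes the terminator index, so it is only correct while `name` is declared with at least 256 bytes; its declaration is outside this hunk, so that cannot be confirmed here. If `name` is an array in this scope, `name[sizeof(name) - 1] = 0;` would keep the terminator tied to the real buffer size. On the corrected line, `snprintf` truncates silently when `bb1` and `bb2` do not fit in `buf`; that looks acceptable because `buf` only feeds the `warning()` text, and a short comment such as `/* truncation is fine: buf is only used for the warning message */` would record the intent. The enclosing function starts and ends outside the hunk.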
diff --git a/archivers/lha/files/patch-dir_length_bounds_check b/archivers/lha/files/patch-dir_length_bounds_check
index 7a0ae1e086e2..c9eea39754ed 100644
--- a/archivers/lha/files/patch-dir_length_bounds_check
+++ b/archivers/lha/files/patch-dir_length_bounds_check
@@ -4,14 +4,14 @@
}
if (dir_length) {
-+ if ((dir_length + name_length) > sizeof(dirname)) {
++ if ((dir_length + name_length) >= sizeof(dirname)) {
+ fprintf(stderr, "Insufficient buffer size\n");
+ exit(112);
+ }
strcat(dirname, hdr->name);
- strcpy(hdr->name, dirname);
+
-+ if ((dir_length + name_length) > sizeof(hdr->name)) {
++ if ((dir_length + name_length) >= sizeof(hdr->name)) {
+ fprintf(stderr, "Insufficient buffer size\n");
+ exit(112);
+ }