Fix buffer overflow and possible ISO image corruption in wrong

handling of "." character case in makefs ISO level 1 and 2 filename
conversion.

Filed as NetBSD PR #45285
http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=45285

Reviewed by:	Christos Zoulas <christos@netbsd.org>
Approved by:	re (kib)
MFC after:	3 days

1 files changed, 3 insertions, 7 deletions

diff --git a/usr.sbin/makefs/cd9660.c b/usr.sbin/makefs/cd9660.c
index 44af984..b9e800d 100644
--- a/usr.sbin/makefs/cd9660.c
+++ b/usr.sbin/makefs/cd9660.c
@@ -1627,7 +1627,7 @@ cd9660_level1_convert_filename(const char *oldname, char *newname, int is_file)
 	int extlen = 0;
 	int found_ext = 0;
 
-	while (*oldname != '\0') {
+	while (*oldname != '\0' && extlen < 3) {
 		/* Handle period first, as it is special */
 		if (*oldname == '.') {
 			if (found_ext) {
@@ -1644,10 +1644,8 @@ cd9660_level1_convert_filename(const char *oldname, char *newname, int is_file)
 			    *oldname == ',' && strlen(oldname) == 4)
 				break;
 			/* Enforce 12.3 / 8 */
-			if (((namelen == 8) && !found_ext) ||
-			    (found_ext && extlen == 3)) {
+			if (namelen == 8 && !found_ext)
 				break;
-			}
 
 			if (islower((unsigned char)*oldname))
 				*newname++ = toupper((unsigned char)*oldname);
@@ -1690,7 +1688,7 @@ cd9660_level2_convert_filename(const char *oldname, char *newname, int is_file)
 	int extlen = 0;
 	int found_ext = 0;
 
-	while (*oldname != '\0') {
+	while (*oldname != '\0' && namelen + extlen < 30) {
 		/* Handle period first, as it is special */
 		if (*oldname == '.') {
 			if (found_ext) {
@@ -1710,8 +1708,6 @@ cd9660_level2_convert_filename(const char *oldname, char *newname, int is_file)
 			if (diskStructure.archimedes_enabled &&
 			    *oldname == ',' && strlen(oldname) == 4)
 				break;
-			if ((namelen + extlen) == 30)
-				break;
 
 			 if (islower((unsigned char)*oldname))
 				*newname++ = toupper((unsigned char)*oldname);