Tags: patch
Attached is the patch used in Ubuntu's ktorrent 2.0.3 version.
--
Kees Cook @outflux.net
diff -Nru ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/chunkcounter.cpp ktorrent-2.0.3+dfsg1/libktorrent/torrent/chunkcounter.cpp
--- ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/chunkcounter.cpp 2006-10-09 11:04:10.000000000 -0500
+++ ktorrent-2.0.3+dfsg1/libktorrent/torrent/chunkcounter.cpp 2007-03-11 11:33:38.000000000 -0500
@@ -59,12 +59,13 @@
void ChunkCounter::inc(Uint32 idx)
{
+ if (idx < cnt.size())
cnt[idx]++;
}
void ChunkCounter::dec(Uint32 idx)
{
- if (cnt[idx] > 0)
+ if (idx < cnt.size() && cnt[idx] > 0)
cnt[idx]--;
}
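Review bot: inc() and dec() now drop an out-of-range `idx` with no signal, so a caller that passes an index it never validated keeps running with counters that no longer match what peers announced. The HAVE handler in the peer.cpp hunk of this patch checks the index before calling `haveChunk`, but the other callers of ChunkCounter are not visible here and should be confirmed one by one. I would add a comment above each guard, for example `// idx may derive from peer input; out-of-range values are ignored rather than indexing past cnt`, and consider a debug-level log line on the rejected path so the condition shows up during triage.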
diff -Nru ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/peer.cpp ktorrent-2.0.3+dfsg1/libktorrent/torrent/peer.cpp
--- ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/peer.cpp 2006-10-09 11:04:10.000000000 -0500
+++ ktorrent-2.0.3+dfsg1/libktorrent/torrent/peer.cpp 2007-03-11 11:35:27.000000000 -0500
@@ -182,11 +182,21 @@
{
Out() << "len err HAVE" << endl;
kill();
- return;
}
-
- haveChunk(this,ReadUint32(tmp_buf,1));
- pieces.set(ReadUint32(tmp_buf,1),true);
+ else
+ {
+ Uint32 ch = ReadUint32(tmp_buf,1);
+ if (ch < pieces.getNumBits())
+ {
+ haveChunk(this,ch);
+ pieces.set(ch,true);
+ }
+ else
+ {
+ Out(SYS_CON|LOG_NOTICE) << "Received invalid have value, kicking peer" << endl;
+ kill();
+ }
+ }
break;
case BITFIELD:
if (len != 1 + pieces.getNumBytes())
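Review bot: The notice logged on the new rejection path, `"Received invalid have value, kicking peer"`, records neither the offending index nor the valid range, so logs cannot separate a buggy client from deliberate probing. A line such as `Out(SYS_CON|LOG_NOTICE) << "Received invalid have value " << QString::number(ch) << " (pieces: " << QString::number(pieces.getNumBits()) << "), kicking peer" << endl;` would carry that information. The `len err HAVE` branch just above still uses plain `Out()` without log flags, so the two rejection paths in this case end up at different log levels. The enclosing switch starts and ends outside the hunk, so handlers for other messages that carry a piece index cannot be checked from here.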
diff -Nru ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/torrent.cpp ktorrent-2.0.3+dfsg1/libktorrent/torrent/torrent.cpp
--- ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/torrent.cpp 2006-10-09 11:04:10.000000000 -0500
+++ ktorrent-2.0.3+dfsg1/libktorrent/torrent/torrent.cpp 2007-03-11 11:37:36.000000000 -0500
@@ -141,9 +141,13 @@
if (!v || v->data().getType() != Value::STRING)
throw Error(i18n("Corrupted torrent!"));
- path += v->data().toString(encoding);
- if (j + 1 < ln->getNumChildren())
- path += bt::DirSeparator();
+ QString sd = v->data().toString(encoding);
+ if (sd != "..")
+ {
+ path += sd;
+ if (j + 1 < ln->getNumChildren())
+ path += bt::DirSeparator();
+ }
}
// we do not want empty dirs
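Review bot: The new `sd != ".."` test only catches a path element that is exactly `..`, so an element that itself contains a directory separator, or an empty or absolute-looking element, is still appended to `path` unchanged. Such an element is also skipped silently, whereas the check two lines above treats malformed input as a corrupted torrent. I would fail closed the same way: `if (sd == ".." || sd.contains(bt::DirSeparator())) throw Error(i18n("Corrupted torrent!"));`. Whoever later joins `path` to the download directory should ideally also confirm the result stays inside that directory. The loop this code sits in starts outside the hunk, so how `path` is consumed afterwards is not visible here.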