$NetBSD: patch-ad,v 1.1 2005/01/21 14:42:10 wiz Exp $

--- unarj.c.orig	2002-06-05 12:28:06.000000000 +0200
+++ unarj.c
@@ -213,7 +213,7 @@ static uchar  arj_flags;
 static short  method;
 static uint   file_mode;
 static ulong  time_stamp;
-static short  entry_pos;
+static ushort entry_pos;
 static ushort host_data;
 static uchar  *get_ptr;
 static UCRC   file_crc;
@@ -231,6 +231,8 @@ static UCRC   crctable[UCHAR_MAX + 1];
 
 /* Functions */
 
+void copy_path_relative(char *dest, char *src, size_t len);
+
 static void
 make_crctable()
 {
@@ -604,6 +606,7 @@ char *name;
         error(M_BADHEADR, "");
 
     crc = CRC_MASK;
+    memset(header, 0, sizeof(header));
     fread_crc(header, (int) headersize, fd);
     header_crc = fget_crc(fd);
     if ((crc ^ CRC_MASK) != header_crc)
@@ -628,9 +631,13 @@ char *name;
 
     if (origsize < 0 || compsize < 0)
         error(M_HEADRCRC, "");
+    if(first_hdr_size > headersize-2) /* need two \0 for file and comment */
+        error(M_BADHEADR, "");
 
     hdr_filename = (char *)&header[first_hdr_size];
     strncopy(filename, hdr_filename, sizeof(filename));
+    if(entry_pos >= strlen(filename))
+        error(M_BADHEADR, "");
     if (host_os != OS)
         strparity((uchar *)filename);
     if ((arj_flags & PATHSYM_FLAG) != 0)
@@ -727,11 +734,11 @@ extract()
 
     no_output = 0;
     if (command == 'E')
-        strcpy(name, &filename[entry_pos]);
+        copy_path_relative(name, &filename[entry_pos], sizeof(name));
     else
     {
         strcpy(name, DEFAULT_DIR);
-        strcat(name, filename);
+        copy_path_relative(name+strlen(name), filename, sizeof(name)-strlen(name));
     }
 
     if (host_os != OS)