1https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355 2 3CVE: CVE-2022-0530 4Upstream-Status: Inactive-Upstream [need a new release] 5 6diff --git a/fileio.c b/fileio.c 7index 6290824..77e4b5f 100644 8--- a/fileio.c 9+++ b/fileio.c 10@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type error code */ 11 /* convert UTF-8 to local character set */ 12 fn = utf8_to_local_string(G.unipath_filename, 13 G.unicode_escape_all); 14+ if (fn == NULL) 15+ return PK_ERR; 16+ 17 /* make sure filename is short enough */ 18 if (strlen(fn) >= FILNAMSIZ) { 19 fn[FILNAMSIZ - 1] = '\0'; 20diff --git a/process.c b/process.c 21index d2a846e..715bc0f 100644 22--- a/process.c 23+++ b/process.c 24@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all) 25 int escape_all; 26 { 27 zwchar *wide = utf8_to_wide_string(utf8_string); 28+ if (wide == NULL) 29+ return NULL; 30 char *loc = wide_to_local_string(wide, escape_all); 31 free(wide); 32 return loc; 33 34