From c5052e06693683f9e6fabb1319e057639a57b0bd Mon Sep 17 00:00:00 2001
From: Marko Lindqvist
Date: Fri, 5 Aug 2022 01:15:50 +0300
Subject: [PATCH] fcmp: Fix vulnerability with crafted modpack URLs

See osdn #45299

Signed-off-by: Marko Lindqvist
---
 tools/fcmp/download.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tools/fcmp/download.c b/tools/fcmp/download.c
index efc72a46a1..4c9d0c9ae7 100644
--- a/tools/fcmp/download.c
+++ b/tools/fcmp/download.c
@@ -119,6 +119,10 @@ static const char *download_modpack_recursive(const char *URL,
 /* Nothing */
 }

+ if (start_idx <= 0) {
+ return _("This does not look like modpack URL");
+ }
+
 log_normal(_("Installing modpack %s from %s"), URL + start_idx, URL);

 if (fcmp->inst_prefix == NULL) {
@@ -426,6 +430,10 @@ const char *download_modpack_list(const struct fcmp_params *fcmp,
 /* Nothing */
 }

+ if (start_idx <= 0) {
+ return _("Invalid modpack list URL");
+ }
+
 list_capstr = secfile_lookup_str(list_file, "info.options");
 if (list_capstr == NULL) {
 secfile_destroy(list_file);
--
2.35.1
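Review bot: The new `start_idx <= 0` guard in download_modpack_recursive has no comment saying what it protects, and the loop that computes start_idx ends just above the added lines with its header outside the hunk, so a reader cannot tell why zero is rejected along with negative values. I would add `/* start_idx must land just past a '/' inside URL; otherwise URL + start_idx below is not a valid modpack name */` above the check. It is also worth confirming where start_idx is declared that it is a signed type, since with an unsigned index the comparison reduces to `== 0` and a wrapped value would pass. The same guard is added to download_modpack_list in the second hunk, and the comment applies there as well.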
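Review bot: The early return added in download_modpack_list looks like it leaks list_file: the error branch immediately after it calls `secfile_destroy(list_file);`, which suggests the section file is already loaded when the new check runs. If that is the case, the new branch needs `secfile_destroy(list_file);` before `return _("Invalid modpack list URL");`. Alternatively the check could move ahead of the point where list_file is obtained, so that a malformed list URL is rejected before anything is fetched or parsed. The start of the function is outside the hunk, so the order of those steps has to be confirmed there.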