From f962a7f87eff2e1c139ab11b9534b59a0edef217 Mon Sep 17 00:00:00 2001
From: Marko Lindqvist <cazfi74@gmail.com>
Date: Fri, 5 Aug 2022 00:22:56 +0300
Subject: [PATCH] fcmp: Fix vulnerability with crafted modpack URLs

See osdn #45299

Signed-off-by: Marko Lindqvist <cazfi74@gmail.com>
---
 tools/download.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tools/download.c b/tools/download.c
index d555bb5e0d..2fbf561f88 100644
--- a/tools/download.c
+++ b/tools/download.c
@@ -116,6 +116,10 @@ static const char *download_modpack_recursive(const char *URL,
     /* Nothing */
   }
 
+  if (start_idx <= 0) {
+    return _("This does not look like modpack URL");
+  }
+
   log_normal(_("Installing modpack %s from %s"), URL + start_idx, URL);
 
   if (fcmp->inst_prefix == NULL) {
@@ -417,6 +421,10 @@ const char *download_modpack_list(const struct fcmp_params *fcmp,
     /* Nothing */
   }
 
+  if (start_idx <= 0) {
+    return _("Invalid modpack list URL");
+  }
+
   list_capstr = secfile_lookup_str(list_file, "info.options");
   if (list_capstr == NULL) {
     secfile_destroy(list_file);
-- 
2.35.1