fix buffer overflow in the get_next_text() function (CVE-2006-5864)

from evince CVS
2006-12-30 12:41:39 +00:00 · 2006-12-30 12:41:39 +00:00 · f67ceb2007
commit f67ceb2007
parent 83ba29a04d
2 changed files with 25 additions and 1 deletions
--- a/graphics/evince/Makefile
+++ b/graphics/evince/Makefile
@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.4 2006/12/16 12:22:33 espie Exp $
+# $OpenBSD: Makefile,v 1.5 2006/12/30 12:41:39 steven Exp $

 COMMENT=	"document viewer for multiple document formats"

 DISTNAME=	evince-0.5.2
+PKGNAME=	${DISTNAME}p0
 CATEGORIES=	graphics print

 HOMEPAGE=	http://www.gnome.org/projects/evince/
--- a/graphics/evince/patches/patch-ps_ps_c
+++ b/graphics/evince/patches/patch-ps_ps_c
@ -0,0 +1,23 @@
+$OpenBSD: patch-ps_ps_c,v 1.1 2006/12/30 12:41:39 steven Exp $
+--- ps/ps.c.orig	Sat Dec 30 13:48:55 2006
+++ ps/ps.c	Sat Dec 30 13:54:21 2006
+@@ -1231,7 +1231,8 @@ get_next_text(line, next_char)
+     int level = 0;
+     quoted = 1;
+     line++;
+-    while(*line && !(*line == ')' && level == 0)) {
+    while(*line && !(*line == ')' && level == 0)
+	 && (cp - text) < PSLINELENGTH - 1) {
+       if(*line == '\\') {
+         if(*(line + 1) == 'n') {
+           *cp++ = '\n';
+@@ -1302,7 +1303,8 @@ get_next_text(line, next_char)
+     }
+   }
+   else {
+-    while(*line && !(*line == ' ' || *line == '\t' || *line == '\n'))
+    while(*line && !(*line == ' ' || *line == '\t' || *line == '\n')
+	 && (cp - text) < PSLINELENGTH - 1)
+       *cp++ = *line++;
+   }
+   *cp = '\0';