20 lines
690 B
Plaintext
20 lines
690 B
Plaintext
$OpenBSD: patch-src_it_itread_c,v 1.1 2013/10/14 07:17:21 dcoppa Exp $
|
|
|
|
Fix heap-based buffer overflow in the it_read_envelope function
|
|
(CVE-2006-3668)
|
|
|
|
--- src/it/itread.c.orig Mon Aug 8 02:18:41 2005
|
|
+++ src/it/itread.c Fri Oct 11 16:37:22 2013
|
|
@@ -292,6 +292,11 @@ static int it_read_envelope(IT_ENVELOPE *envelope, DUM
|
|
|
|
envelope->flags = dumbfile_getc(f);
|
|
envelope->n_nodes = dumbfile_getc(f);
|
|
+ if(envelope->n_nodes > 25) {
|
|
+ TRACE("IT error: wrong number of envelope nodes (%d)\n", envelope->n_nodes);
|
|
+ envelope->n_nodes = 0;
|
|
+ return -1;
|
|
+ }
|
|
envelope->loop_start = dumbfile_getc(f);
|
|
envelope->loop_end = dumbfile_getc(f);
|
|
envelope->sus_loop_start = dumbfile_getc(f);
|