[Secure-testing-team] Bug#512122: [devil] fix for #511844 results in an off-by-one
Nico Golde
nion at debian.org
Sat Jan 17 14:10:36 UTC 2009
Package: devil
Version: 1.7.5-3
Severity: grave
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
Hi,
you fix #511844 by:
while (a != '\n') {
+ if (count >= 80) { // Line shouldn't be this long at all.
+ ilSetError(IL_INVALID_FILE_HEADER);
+ return IL_FALSE;
+ }
buff[count] = a;
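Review bot: the added check at "if (count >= 80)" only rejects once count has already reached 80, so the loop can still exit with count == 80, and the 0 byte that the mail says is written to buff[count] after the loop then lands one past the end of an 80-byte buff. Bound the loop at count >= sizeof(buff) - 1 so the last slot stays reserved for the terminator, and use sizeof(buff) instead of the literal 80 so the check follows the buffer if its size ever changes.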
sizeof(buff) is 80. After each loop count is incremented and
a 0 byte is written to buff[count] after the while loop.
In case the header is 79 bytes long this results in an off-by-one and
a 0 byte written to buff[80]. Please fix this by checking for count being
>= sizeof(buff) -1.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
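
An added example, not part of the original mail and not DevIL's code: a C model of the bounded copy loop discussed above, run with the patched limit (80) and the limit the report asks for (sizeof(buff) - 1). It assumes one byte is stored and count incremented per iteration, with the 0 byte written after the loop, as the mail describes; read_line_model, terminator_index and the guard slot are hypothetical names, and the input lines are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 80            /* sizeof(buff) as stated in the mail */

/* Model of the loop: copy bytes up to '\n', reject once count reaches
 * `limit`, then write the 0 terminator at buff[count].
 * `guarded` has BUFF_SIZE + 1 bytes so the model itself never overflows.
 * Returns the terminator index, or -1 if the line was rejected. */
static int read_line_model(const char *in, size_t len, size_t limit,
                           char *guarded)
{
    size_t count = 0, pos = 0;

    while (pos < len && in[pos] != '\n') {
        if (count >= limit)
            return -1;          /* IL_INVALID_FILE_HEADER in the patch */
        guarded[count++] = in[pos++];
    }
    guarded[count] = 0;
    return (int)count;
}

/* Build a constructed line of n 'A' bytes plus '\n' and run the model. */
static int terminator_index(size_t n, size_t limit)
{
    char in[BUFF_SIZE + 8];
    char guarded[BUFF_SIZE + 1];

    if (n + 1 > sizeof(in))
        return -2;              /* sample too long for this demo */
    memset(in, 'A', n);
    in[n] = '\n';
    return read_line_model(in, n + 1, limit, guarded);
}

int main(void)
{
    size_t limits[] = { BUFF_SIZE, BUFF_SIZE - 1 };

    for (size_t l = 0; l < 2; l++)
        for (size_t n = 78; n <= 81; n++) {
            int idx = terminator_index(n, limits[l]);
            printf("limit=%zu line=%zu -> %s (index %d)\n", limits[l], n,
                   idx < 0 ? "rejected" : idx >= BUFF_SIZE ? "OUT OF BOUNDS" : "ok", idx);
        }
    return 0;
}
```

A terminator index of BUFF_SIZE or more means the 0 byte would fall outside an 80-byte buffer; in this model that only happens with the limit of 80.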