From 30163b4732c11c57ac0cdee33a9ea42c852b686d Mon Sep 17 00:00:00 2001 From: Nils Philippsen <nils@redhat.com> Date: Wed, 18 May 2011 20:03:48 +0200 Subject: [PATCH] patch: CVE-2010-4543,2011-1782 Squashed commit of the following: commit 384af8ac74f37d7d07ad25f51552cec28fa2b178 Author: Nils Philippsen <nils@redhat.com> Date: Fri May 13 17:08:02 2011 +0200 psp: fix overflow protection (CVE-2011-1782) amends commit 48ec15890e1751dede061f6d1f469b6508c13439, related to CVE-2010-4543 (cherry picked from commit 831e93b10d76881f019900cb7eba59c80ebbaa3a) Conflicts: plug-ins/common/file-psp.c commit e71c6bd776d4a5c9715501d60d0cdbed3e7ddd61 Author: Simon Budig <simon@budig.de> Date: Mon Feb 14 21:46:31 2011 +0100 psp: fix for bogus input data. Fixes bug #639203 (cherry picked from commit 48ec15890e1751dede061f6d1f469b6508c13439) Conflicts: plug-ins/common/file-psp.c --- plug-ins/common/psp.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/plug-ins/common/psp.c b/plug-ins/common/psp.c index 3b9602a..e30fd37 100644 --- a/plug-ins/common/psp.c +++ b/plug-ins/common/psp.c @@ -926,6 +926,10 @@ read_channel_data (FILE *f, } else fread (buf, runcount, 1, f); + + /* prevent buffer overflow for bogus data */ + runcount = MIN (runcount, (endq - q) / bytespp); + if (bytespp == 1) { memmove (q, buf, runcount); -- 1.7.5.1