Sophie

gimp-2.2.13-2.0.10.el5.src.rpm

From 30163b4732c11c57ac0cdee33a9ea42c852b686d Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Wed, 18 May 2011 20:03:48 +0200
Subject: [PATCH] patch: CVE-2010-4543,2011-1782

Squashed commit of the following:

commit 384af8ac74f37d7d07ad25f51552cec28fa2b178
Author: Nils Philippsen <nils@redhat.com>
Date:   Fri May 13 17:08:02 2011 +0200

    psp: fix overflow protection (CVE-2011-1782)

    amends commit 48ec15890e1751dede061f6d1f469b6508c13439, related to
    CVE-2010-4543
    (cherry picked from commit 831e93b10d76881f019900cb7eba59c80ebbaa3a)

    Conflicts:

    	plug-ins/common/file-psp.c

commit e71c6bd776d4a5c9715501d60d0cdbed3e7ddd61
Author: Simon Budig <simon@budig.de>
Date:   Mon Feb 14 21:46:31 2011 +0100

    psp: fix for bogus input data. Fixes bug #639203
    (cherry picked from commit 48ec15890e1751dede061f6d1f469b6508c13439)

    Conflicts:

    	plug-ins/common/file-psp.c
---
 plug-ins/common/psp.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/plug-ins/common/psp.c b/plug-ins/common/psp.c
index 3b9602a..e30fd37 100644
--- a/plug-ins/common/psp.c
+++ b/plug-ins/common/psp.c
@@ -926,6 +926,10 @@ read_channel_data (FILE       *f,
 	    }
 	  else
 	    fread (buf, runcount, 1, f);
+
+      /* prevent buffer overflow for bogus data */
+      runcount = MIN (runcount, (endq - q) / bytespp);
+
 	  if (bytespp == 1)
 	    {
 	      memmove (q, buf, runcount);
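Review bot: the clamp `runcount = MIN (runcount, (endq - q) / bytespp);` is applied only after `fread (buf, runcount, 1, f)` in the else branch, so it bounds the later `memmove` into `q` but not the read into `buf`, which still uses the count taken from the file. Please confirm that `buf` is large enough for the largest possible `runcount`, or add a separate bound before the read. The expression `(endq - q) / bytespp` also assumes `q <= endq` and `bytespp != 0` at this point. If `q` can ever pass `endq`, the difference is negative and the result reaches `memmove` as a length, so an explicit `q >= endq` check that stops the loop would be safer than relying on MIN. The return value of `fread` is not checked either, so a truncated file leaves stale bytes in `buf` that are then copied. Style: the added lines are indented with spaces to a different column than the tab-indented code around them.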
-- 
1.7.5.1