| 1234567891011121314151617181920 |
- $OpenBSD: patch-src_it_itread_c,v 1.1 2013/10/14 07:17:21 dcoppa Exp $
- Fix heap-based buffer overflow in the it_read_envelope function
- (CVE-2006-3668)
- --- src/it/itread.c.orig Mon Aug 8 02:18:41 2005
- +++ src/it/itread.c Fri Oct 11 16:37:22 2013
- @@ -292,6 +292,11 @@ static int it_read_envelope(IT_ENVELOPE *envelope, DUM
-
- envelope->flags = dumbfile_getc(f);
- envelope->n_nodes = dumbfile_getc(f);
- + if(envelope->n_nodes > 25) {
- + TRACE("IT error: wrong number of envelope nodes (%d)\n", envelope->n_nodes);
- + envelope->n_nodes = 0;
- + return -1;
- + }
- envelope->loop_start = dumbfile_getc(f);
- envelope->loop_end = dumbfile_getc(f);
- envelope->sus_loop_start = dumbfile_getc(f);
|
