Package: devil Version: 1.7.5-3 Severity: grave Tags: security X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
Hi,
you fix #511844 by:
while (a != '\n') {
+ if (count >= 80) { // Line shouldn't be this long at all.
+ ilSetError(IL_INVALID_FILE_HEADER);
+ return IL_FALSE;
+ }
buff[count] = a;
sizeof(buff) is 80. After each loop count is incremented and
a 0 byte is written to buff[count] after the while loop.
In case the header is 79 bytes long this results in an off-by-one and
a 0 byte written to buff[80]. Please fix this by check for count being
>= sizeof(buff) -1.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpG7E19hoQyn.pgp
Description: PGP signature
