blob: 9d3168c0bfbe5e9c06ebe1143c0a0d3e5f440bc7 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
CVE-2010-2642, CVE-2011-0433 and CVE-2011-5244
CVE-2010-2642:
==============
Upstream-Bug: https://bugzilla.gnome.org/show_bug.cgi?id=643882
Upstream-Fix: https://git.gnome.org/browse/evince/commit/?id=efadec4ffcdde3373f6f4ca0eaac98dc963c4fd5
CVE-2011-0433:
==============
Upstream-Bug: https://bugzilla.gnome.org/show_bug.cgi?id=640923
Upstream-Fix: https://git.gnome.org/browse/evince/commit/?id=439c5070022eab6cef7266aab47f978058012c72
CVE-2011-5244:
==============
Upstream-Bug: https://bugzilla.gnome.org/show_bug.cgi?id=643882
Upstream-Fix: https://git.gnome.org/browse/evince/commit/?id=efadec4ffcdde3373f6f4ca0eaac98dc963c4fd5
Origin: https://bugs.debian.org/652996
diff --git a/lib/t1lib/parseAFM.c b/lib/t1lib/parseAFM.c
index 6a31d7f..ba64541 100644
--- a/lib/t1lib/parseAFM.c
+++ b/lib/t1lib/parseAFM.c
@@ -199,7 +199,9 @@ static char *token(stream)
idx = 0;
while (ch != EOF && ch != ' ' && ch != CR && ch != LF &&
- ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';'){
+ ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';'
+ && idx < (MAX_NAME -1))
+ {
ident[idx++] = ch;
ch = fgetc(stream);
} /* while */
@@ -235,7 +237,7 @@ static char *linetoken(stream)
while ((ch = fgetc(stream)) == ' ' || ch == '\t' );
idx = 0;
- while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z)
+ while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z && idx < (MAX_NAME - 1))
{
ident[idx++] = ch;
ch = fgetc(stream);
|
GitWeb
