Nico Golde
2009-Jan-17 14:10 UTC
[Secure-testing-team] Bug#512122: [devil] fix for #511844 results in an off-by-one
Package: devil
Version: 1.7.5-3
Severity: grave
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

Hi,
you fix #511844 by:

while (a != ''\n'') { + if (count >= 80) { // Line shouldn''t be this long at all. + ilSetError(IL_INVALID_FILE_HEADER); + return IL_FALSE; + } buff[count] = a;

sizeof(buff) is 80. After each loop count is incremented and a 0 byte is written to buff[count] after the while loop. In case the header is 79 bytes long this results in an off-by-one and a 0 byte written to buff[80].

Please fix this by checking for count being >= sizeof(buff) - 1.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
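Review bot: the added check `if (count >= 80)` inside the while loop still lets count reach 80 after the last store and increment, so, with the increment and the terminating write described in the report, the 0 byte written to buff[count] after the loop lands at buff[80], one past the 80-byte buffer. Compare against sizeof(buff) - 1 instead of the literal 80, which reserves the slot for the terminator and keeps the check correct if the buffer size ever changes.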
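The bound requested in the report, as an added example that is not part of the original mail and is not the devil package's code. The names read_header_line, try_line and LINE_CAP are hypothetical, and the input lines are constructed; a canary byte placed directly after the 80-byte buffer shows that nothing is written past it.

```c
#include <stddef.h>
#include <string.h>

#define LINE_CAP 80  /* same size as the buff discussed in the report */

/* Hypothetical reader: copies one '\n'-terminated line from src into buff
 * (capacity cap) and NUL-terminates it. Returns the line length, or -1 if
 * the line does not fit or src ends before a newline. */
static int read_header_line(const char *src, size_t srclen,
                            char *buff, size_t cap)
{
    size_t count = 0, i = 0;

    if (cap == 0)
        return -1;
    while (i < srclen && src[i] != '\n') {
        /* Reserve one slot for the terminator: stop at cap - 1, not cap. */
        if (count >= cap - 1)
            return -1;
        buff[count++] = src[i++];
    }
    if (i == srclen)
        return -1;          /* no newline found: truncated header */
    buff[count] = '\0';     /* count <= cap - 1, always in bounds */
    return (int)count;
}

/* Constructed boundary check: a line of n 'A' bytes plus '\n' is read into
 * an 80-byte buffer followed by a canary byte. Returns the reader's result,
 * or -2 if the canary was overwritten. Requires n < 127. */
static int try_line(size_t n)
{
    char src[128];
    struct { char buff[LINE_CAP]; unsigned char canary; } s;

    memset(src, 'A', n);
    src[n] = '\n';
    s.canary = 0xAA;
    int r = read_header_line(src, n + 1, s.buff, sizeof(s.buff));
    return s.canary == 0xAA ? r : -2;
}

int main(void)
{
    /* 79 bytes fit with the terminator at buff[79]; 80 bytes are rejected. */
    return (try_line(79) == 79 && try_line(80) == -1) ? 0 : 1;
}
```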