ALT Linux Bugzilla
– Attachment 4636 Details for
Bug 20780
HTMLDOC "set_page_size()" Buffer Overflow Vulnerability
[patch]
htmldoc-1.8.27-possible-bof.patch
htmldoc-1.8.27-possible-bof.patch (text/plain), 1.10 KB, created by
Michael Shigorin
on 2010-10-30 15:09:31 MSD
Description:
htmldoc-1.8.27-possible-bof.patch
Filename:
MIME Type:
Creator:
Michael Shigorin
Created:
2010-10-30 15:09:31 MSD
Size:
1.10 KB
patch
obsolete
>diff -Naur htmldoc-1.8.27-orig/htmldoc/ps-pdf.cxx htmldoc-1.8.27/htmldoc/ps-pdf.cxx
>--- htmldoc-1.8.27-orig/htmldoc/ps-pdf.cxx 2006-08-01 16:58:50.000000000 +0000
>+++ htmldoc-1.8.27/htmldoc/ps-pdf.cxx 2010-10-30 10:54:03.780040399 +0000
>@@ -202,7 +202,7 @@
> float size; /* Size of text in points */
> float spacing; /* Inter-character spacing */
> float rgb[3]; /* Color of text */
>- uchar buffer[1]; /* String buffer */
>+ uchar buffer[]; /* String buffer */
> } text;
> image_t *image; /* Image pointer */
> float box[3]; /* Box color */
>@@ -1060,7 +1060,7 @@
> bytes += sizeof(render_t);
>
> if (r->type == RENDER_TEXT)
>- bytes += strlen((char *)r->data.text.buffer);
>+ bytes += strlen((char *)r->data.text.buffer)+1;
> }
> }
>
>@@ -8590,7 +8590,7 @@
> if ((type != RENDER_TEXT && type != RENDER_LINK) || data == NULL)
> r = (render_t *)calloc(sizeof(render_t), 1);
> else
>- r = (render_t *)calloc(sizeof(render_t) + strlen((char *)data), 1);
>+ r = (render_t *)calloc(sizeof(render_t) + strlen((char *)data) + 1, 1);
>
> if (r == NULL)
> {
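Review bot: `uchar buffer[]` in the first hunk is a C99 flexible array member, but ps-pdf.cxx is built as C++, where it is only a compiler extension. It also sits in a nested `text` struct that is followed by `image` and `box` (apparently a union), a position where standard C does not allow a flexible array either. Dropping the `[1]` may also remove the byte that previously held the terminator, so any allocation, realloc or memcpy sized from `sizeof(render_t)` outside these hunks should be checked, not only the two sites the patch updates. Keeping `buffer[1]` together with the `+ 1` added in the other hunks would give the same margin without the extension; if the member is changed, document the contract on it, e.g. `uchar buffer[]; /* NUL-terminated; allocate sizeof(render_t) + strlen + 1 */`. The struct definition starts and ends outside the hunk.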
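Review bot: The byte accounting in the second hunk adds string bytes only for `RENDER_TEXT`, while the allocation in the third hunk also sizes `RENDER_LINK` entries by their string length, so the total may still undercount link entries. If that is intended, a short comment would make it clear, e.g. `/* only text entries are counted with their string plus NUL */`. The new `)+1` is also spaced differently from the `+ 1` in the third hunk. The enclosing loop starts outside the hunk.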
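Review bot: The allocation in the third hunk is now `sizeof(render_t) + strlen((char *)data) + 1`, but the copy into the new entry is outside the hunk, so the fix holds only if that copy is bounded by the same length. Computing the length once with `size_t len = strlen((char *)data);`, allocating `sizeof(render_t) + len + 1` and copying `len + 1` bytes would keep allocation and copy from drifting apart again. The `RENDER_LINK` case shares this allocation, so its destination member (not shown here) needs the same terminator accounting. The enclosing function begins and ends outside the hunk.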
Attachments on
bug 20780
: 4636