33 lines
1.4 KiB
Diff
33 lines
1.4 KiB
Diff
Related: https://bugzilla.redhat.com/show_bug.cgi?id=614643#c6
|
|
Gentoo-bug: http://bugs.gentoo.org/335892
|
|
--- loaders/load_it.c.orig 2010-07-22 16:02:16.000000000 +0200
|
|
+++ loaders/load_it.c 2010-07-22 16:07:48.000000000 +0200
|
|
@@ -743,6 +743,8 @@ BOOL IT_Load(BOOL curious)
|
|
#define IT_LoadEnvelope(name,type) \
|
|
ih. name##flg =_mm_read_UBYTE(modreader); \
|
|
ih. name##pts =_mm_read_UBYTE(modreader); \
|
|
+ if (ih. name##pts > ITENVCNT) \
|
|
+ ih. name##pts = ITENVCNT; \
|
|
ih. name##beg =_mm_read_UBYTE(modreader); \
|
|
ih. name##end =_mm_read_UBYTE(modreader); \
|
|
ih. name##susbeg=_mm_read_UBYTE(modreader); \
|
|
@@ -756,6 +758,8 @@ BOOL IT_Load(BOOL curious)
|
|
#define IT_LoadEnvelope(name,type) \
|
|
ih. name/**/flg =_mm_read_UBYTE(modreader); \
|
|
ih. name/**/pts =_mm_read_UBYTE(modreader); \
|
|
+ if (ih. name/**/pts > ITENVCNT) \
|
|
+ ih. name/**/pts = ITENVCNT; \
|
|
ih. name/**/beg =_mm_read_UBYTE(modreader); \
|
|
ih. name/**/end =_mm_read_UBYTE(modreader); \
|
|
ih. name/**/susbeg=_mm_read_UBYTE(modreader); \
|
|
@@ -862,10 +866,6 @@ BOOL IT_Load(BOOL curious)
|
|
#endif
|
|
|
|
IT_ProcessEnvelope(vol);
|
|
- /* fix for CVE-2009-3995 - snatched from SuSe's fix -- AW */
|
|
- if (ih.volpts>= ENVPOINTS)
|
|
- ih.volpts = ENVPOINTS-1;
|
|
-
|
|
for(u=0;u<ih.volpts;u++)
|
|
d->volenv[u].val=(ih.volnode[u]<<2);
|
|
|