diff options
Diffstat (limited to 'print/enscript-letter/files/patch-CVE-2008-3863-and-4306')
| -rw-r--r-- | print/enscript-letter/files/patch-CVE-2008-3863-and-4306 | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/print/enscript-letter/files/patch-CVE-2008-3863-and-4306 b/print/enscript-letter/files/patch-CVE-2008-3863-and-4306 new file mode 100644 index 000000000000..6568c6becb32 --- /dev/null +++ b/print/enscript-letter/files/patch-CVE-2008-3863-and-4306 @@ -0,0 +1,94 @@ +Patch for CVE-2008-3863 and CVE-2008-4306 + +Obtained from: http://cvs.fedoraproject.org/viewvc/devel/enscript/enscript-CVE-2008-3863%2BCVE-2008-4306.patch?revision=1.1 + +--- src/psgen.c ++++ src/psgen.c 2008-10-29 10:43:08.512598143 +0100 +@@ -24,6 +24,7 @@ + * Boston, MA 02111-1307, USA. + */ + ++#include <limits.h> + #include "gsint.h" + + /* +@@ -124,7 +125,7 @@ struct gs_token_st + double xscale; + double yscale; + int llx, lly, urx, ury; /* Bounding box. */ +- char filename[512]; ++ char filename[PATH_MAX]; + char *skipbuf; + unsigned int skipbuf_len; + unsigned int skipbuf_pos; +@@ -135,11 +136,11 @@ struct gs_token_st + Color bgcolor; + struct + { +- char name[512]; ++ char name[PATH_MAX]; + FontPoint size; + InputEncoding encoding; + } font; +- char filename[512]; ++ char filename[PATH_MAX]; + } u; + }; + +@@ -248,7 +249,7 @@ static int do_print = 1; + static int user_fontp = 0; + + /* The user ^@font{}-defined font. */ +-static char user_font_name[256]; ++static char user_font_name[PATH_MAX]; + static FontPoint user_font_pt; + static InputEncoding user_font_encoding; + +@@ -978,7 +979,8 @@ large for page\n"), + FATAL ((stderr, + _("user font encoding can be only the system's default or `ps'"))); + +- strcpy (user_font_name, token.u.font.name); ++ memset (user_font_name, 0, sizeof(user_font_name)); ++ strncpy (user_font_name, token.u.font.name, sizeof(user_font_name) - 1); + user_font_pt.w = token.u.font.size.w; + user_font_pt.h = token.u.font.size.h; + user_font_encoding = token.u.font.encoding; +@@ -1444,7 +1446,7 @@ read_special_escape (InputStream *is, To + buf[i] = ch; + if (i + 1 >= sizeof (buf)) + FATAL ((stderr, _("too long argument for %s escape:\n%.*s"), +- escapes[i].name, i, buf)); ++ escapes[e].name, i, buf)); + } + buf[i] = '\0'; + +@@ -1452,7 +1454,8 @@ read_special_escape (InputStream *is, To + switch (escapes[e].escape) + { + case ESC_FONT: +- strcpy (token->u.font.name, buf); ++ memset (token->u.font.name, 0, sizeof(token->u.font.name)); ++ strncpy (token->u.font.name, buf, sizeof(token->u.font.name) - 1); + + /* Check for the default font. */ + if (strcmp (token->u.font.name, "default") == 0) +@@ -1465,7 +1468,8 @@ read_special_escape (InputStream *is, To + FATAL ((stderr, _("malformed font spec for ^@font escape: %s"), + token->u.font.name)); + +- strcpy (token->u.font.name, cp); ++ memset (token->u.font.name, 0, sizeof(token->u.font.name)); ++ strncpy (token->u.font.name, cp, sizeof(token->u.font.name) - 1); + xfree (cp); + } + token->type = tFONT; +@@ -1544,7 +1548,8 @@ read_special_escape (InputStream *is, To + break; + + case ESC_SETFILENAME: +- strcpy (token->u.filename, buf); ++ memset (token->u.filename, 0, sizeof(token->u.font.name)); ++ strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1); + token->type = tSETFILENAME; + break; |