summaryrefslogtreecommitdiff
path: root/pcr/htmldoc/cve-2009-3050.patch
diff options
context:
space:
mode:
Diffstat (limited to 'pcr/htmldoc/cve-2009-3050.patch')
-rw-r--r--pcr/htmldoc/cve-2009-3050.patch41
1 files changed, 41 insertions, 0 deletions
diff --git a/pcr/htmldoc/cve-2009-3050.patch b/pcr/htmldoc/cve-2009-3050.patch
new file mode 100644
index 000000000..8d0fd173a
--- /dev/null
+++ b/pcr/htmldoc/cve-2009-3050.patch
@@ -0,0 +1,41 @@
+Description: Fix for CVE-2009-3050
+ This patch fixes a buffer overflow when setting custom page output size.
+Author: Giuseppe Iuculano <iuculano@debian.org>
+Bug-Debian: http://bugs.debian.org/537637
+Bug-Gentoo: http://bugs.gentoo.org/show_bug.cgi?id=278186
+Bug: http://www.htmldoc.org/str.php?L214+P0+S0+C0+I0+E0+M1000+Qversion:1.8
+Last-Update: 2011-02-20
+
+--- htmldoc-1.8.27.orig/htmldoc/util.cxx
++++ htmldoc-1.8.27/htmldoc/util.cxx
+@@ -484,7 +484,7 @@ set_page_size(const char *size) /* I - P
+ PageWidth = 595;
+ PageLength = 792;
+ }
+- else if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)
++ else if (sscanf(size, "%fx%f%254s", &width, &length, units) >= 2)
+ {
+ /*
+ * Custom size...
+--- htmldoc-1.8.27.orig/htmldoc/ps-pdf.cxx
++++ htmldoc-1.8.27/htmldoc/ps-pdf.cxx
+@@ -12512,7 +12512,7 @@ write_type1(FILE *out, /* I - Fil
+ * assigned charset...
+ */
+
+- if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2)
++ if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%63s", &width, glyph) != 2)
+ continue;
+
+ for (ch = 0; ch < 256; ch ++)
+--- htmldoc-1.8.27.orig/htmldoc/htmllib.cxx
++++ htmldoc-1.8.27/htmldoc/htmllib.cxx
+@@ -2139,7 +2139,7 @@ htmlLoadFontWidths(void)
+ * assigned charset...
+ */
+
+- if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2)
++ if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%63s", &width, glyph) != 2)
+ continue;
+
+ for (ch = 0; ch < 256; ch ++)