1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
Description: Fix for CVE-2009-3050
This patch fixes a buffer overflow when setting custom page output size.
Author: Giuseppe Iuculano <iuculano@debian.org>
Bug-Debian: http://bugs.debian.org/537637
Bug-Gentoo: http://bugs.gentoo.org/show_bug.cgi?id=278186
Bug: http://www.htmldoc.org/str.php?L214+P0+S0+C0+I0+E0+M1000+Qversion:1.8
Last-Update: 2011-02-20
--- htmldoc-1.8.27.orig/htmldoc/util.cxx
+++ htmldoc-1.8.27/htmldoc/util.cxx
@@ -484,7 +484,7 @@ set_page_size(const char *size) /* I - P
PageWidth = 595;
PageLength = 792;
}
- else if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)
+ else if (sscanf(size, "%fx%f%254s", &width, &length, units) >= 2)
{
/*
* Custom size...
--- htmldoc-1.8.27.orig/htmldoc/ps-pdf.cxx
+++ htmldoc-1.8.27/htmldoc/ps-pdf.cxx
@@ -12512,7 +12512,7 @@ write_type1(FILE *out, /* I - Fil
* assigned charset...
*/
- if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2)
+ if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%63s", &width, glyph) != 2)
continue;
for (ch = 0; ch < 256; ch ++)
--- htmldoc-1.8.27.orig/htmldoc/htmllib.cxx
+++ htmldoc-1.8.27/htmldoc/htmllib.cxx
@@ -2139,7 +2139,7 @@ htmlLoadFontWidths(void)
* assigned charset...
*/
- if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2)
+ if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%63s", &width, glyph) != 2)
continue;
for (ch = 0; ch < 256; ch ++)
|
