aboutsummaryrefslogtreecommitdiff
path: root/system/arj/patches/security-afl.patch
diff options
context:
space:
mode:
Diffstat (limited to 'system/arj/patches/security-afl.patch')
-rw-r--r--system/arj/patches/security-afl.patch35
1 files changed, 35 insertions, 0 deletions
diff --git a/system/arj/patches/security-afl.patch b/system/arj/patches/security-afl.patch
new file mode 100644
index 0000000000000..ed2bf57717863
--- /dev/null
+++ b/system/arj/patches/security-afl.patch
@@ -0,0 +1,35 @@
+Description: Fix buffer overflow causing an invalid pointer free().
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/774015
+Forwarded: no
+Last-Update: 2015-02-26
+
+---
+ decode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/decode.c
++++ b/decode.c
+@@ -255,7 +255,7 @@ void read_pt_len(int nn, int nbit, int i
+ if(i==i_special)
+ {
+ c=getbits(2);
+- while(--c>=0)
++ while(--c>=0&&i<nn)
+ pt_len[i++]=0;
+ }
+ }
+@@ -314,10 +314,10 @@ void read_c_len()
+ c=getbits(CBIT);
+ c+=20;
+ }
+- while(--c>=0)
++ while(--c>=0&&i<NC)
+ c_len[i++]=0;
+ }
+- else
++ else if (i<NC)
+ c_len[i++]=(unsigned char)(c-2);
+ }
+ while(i<NC)