From 51604f30957277f0f1cdecd4fcc2d8e1040a5859 Mon Sep 17 00:00:00 2001
From: "B. Watson" <yalhcru@gmail.com>
Date: Tue, 7 Apr 2015 19:58:35 +0700
Subject: system/arj: Security fixes.

Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
---
 system/arj/patches/security-afl.patch | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 system/arj/patches/security-afl.patch

(limited to 'system/arj/patches/security-afl.patch')

diff --git a/system/arj/patches/security-afl.patch b/system/arj/patches/security-afl.patch
new file mode 100644
index 0000000000..ed2bf57717
--- /dev/null
+++ b/system/arj/patches/security-afl.patch
@@ -0,0 +1,35 @@
+Description: Fix buffer overflow causing an invalid pointer free().
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/774015
+Forwarded: no
+Last-Update: 2015-02-26
+
+---
+ decode.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/decode.c
++++ b/decode.c
+@@ -255,7 +255,7 @@ void read_pt_len(int nn, int nbit, int i
+    if(i==i_special)
+    {
+     c=getbits(2);
+-    while(--c>=0)
++    while(--c>=0&&i<nn)
+      pt_len[i++]=0;
+    }
+   }
+@@ -314,10 +314,10 @@ void read_c_len()
+      c=getbits(CBIT);
+      c+=20;
+     }
+-    while(--c>=0)
++    while(--c>=0&&i<NC)
+      c_len[i++]=0;
+    }
+-   else
++   else if (i<NC)
+     c_len[i++]=(unsigned char)(c-2);
+   }
+   while(i<NC)
-- 
cgit v1.2.3