author | Michael Jennings <mej@kainx.org> | 2011-05-15 21:24:19 +0000 |
---|---|---|
committer | Michael Jennings <mej@kainx.org> | 2011-05-15 21:24:19 +0000 |
commit | 21375413faf3918f9697aab137d535311216338c (patch) | |
tree | 1f44395abe7ec3e9265e8215a8d3380f25667024 /src | |
parent | e096c4df0f63fbef9833a8ede248d30ea36650e8 (diff) | |
download | eterm-21375413faf3918f9697aab137d535311216338c.tar.gz |
Tue Mar 15 23:08:26 2011 Michael Jennings (mej)
Fix for CVE-2011-0768, an off-by-one error in handling large pixmap
filenames which resulted in an overflow of a single NUL character if
the filename exceeded PATH_MAX bytes. This bug is NOT exploitable.
Again, thanks to Jonathan Brossard and the team at Toucan System for
responsibly disclosing this vulnerability and to CERT for assisting
with coordination and disclosure.
----------------------------------------------------------------------
SVN revision: 59414
Diffstat (limited to 'src')
-rw-r--r-- | src/pixmap.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/pixmap.c b/src/pixmap.c index a9e45ad..b544ad0 100644 --- a/src/pixmap.c +++ b/src/pixmap.c @@ -1327,7 +1327,7 @@ search_path(const char *pathlist, const char *file) D_OPTIONS(("search_path(\"%s\", \"%s\") called from \"%s\".\n", pathlist, file, name)); if (len < PATH_MAX - 1) { strcat(name, "/"); - strncat(name, file, PATH_MAX - len - 1); + strncat(name, file, PATH_MAX - len - 2); } D_OPTIONS(("Checking for file \"%s\"\n", name)); if (!access(name, R_OK)) { |
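Review bot: the corrected count on the `strncat(name, file, PATH_MAX - len - 2);` line still truncates silently. When `file` does not fit, `name` ends up holding a shortened path, and the `access(name, R_OK)` call that follows tests that shortened path, which may name a different file from the one requested. At `len == PATH_MAX - 2` the guard `len < PATH_MAX - 1` still passes and the count is 0, so only the "/" is appended. Consider comparing `strlen(file)` against the remaining room and skipping this path entry when it does not fit, or appending with `snprintf` and checking its return value for truncation. The arithmetic also relies on `name` being exactly PATH_MAX bytes and on `len` being its length before the "/" is appended, neither of which is visible in this hunk. A one-line comment stating that, and that `strncat` writes up to n bytes plus a terminating NUL, would help keep a later edit from reintroducing the off-by-one.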