From 21375413faf3918f9697aab137d535311216338c Mon Sep 17 00:00:00 2001
From: Michael Jennings <mej@kainx.org>
Date: Sun, 15 May 2011 21:24:19 +0000
Subject: Tue Mar 15 23:08:26 2011                        Michael Jennings
 (mej)

Fix for CVE-2011-0768, an off-by-one error in handling large pixmap
filenames which resulted in an overflow of a single NUL character if
the filename exceeded PATH_MAX bytes.  This bug is NOT exploitable.
Again, thanks to Jonathan Brossard and the team at Toucan System for
responsibly disclosing this vulnerability and to CERT for assisting
with coordination and disclosure.
----------------------------------------------------------------------


SVN revision: 59414
---
 ChangeLog    | 11 ++++++++++-
 src/pixmap.c |  2 +-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 0f39088..7951161 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5653,7 +5653,7 @@ claims to be a string, which is probably more correct.  This should
 also eliminate server round-trips when clients ask for UTF-8, get a
 string, then ask for a string (Opera).
 ----------------------------------------------------------------------
-Tue Mar 15 23:03:57 2011                                           mej
+Tue Mar 15 23:03:57 2011                        Michael Jennings (mej)
 
 Fix for CVE-2011-0409 (CERT VU#285156), a use-after-free error in the
 XIM code.  This only affects versions where XIM support is compiled in
@@ -5663,3 +5663,12 @@ the team at Toucan System for responsibly disclosing this
 vulnerability and to CERT for assisting with coordination and
 disclosure.
 ----------------------------------------------------------------------
+Tue Mar 15 23:08:26 2011                        Michael Jennings (mej)
+
+Fix for CVE-2011-0768, an off-by-one error in handling large pixmap
+filenames which resulted in an overflow of a single NUL character if
+the filename exceeded PATH_MAX bytes.  This bug is NOT exploitable.
+Again, thanks to Jonathan Brossard and the team at Toucan System for
+responsibly disclosing this vulnerability and to CERT for assisting
+with coordination and disclosure.
+----------------------------------------------------------------------
diff --git a/src/pixmap.c b/src/pixmap.c
index a9e45ad..b544ad0 100644
--- a/src/pixmap.c
+++ b/src/pixmap.c
@@ -1327,7 +1327,7 @@ search_path(const char *pathlist, const char *file)
     D_OPTIONS(("search_path(\"%s\", \"%s\") called from \"%s\".\n", pathlist, file, name));
     if (len < PATH_MAX - 1) {
         strcat(name, "/");
-        strncat(name, file, PATH_MAX - len - 1);
+        strncat(name, file, PATH_MAX - len - 2);
     }
     D_OPTIONS(("Checking for file \"%s\"\n", name));
     if (!access(name, R_OK)) {
-- 
cgit v1.2.1