author: Michael Jennings <mej@kainx.org> 2011-05-15 21:24:19 +0000
committer: Michael Jennings <mej@kainx.org> 2011-05-15 21:24:19 +0000
commit: 21375413faf3918f9697aab137d535311216338c (patch)
tree: 1f44395abe7ec3e9265e8215a8d3380f25667024 /src
parent: e096c4df0f63fbef9833a8ede248d30ea36650e8 (diff)
Tue Mar 15 23:08:26 2011 Michael Jennings (mej)
Fix for CVE-2011-0768, an off-by-one error in handling large pixmap filenames which resulted in an overflow of a single NUL character if the filename exceeded PATH_MAX bytes. This bug is NOT exploitable. Again, thanks to Jonathan Brossard and the team at Toucan System for responsibly disclosing this vulnerability and to CERT for assisting with coordination and disclosure.
----------------------------------------------------------------------
SVN revision: 59414
Diffstat (limited to 'src')
-rw-r--r-- src/pixmap.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/pixmap.c b/src/pixmap.c
index a9e45ad..b544ad0 100644
--- a/src/pixmap.c
+++ b/src/pixmap.c
@@ -1327,7 +1327,7 @@ search_path(const char *pathlist, const char *file)
D_OPTIONS(("search_path(\"%s\", \"%s\") called from \"%s\".\n", pathlist, file, name));
if (len < PATH_MAX - 1) {
strcat(name, "/");
- strncat(name, file, PATH_MAX - len - 1);
+ strncat(name, file, PATH_MAX - len - 2);
}
D_OPTIONS(("Checking for file \"%s\"\n", name));
if (!access(name, R_OK)) {
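Review bot: the `- 2` in the changed `strncat(name, file, PATH_MAX - len - 2)` line is only correct because of the `strcat(name, "/")` directly above it, and nothing in the code records that. A one-line comment saying the bound reserves one byte for the "/" and one for the terminating NUL (strncat appends up to n bytes and then writes a NUL) would keep a later edit from reintroducing the off-by-one. The call also still truncates silently, so an over-long `file` reaches `access(name, R_OK)` as a shortened, different path; consider comparing `strlen(file)` against the remaining space and skipping the lookup when it does not fit, or building the suffix with `snprintf(name + len, PATH_MAX - len, "/%s", file)` and checking the return value. All of this assumes `name` is PATH_MAX bytes, which the commit message implies but the hunk does not show.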