CVE-2010-2642, CVE-2011-0433 and CVE-2011-5244 CVE-2010-2642: ============== Upstream-Bug: https://bugzilla.gnome.org/show_bug.cgi?id=643882 Upstream-Fix: https://git.gnome.org/browse/evince/commit/?id=efadec4ffcdde3373f6f4ca0eaac98dc963c4fd5 CVE-2011-0433: ============== Upstream-Bug: https://bugzilla.gnome.org/show_bug.cgi?id=640923 Upstream-Fix: https://git.gnome.org/browse/evince/commit/?id=439c5070022eab6cef7266aab47f978058012c72 CVE-2011-5244: ============== Upstream-Bug: https://bugzilla.gnome.org/show_bug.cgi?id=643882 Upstream-Fix: https://git.gnome.org/browse/evince/commit/?id=efadec4ffcdde3373f6f4ca0eaac98dc963c4fd5 Origin: https://bugs.debian.org/652996
diff --git a/lib/t1lib/parseAFM.c b/lib/t1lib/parseAFM.c
index 6a31d7f..ba64541 100644
--- a/lib/t1lib/parseAFM.c
+++ b/lib/t1lib/parseAFM.c
@@ -199,7 +199,9 @@ static char *token(stream)
 idx = 0;
 while (ch != EOF && ch != ' ' && ch != CR && ch != LF &&
- ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';'){
+ ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';'
+ && idx < (MAX_NAME -1))
+ {
 ident[idx++] = ch;
 ch = fgetc(stream);
 } /* while */
@@ -235,7 +237,7 @@ static char *linetoken(stream)
 while ((ch = fgetc(stream)) == ' ' || ch == '\t' );
 idx = 0;
- while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z)
+ while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z && idx < (MAX_NAME - 1))
 {
 ident[idx++] = ch;
 ch = fgetc(stream);
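Review bot: The new `idx < (MAX_NAME -1)` bound in token() stops the copy but leaves the rest of an over-long token unread, so the name is silently truncated and the next call would presumably return its tail as a separate token. The same applies to the linetoken() hunk. Consider draining to the next delimiter once the bound is hit — in linetoken(), `while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z) ch = fgetc(stream);` after the copy loop, with the matching delimiter set in token() — or reporting a parse error so a malformed AFM file is rejected rather than mis-parsed. Both function bodies continue outside the hunks, so how the post-loop code uses `ch` should be checked before adopting either option.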
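Review bot: Nothing near the added `idx < (MAX_NAME - 1)` in linetoken() says why the limit is one below MAX_NAME, and the allocation of `ident` is outside the hunk, so the bound is safe only if that buffer really holds MAX_NAME bytes. A comment above the loop such as `/* ident holds MAX_NAME bytes; keep the last one for the terminating NUL */` would tie the two together, assuming it matches the allocation. The spacing also differs from the token() hunk, which writes `(MAX_NAME -1)`.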