Fix CVE-2016-10165, an out-of-bounds heap read in Type_MLU_Read(): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10165 http://seclists.org/oss-sec/2016/q3/288 https://bugzilla.redhat.com/show_bug.cgi?id=1367357 https://security-tracker.debian.org/tracker/CVE-2016-10165 Patch copied from upstream source repository: https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2 From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001 From: Marti Date: Mon, 15 Aug 2016 23:31:39 +0200 Subject: [PATCH] Added an extra check to MLU bounds Thanks to Ibrahim el-sayed for spotting the bug --- src/cmstypes.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/cmstypes.c b/src/cmstypes.c index cb61860..c7328b9 100644 --- a/src/cmstypes.c +++ b/src/cmstypes.c @@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU // Check for overflow if (Offset < (SizeOfHeader + 8)) goto Error; + if ((Offset + Len) > SizeOfTag + 8) goto Error; // True begin of the string BeginOfThisString = Offset - SizeOfHeader - 8; -- 2.11.0 ref='/guix/log/gnu/tests/security-token.scm'>logtreecommitdiff
path: root/gnu/tests/security-token.scm
AgeCommit message (Expand)Author
2023-05-06tests: Add missing module imports for marionette-evaluated code....Ludovic Courtès
2021-09-26tests: Reduce boilerplate for users of 'system-test-runner'....Ludovic Courtès
2021-09-25tests: Adjust to SRFI-64 as found in Guile 3.0.7....Ludovic Courtès