[pkg-fgfs-crew] [simgear] 01/01: Correct an off-by-one bug in patch CVE-2012-2091.diff. Correct reference to closed bug in 2.10.0-2.

Markus Wanner markus_wanner-guest at alioth.debian.org
Sun Sep 8 08:21:53 UTC 2013


This is an automated email from the git hooks/post-receive script.

markus_wanner-guest pushed a commit to branch master
in repository simgear.

commit f8fa950c78a261b46567437cf8b96f76a7acda58
Author: Markus Wanner <markus at bluegap.ch>
Date:   Sun Sep 8 10:18:52 2013 +0200

    Correct an off-by-one bug in patch CVE-2012-2091.diff.
    Correct reference to closed bug in 2.10.0-2.
---
 debian/changelog                  |    8 +++++++-
 debian/patches/CVE-2012-2091.diff |   27 +++++++++++++++++----------
 2 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 1f4f155..8ae0386 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+simgear (2.10.0-3) UNRELEASED; urgency=low
+
+  * Correct an off-by-one bug in patch CVE-2012-2091.diff.
+
+ --
+
 simgear (2.10.0-2) unstable; urgency=low
 
   [ Scott Kitterman ]
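Review bot: The new 2.10.0-3 entry records only the off-by-one correction, while the same commit also changes the `closes:` number in the 2.10.0-2 entry below. Add a second bullet for that correction so the changelog itself explains why the text of the 2.10.0-2 entry changed.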
@@ -6,7 +12,7 @@ simgear (2.10.0-2) unstable; urgency=low
 
   [ Markus Wanner ]
   * Fix for CVE-2012-2090: prevent %n being passed to format
-    strings. Together with the above fix, this closes: #669025.
+    strings. Together with the above fix, this closes: #669024.
   * Update copyright file. Now in DEP-5 style.
 
  -- Markus Wanner <markus at bluegap.ch>  Sat, 07 Sep 2013 21:18:10 +0200
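Review bot: Changing `closes: #669025` to `#669024` inside the 2.10.0-2 entry, which is already marked `unstable`, will not close #669024 if that version has already been uploaded, because closures are taken from the changelog entries that go out with an upload. Put the `Closes: #669024` reference in the 2.10.0-3 entry or close the bug by hand with the fixed version, and check whether #669025 was closed in error by the earlier text.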
diff --git a/debian/patches/CVE-2012-2091.diff b/debian/patches/CVE-2012-2091.diff
index 6bfb60f..11a24cd 100644
--- a/debian/patches/CVE-2012-2091.diff
+++ b/debian/patches/CVE-2012-2091.diff
@@ -1,28 +1,35 @@
 Subject: Fix for CVE-2012-2091: add checks against buffer overruns
- CVE-2012-2091 mentions various buffer overruns in simgear and flightgear.
+ CVE-2012-2091 mentions various buffer overruns in simgear and
  flightgear. This patch addresses issues in SGSocketUDP::read() and
  SGSocketUDP::readline() - for simgear only, obviously.
 From: Rebecca Palmer, Saikrishna Arcot
 Origin: https://bugs.launchpad.net/ubuntu/+source/flightgear/+bug/1077624/+attachment/3806309/+files/simgear_CVE2012_2091.patch
-Last-Update: 2013-09-06
+Last-Update: 2013-09-07
 
 --- a/simgear/io/sg_socket_udp.cxx
 +++ b/simgear/io/sg_socket_udp.cxx
-@@ -104,8 +104,12 @@
+@@ -103,9 +103,13 @@
+ 	return 0;
      }
  
-     int result;
-+    if (length < 0) {
-+        length = 0;
++    if (length <= 0) {
++        return 0;
 +    }
-+    int maxsize = length < SG_IO_MAX_MSG_SIZE ? length : SG_IO_MAX_MSG_SIZE;
+     int result;
++    int maxsize = (length - 1) < SG_IO_MAX_MSG_SIZE ? (length - 1) : SG_IO_MAX_MSG_SIZE;
  
 -    if ( (result = sock.recv(buf, SG_IO_MAX_MSG_SIZE, 0)) >= 0 ) {
 +    if ( (result = sock.recv(buf, maxsize, 0)) >= 0 ) {
  	buf[result] = '\0';
  	// printf("msg received = %s\n", buf);
      }
-@@ -123,7 +127,8 @@
+@@ -120,10 +124,14 @@
+ 	return 0;
+     }
+ 
++    if (length <= 0) {
++        return 0;
++    }
      // cout << "sock = " << sock << endl;
  
      char *buf_ptr = save_buf + save_len;
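Review bot: In the read() change, `maxsize` is now `length - 1` so that `buf[result] = '\0'` stays inside the caller's buffer, but the code does not say so and the ternary spells out `(length - 1)` twice. Add a short comment that one byte is reserved for the terminator and compute `length - 1` once. The new `if (length <= 0) return 0;` guards in both functions also return the same value as the existing early `return 0;` just above them, so a caller cannot tell a bad length from that path; a log message at the guard would make the misuse visible.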
@@ -32,11 +39,11 @@ Last-Update: 2013-09-06
      // printf("msg received = %s\n", buf);
      save_len += result;
  
-@@ -142,6 +147,7 @@
+@@ -142,6 +150,7 @@
      // we found an end of line
  
      // copy to external buffer
-+    result = result < length ? result : length; //prevent buffer overflow
++    result = result < (length - 1) ? result : (length - 1); //prevent buffer overflow
      strncpy( buf, save_buf, result );
      buf[result] = '\0';
      // cout << "sg_socket line = " << buf << endl;
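Review bot: The clamp `result < (length - 1) ? result : (length - 1)` ahead of `strncpy` silently truncates any line longer than `length - 1` bytes, and the trailing comment only says "prevent buffer overflow". Say in the comment that one byte is kept for `buf[result] = '\0'`, and check that the code after this hunk, which is not shown here, deals with the bytes of the line that were not copied out of `save_buf`. The clamp would yield -1 for a `length` of 0, so it depends on the `length <= 0` guard added earlier in this patch staying in place.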

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/simgear.git


