#9 Incorrect fix for SA37775 / CVE-2009-3995

Milestone: next release
Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2013-10-11
Created: 2010-07-22
Creator: Tomas Hoger
Private: No

Following commit:
http://mikmod.cvs.sourceforge.net/viewvc/mikmod/libmikmod/loaders/load_it.c?r1=1.3&r2=1.4

attempts to address IT issues reported by Secunia:
http://secunia.com/secunia_research/2009-55/
http://secunia.com/advisories/37775

However, that patch seems to be incomplete / incorrect for a couple of reasons:
- only volpts is checked, while similar problems affect panpts and pitpts
- check is done after calling IT_ProcessEnvelope, which already modifies name##env using name##pts as an upper bound, so an overflow may happen before the check is reached
- info to name##env is read from name##tick and name##node, which only has ITENVCNT (25) items, so using sizeof(name##env) == ENVPOINTS (32) can still lead to array over-read

A fix similar to this can probably be used instead:
https://bugzilla.redhat.com/show_bug.cgi?id=614643#c11
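The three problems listed in the report share one shape: a node count taken from the file is used as a loop bound before it is checked, and when it is checked, it is compared against the wrong array size. The following is an added illustration of that shape and of the ordering the report asks for; it is not libmikmod's code and not the patch under discussion. The constants ITENVCNT (25) and ENVPOINTS (32) are the ones quoted in the report; the structures, function names and sample input are hypothetical stand-ins.

```c
#include <stdint.h>

/* Sizes named in the report. The IT loader reads at most ITENVCNT
   nodes per envelope from the file; the in-memory envelope those nodes
   are expanded into has ENVPOINTS slots. */
#define ITENVCNT  25
#define ENVPOINTS 32

/* Hypothetical stand-ins for the loader's structures (not libmikmod's
   real types). One of each exists per envelope: vol, pan and pit. */
typedef struct {
    uint8_t  pts;             /* node count taken from the file */
    uint8_t  node[ITENVCNT];  /* node values taken from the file */
    uint16_t tick[ITENVCNT];  /* node ticks taken from the file */
} it_env_in;

typedef struct { int16_t pos; int16_t val; } env_pt;

typedef struct {
    uint8_t pts;
    env_pt  env[ENVPOINTS];
} env_out;

/* Model of the check the report criticises: pts is compared against the
   destination size ENVPOINTS, so counts 26..32 are accepted although the
   source node/tick arrays hold only ITENVCNT entries. 1 = accepted. */
int check_as_patched(unsigned pts)
{
    return pts <= ENVPOINTS;
}

/* The check the report asks for: pts must fit both the source arrays
   (ITENVCNT) and the destination (ENVPOINTS). Taking the minimum keeps
   the check right if either constant changes. 1 = accepted. */
int check_correct(unsigned pts)
{
    unsigned limit = ITENVCNT < ENVPOINTS ? ITENVCNT : ENVPOINTS;
    return pts <= limit;
}

/* Expands file nodes into the in-memory envelope using pts as the loop
   bound, the pattern the report describes. It is only safe because the
   caller validates pts first; never call it on unvalidated input. */
void process_envelope(const it_env_in *in, env_out *out)
{
    unsigned i;
    out->pts = in->pts;
    for (i = 0; i < in->pts; i++) {
        out->env[i].pos = (int16_t)in->tick[i];
        out->env[i].val = (int16_t)in->node[i];
    }
}

/* Validates all three envelopes BEFORE any of them is expanded, so an
   oversized count in any one of them is rejected while the outputs are
   still untouched. Returns 0 on success, or -1/-2/-3 naming the
   offending envelope (vol/pan/pit). */
int load_envelopes(const it_env_in *vol, const it_env_in *pan,
                   const it_env_in *pit,
                   env_out *ovol, env_out *opan, env_out *opit)
{
    if (!check_correct(vol->pts)) return -1;
    if (!check_correct(pan->pts)) return -2;
    if (!check_correct(pit->pts)) return -3;
    process_envelope(vol, ovol);
    process_envelope(pan, opan);
    process_envelope(pit, opit);
    return 0;
}

/* Constructed scenario (not a real module): the pan envelope claims 30
   nodes. check_as_patched() would accept it and the expansion loop
   would then read node[25..29] and tick[25..29] past the end of the
   25-entry arrays. Returns the loader's result code. */
int scenario_oversized_pan(void)
{
    it_env_in vol = {0}, pan = {0}, pit = {0};
    env_out ovol = {0}, opan = {0}, opit = {0};
    vol.pts = 3;
    pan.pts = 30;
    return load_envelopes(&vol, &pan, &pit, &ovol, &opan, &opit);
}

/* Constructed scenario: every count is within ITENVCNT. Returns the
   expanded vol node count on success, or the negative error code. */
int scenario_valid(void)
{
    it_env_in vol = {0}, pan = {0}, pit = {0};
    env_out ovol = {0}, opan = {0}, opit = {0};
    int rc;
    vol.pts = 3;  vol.tick[2] = 64;  vol.node[2] = 40;
    pan.pts = ITENVCNT;
    rc = load_envelopes(&vol, &pan, &pit, &ovol, &opan, &opit);
    if (rc != 0) return rc;
    return (ovol.env[2].pos == 64 && ovol.env[2].val == 40) ? ovol.pts : -99;
}
```

The point to take from the two scenario functions is the order of operations: the count is validated for vol, pan and pit against the size of the arrays actually being read from, and only then is any envelope expanded, so no read past ITENVCNT can occur before the check is reached.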

Discussion

Ozkan Sezer - 2013-09-28
  • status: open --> closed
  • Group: --> v1.0 (example)

Ozkan Sezer - 2013-09-28

  Fixed in the mercurial repo.
