File bnc619562_CVE-2010-2541.diff of Package freetype2
from https://bugzilla.redhat.com/show_bug.cgi?id=617342
* src/ftmulti.c (main): Limit axis name length in `Header'.
Josh Bressers (Security Response Team) 2010-07-22 15:35:32 EDT
---
--- a/src/ftmulti.c
+++ a/src/ftmulti.c
@@ -813,13 +813,13 @@
for ( n = 0; n < (int)multimaster->num_axis; n++ )
{
- char temp[32];
+ char temp[100];
- sprintf( temp, " %s:%g",
+ sprintf( temp, " %.50s:%g",
multimaster->axis[n].name,
- design_pos[n]/65536. );
- strcat( Header, temp );
+ design_pos[n] / 65536.0 );
+ strncat( Header, temp, sizeof( Header ) - strlen( Header ) - 1 );
}
}
grWriteCellString( &bit, 0, 16, Header, fore_color );
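Review bot: The `sprintf` into `temp` is still an unbounded call; it stays inside the 100-byte buffer only because `%.50s` caps the name and `%g` output is short, so a later change to the format string or the buffer size could silently bring the overflow back. Prefer `snprintf( temp, sizeof ( temp ), " %.50s:%g", multimaster->axis[n].name, design_pos[n] / 65536.0 );` so the limit is enforced by the call rather than worked out by hand. The `strncat` bound `sizeof( Header ) - strlen( Header ) - 1` is right only if `Header` is a real array here and already holds a terminated string shorter than its size; its declaration and the earlier writes to it are outside the hunk, so this should be confirmed (with a pointer, `sizeof` would give the pointer size, and an over-full buffer would make the unsigned subtraction wrap). A short comment above the loop, such as `/* axis names presumably come from the loaded font; keep every copy bounded */`, would record why the limits exist.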