File pcsc-lite-CVE-2010-4531.patch of Package pcsc-lite

------------------------------------------------------------------------
r5370 | rousseau | 2010-11-03 19:23:09 +0000 (Wed, 03 Nov 2010) | 6 lines

ATRDecodeAtr(): avoids a buffer overflow with badly formed ATR like
3B FF 11 22 33 F0 11 22 33 F0 11 22 33 F0 11 22 33 F0 11 22 33 F0 11 22
33 F0 11 22 33 00 11 22 33

Thanks to Rafael Dominguez Vega for the bug report

------------------------------------------------------------------------
Index: PCSC/src/atrhandler.c
===================================================================
--- PCSC/src/atrhandler.c	(revision 5369)
+++ PCSC/src/atrhandler.c	(revision 5370)
@@ -232,7 +232,7 @@
 	psExtension->ATR.HistoryLength = K;
 	memcpy(psExtension->ATR.HistoryValue, &pucAtr[p], K);
 
-	p = p + K;
+	p += K;
 
 	/*
 	 * Check to see if TCK character is included It will be included if
@@ -241,6 +241,9 @@
 	if (psExtension->CardCapabilities.AvailableProtocols & SCARD_PROTOCOL_T1)
 		TCK = pucAtr[p++];
 
+	if (p > MAX_ATR_SIZE)
+		return 0;	/** @retval 0 Maximum attribute size */
+
 	memcpy(psExtension->ATR.Value, pucAtr, p);
 	psExtension->ATR.Length = p;	/* modified from p-1 */
 
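Review bot: The added `p > MAX_ATR_SIZE` guard runs only after `TCK = pucAtr[p++]` and, in the previous hunk, after `memcpy(psExtension->ATR.HistoryValue, &pucAtr[p], K)`, so it bounds the final copy into `ATR.Value` but not those two earlier reads driven by the same attacker-influenced `p`. I would validate before the history copy, for example `if (p + K > MAX_ATR_SIZE) return 0;	/* history bytes would run past the ATR */`, and guard the TCK read the same way. The sizes of `pucAtr` and `HistoryValue` and any caller-supplied length are not visible in these hunks, so whether those reads can actually go out of bounds needs confirming against the full function; if a received-length argument exists, comparing against it rather than the constant would also reject ATRs that claim more bytes than the card sent. The function body starts and ends outside both hunks.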