File 0004-CVE-2012-4562-Fix-possible-string-related-integer-ov.patch of Package libssh.openSUSE_12.1_Update
From ba42ece534e50bb35b25a0d7bf4341500e728ba8 Mon Sep 17 00:00:00 2001
From: Xi Wang <xi.wang@gmail.com>
Date: Fri, 25 Nov 2011 23:02:57 -0500
Subject: [PATCH 04/11] CVE-2012-4562: Fix possible string related integer
overflows.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 743ace04331aa3e15fed4c972a884a2d2d3cab47)
---
src/string.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/src/string.c b/src/string.c
index 6be7c2a..f43c826 100644
--- a/src/string.c
+++ b/src/string.c
@@ -22,6 +22,7 @@
*/
#include <errno.h>
+#include <limits.h>
#include <stdlib.h>
#include <string.h>
@@ -51,7 +52,11 @@
struct ssh_string_struct *ssh_string_new(size_t size) {
struct ssh_string_struct *str = NULL;
- str = malloc(size + 4);
+ if (size > UINT_MAX - sizeof(struct ssh_string_struct)) {
+ return NULL;
+ }
+
+ str = malloc(sizeof(struct ssh_string_struct) + size);
if (str == NULL) {
return NULL;
}
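Review bot: The new guard in ssh_string_new bounds `size` by `UINT_MAX` rather than by the maximum of `size_t`, and no comment says which limit is intended. Any `size` that passes keeps `sizeof(struct ssh_string_struct) + size` within `UINT_MAX`, so the addition on the malloc line cannot wrap; with a 64-bit `size_t` the check is in effect a cap at the 32-bit range. If that cap is meant to match the 32-bit length field (presumably, since the old ssh_string_to_char read it with `ntohl`; the struct definition is not in this patch), a comment should say so: `/* size must fit the 32-bit length field; also keeps the allocation size from wrapping */`. The switch from `size + 4` to `sizeof(struct ssh_string_struct) + size` makes the allocation depend on how the struct's payload member is declared, which is worth confirming against the header. The function body continues past the end of the hunk.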
@@ -141,16 +146,22 @@ size_t ssh_string_len(struct ssh_string_struct *s) {
char *ssh_string_to_char(struct ssh_string_struct *s) {
size_t len;
char *new;
- if(s==NULL || s->string == NULL)
- return NULL;
- len = ntohl(s->size) + 1;
- new = malloc(len);
+ if (s == NULL || s->string == NULL) {
+ return NULL;
+ }
+ len = ssh_string_len(s);
+ if (len + 1 < len) {
+ return NULL;
+ }
+
+ new = malloc(len + 1);
if (new == NULL) {
return NULL;
}
- memcpy(new, s->string, len - 1);
- new[len - 1] = '\0';
+ memcpy(new, s->string, len);
+ new[len] = '\0';
+
return new;
}
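Review bot: ssh_string_to_char now copies exactly `len` bytes and appends a terminator, so a payload containing a zero byte yields a C string that `strlen` reports as shorter than `ssh_string_len(s)`, and nothing tells callers this. A header comment should state that the result is a freshly malloc'd buffer of `len + 1` bytes owned by the caller, and that NULL is returned for a NULL input, an allocation failure or a length that would wrap. It should also state that code validating or comparing names must check the result against ssh_string_len for interior NULs. The wrap test `if (len + 1 < len)` relies on unsigned arithmetic and would be clearer with a short comment such as `/* len + 1 would wrap to 0 */`.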
--
1.7.10.4