Fix CVE-3014-3478

debian/patches/CVE-2014-3478.patch

@@ -0,0 +1,39 @@
+Subject: Buffer overflow in the mconvert function allows remote attackers to cause a denial of service
+ID: CVE-2014-3478
+Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Jun 4 17:36:34 2014 +0000
+Origin:
+    commit 27a14bc7ba285a0a5ebfdb55e54001aa11932b08
+Debian-Author: Holger Levsen <holger@debian.org>
+Comment:
+ made apply cleanly based on [origin]
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
+
+    Correctly compute the truncated pascal string size (Francisco Alonso and
+    Jan Kaluza at RedHat)
+
+--- a/src/softmagic.c
++++ b/src/softmagic.c
+@@ -800,10 +800,18 @@
+ 		return 1;
+ 	}
+ 	case FILE_PSTRING: {
+-		char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
++		size_t sz = file_pstring_length_size(m);
++		char *ptr1 = p->s, *ptr2 = ptr1 + sz;
+ 		size_t len = file_pstring_get_length(m, ptr1);
+-		if (len >= sizeof(p->s))
+-			len = sizeof(p->s) - 1;
++		if (len >= sizeof(p->s)) {
++			/*
++			 * The size of the pascal string length (sz)
++			 * is 1, 2, or 4. We need at least 1 byte for NUL
++			 * termination, but we've already truncated the
++			 * string by p->s, so we need to deduct sz.
++			 */ 
++			len = sizeof(p->s) - sz;
++		}
+ 		while (len--)
+ 			*ptr1++ = *ptr2++;
+ 		*ptr1 = '\0';

debian/patches/series

@@ -8,3 +8,4 @@ DSA-2873-1-regression.patch
 CVE-2014-0207.patch
 CVE-2014-0237.patch
 CVE-2014-0238.patch
+CVE-2014-3478.patch