Hello list,

It seems libmms has fixed a buffer overflow in a recent 0.6.4 version
with the following commit.

http://sourceforge.net/p/libmms/code/ci/03bcfccc22919c72742b7338d02859962861e0e8

This may be triggered via an overly long line of an MMSH (MMS over
HTTP) server response, effectively overflowing the buffer which has a
static size (defined as BUF_SIZE, didn't check the actual numeric
value).

Please assign a CVE name for this, if there is none.

Kind regards,
Z.

src/mmsh.c
--- a/src/mmsh.c
+++ b/src/mmsh.c
@@ -310,7 +310,10 @@
len = 0;
}
} else {
- len ++;
+ if (++len >= sizeof(this->buf)) {
+ lprintf("answer too large\n");
+ return 0;
+ }
}
}
if (this->stream_type == MMSH_UNKNOWN) {
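
Review bot: the new bound in the else branch, `if (++len >= sizeof(this->buf))`, is only correct while `buf` is a fixed-size array member; if it is ever changed to a pointer, `sizeof` yields the pointer size and the check silently changes meaning. Comparing against the size constant (the report names BUF_SIZE) or adding a short comment stating that dependency would make this sturdier. The hunk also does not show the store into `this->buf` that this counter guards, so it is worth confirming that the write happens before the increment and that no later terminator write uses `len` as an index after it has reached the limit. Finally, `return 0;` should be checked against the callers to confirm they treat 0 as a failed response rather than an empty one, and the `lprintf` message could include the limit to help diagnose oversized server responses.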