#! /bin/sh /usr/share/dpatch/dpatch-run
## 10_doprnt_use_malloc.dpatch by OHURA Makoto <ohura@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix Bug #457764.
## DP: Use malloc(3) instead of alloca(3).
## DP: Using alloca(3) causes a stack buffer overflow when specifying
## DP: a large precision value to a format function. (CVE-2007-6109)

@DPATCH@
diff -urNad xemacs21-21.4.21~/src/doprnt.c xemacs21-21.4.21/src/doprnt.c
--- xemacs21-21.4.21~/src/doprnt.c	2008-07-25 22:41:12.000000000 +0900
+++ xemacs21-21.4.21/src/doprnt.c	2008-07-25 22:41:31.000000000 +0900
@@ -596,11 +596,11 @@
 	      /* ASCII Decimal representation uses 2.4 times as many
 		 bits as machine binary.  */
 	      char *text_to_print =
-		alloca_array (char, 32 +
+		      xmalloc (sizeof(char)*(32 +
 			      max (spec->minwidth,
 				   (EMACS_INT)
 				    max (sizeof (double), sizeof (long)) * 3 +
-				   max (spec->precision, 0)));
+				   max (spec->precision, 0))));
 	      char constructed_spec[100];
 	      char *p = constructed_spec;
 
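Review bot: The size passed to `xmalloc` is still computed in signed `EMACS_INT` arithmetic, so a `spec->precision` or `spec->minwidth` near the type's maximum can overflow in `... * 3 + max (spec->precision, 0)` or in the `32 +` addition before the value becomes an allocation size. Moving the buffer to the heap removes the stack exhaustion, but a wrapped size would leave the buffer smaller than what the later formatting step writes into it. Whether the format parser already bounds these fields is not visible in this hunk. A range check ahead of the allocation, for example `if (spec->precision > PRECISION_LIMIT) /* placeholder limit: reject via the file's usual error path */`, would close that gap, and `sizeof(char)` is 1 by definition and can be dropped. The enclosing function begins and ends outside the hunk.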
@@ -642,6 +642,7 @@
 
 	      doprnt_1 (stream, (Bufbyte *) text_to_print,
 			strlen (text_to_print), 0, -1, 0, 0);
+	      xfree (text_to_print);
 	    }
 	}
     }
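Review bot: The added `xfree (text_to_print)` runs only on the straight-line path after `doprnt_1`, so any non-local exit between the `xmalloc` and this line would leak the buffer that `alloca` used to release automatically. One such exit would be an error signalled while writing to `stream`. The code between the two hunks is not visible here, so it is worth confirming that nothing in it can signal or leave the block early. If it can, registering the buffer with `record_unwind_protect` and releasing it through `unbind_to` would keep the cleanup on every path. A comment at the allocation such as `/* heap, not alloca: precision is caller-controlled and can exceed the stack */` would also record why the change was made.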
