Package: ffproxy
Version: 1.6-10
Severity: normal

ffproxy uses bounds checks along the lines of 'i < sizeof(r->header) - 1'
in several places to bounds-check the array index variable 'i', but
r->header is an array of char* variables, so this is incorrect.

The result is that if the remote side (or the local side, probably?)
provides too many headers, then the stack is overwritten with heap
pointers to the headers in question (since 'r' is on the stack).

The trivial fix would be to replace the 6 uses of sizeof(r->header)
with 32, which is the size of the r->header array (see req.h).

- Alyssa
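
The bound described in the report, as an added example that is not ffproxy's code or part of the original message: struct req_sketch, ARRAY_LEN and the function names are hypothetical, only the 32-entry char* array comes from the report, and the NULL terminator written in the slot left by '- 1' is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

#define HEADER_SLOTS 32              /* array size stated in the report */

/* Hypothetical stand-in for the request struct; only the array matters. */
struct req_sketch {
    char *header[HEADER_SLOTS];
};

/* Element count of a true array (not valid on a pointer). */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Bound used by the reported check 'i < sizeof(r->header) - 1'. */
size_t buggy_limit(const struct req_sketch *r)
{
    return sizeof(r->header) - 1;    /* size in bytes, not in elements */
}

/* Same check counted in elements; equals 32 - 1 for this array. */
size_t fixed_limit(const struct req_sketch *r)
{
    return ARRAY_LEN(r->header) - 1;
}

/* Store at most fixed_limit() header pointers and drop the rest.
   Returns the number stored. Assumption: '- 1' reserves a NULL slot. */
size_t store_headers(struct req_sketch *r, char **lines, size_t n)
{
    size_t i = 0;
    while (i < n && i < fixed_limit(r)) {
        r->header[i] = lines[i];
        i++;
    }
    r->header[i] = NULL;
    return i;
}

int main(void)
{
    static char line[] = "X-Constructed: 1";   /* constructed sample header */
    char *lines[100];
    struct req_sketch r;
    for (size_t k = 0; k < 100; k++)
        lines[k] = line;
    printf("buggy limit %zu, fixed limit %zu, stored %zu of 100\n",
           buggy_limit(&r), fixed_limit(&r), store_headers(&r, lines, 100));
    return 0;
}
```

On a platform with 8-byte pointers the byte-based bound is 255, so the original check admits indexes far beyond the 32 slots that exist.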

