diff -U0 xmp-3.5.0/docs/ChangeLog.cve-2013-1980 xmp-3.5.0/docs/ChangeLog
--- xmp-3.5.0/docs/ChangeLog.cve-2013-1980 2012-01-27 17:40:58.000000000 +0100
+++ xmp-3.5.0/docs/ChangeLog 2013-04-28 13:05:05.559593911 +0200
@@ -26,0 +27 @@
+ - fix buffer overflow in MASI loader (reported by Douglas Carmichael)
diff -up xmp-3.5.0/src/loaders/masi_load.c.cve-2013-1980 xmp-3.5.0/src/loaders/masi_load.c
--- xmp-3.5.0/src/loaders/masi_load.c.cve-2013-1980 2012-01-21 13:35:14.000000000 +0100
+++ xmp-3.5.0/src/loaders/masi_load.c 2013-04-28 13:04:15.398503982 +0200
@@ -144,9 +144,9 @@ static void get_dsmp(struct xmp_context
 i = cur_ins;
 m->xxi[i] = calloc(sizeof(struct xxm_instrument), 1);
- fread(&m->xxih[i].name, 1, 34, f);
+ fread(&m->xxih[i].name, 1, 31, f);
 str_adj((char *)m->xxih[i].name);
- fseek(f, 5, SEEK_CUR);
+ fseek(f, 8, SEEK_CUR);
 read8(f); /* insno */
 read8(f);
 m->xxs[i].len = read32l(f);
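Review bot: The new length in `fread(&m->xxih[i].name, 1, 31, f)` is still a bare literal with nothing tying it to the size of `name`, which is the same kind of mismatch that let the old 34-byte read overflow. If `name` is an array (its declaration is not visible here), `fread(m->xxih[i].name, 1, sizeof(m->xxih[i].name) - 1, f);` would keep the bound correct should the field ever change, with the `fseek` skipping whatever remains of the 39 bytes the two calls consume. The `fread` result is also ignored, so on a truncated file `str_adj()` runs on a partially filled buffer whose NUL termination depends on initialization outside this hunk; a short-read check before `str_adj` would close that. A comment such as `/* 39 bytes on disk: read 31 into name, skip 8 */` would record why the two constants move together. `get_dsmp` begins and ends outside the hunk.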