diff -Naurp libmikmod-3.1.11/loaders/load_it.c libmikmod-3.1.11.oden/loaders/load_it.c
--- libmikmod-3.1.11/loaders/load_it.c 2010-08-12 12:34:21.000000000 -0400
+++ libmikmod-3.1.11.oden/loaders/load_it.c 2010-08-12 12:34:34.000000000 -0400
@@ -743,6 +743,8 @@ BOOL IT_Load(BOOL curious)
 #define IT_LoadEnvelope(name,type) \
 ih. name##flg =_mm_read_UBYTE(modreader); \
 ih. name##pts =_mm_read_UBYTE(modreader); \
+ if (ih. name##pts > ITENVCNT) \
+ ih. name##pts = ITENVCNT; \
 ih. name##beg =_mm_read_UBYTE(modreader); \
 ih. name##end =_mm_read_UBYTE(modreader); \
 ih. name##susbeg=_mm_read_UBYTE(modreader); \
@@ -756,6 +758,8 @@ BOOL IT_Load(BOOL curious)
 #define IT_LoadEnvelope(name,type) \
 ih. name/**/flg =_mm_read_UBYTE(modreader); \
 ih. name/**/pts =_mm_read_UBYTE(modreader); \
+ if (ih. name/**/pts > ITENVCNT) \
+ ih. name/**/pts = ITENVCNT; \
 ih. name/**/beg =_mm_read_UBYTE(modreader); \
 ih. name/**/end =_mm_read_UBYTE(modreader); \
 ih. name/**/susbeg=_mm_read_UBYTE(modreader); \
@@ -862,10 +866,6 @@ BOOL IT_Load(BOOL curious)
 #endif
 IT_ProcessEnvelope(vol);
- /* fix for CVE-2009-3995 - snatched from SuSe's fix -- AW */
- if (ih.volpts>= ENVPOINTS)
- ih.volpts = ENVPOINTS-1;
-
 for(u=0;u<ih.volpts;u++)
 d->volenv[u].val=(ih.volnode[u]<<2);
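Review bot: The clamp added after the `pts` read caps the count at `ITENVCNT`, but the third hunk drops the later `ENVPOINTS-1` clamp on `ih.volpts`, so the `d->volenv[u]` write loop is now in bounds only if `ITENVCNT` does not exceed the length of `volenv`; neither size is visible in this diff. A compile-time check next to the macro would pin that assumption, for example `typedef char it_envcnt_fits[(ITENVCNT <= ENVPOINTS) ? 1 : -1];`, assuming `ENVPOINTS` is the `volenv` length. The `beg`, `end` and `susbeg` bytes read right after the clamp are still taken from the file unvalidated; if they are later used as envelope indices, they should be checked against the clamped `pts` as well. The same points apply to the `name/**/pts` variant in the second hunk, and the macro body continues outside both hunks.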