#! /bin/sh /usr/share/dpatch/dpatch-run ## CVE-2009-3995f.dpatch by ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Patch for CVE-2009-3995 and CVE-2009-3996 @DPATCH@ diff -Ndurp libmikmod-3.1.11/loaders/load_it.c libmikmod-3.1.11-fixed/loaders/load_it.c --- libmikmod-3.1.11/loaders/load_it.c 2010-05-31 14:10:34.000000000 +0200 +++ libmikmod-3.1.11-fixed/loaders/load_it.c 2010-05-31 14:10:10.000000000 +0200 @@ -862,6 +862,10 @@ BOOL IT_Load(BOOL curious) #endif IT_ProcessEnvelope(vol); + /* fix for CVE-2009-3995 - snatched from SuSe's fix -- AW */ + if (ih.volpts>= ENVPOINTS) + ih.volpts = ENVPOINTS-1; + for(u=0;uvolenv[u].val=(ih.volnode[u]<<2); diff -Ndurp libmikmod-3.1.11/loaders/load_ult.c libmikmod-3.1.11-fixed/loaders/load_ult.c --- libmikmod-3.1.11/loaders/load_ult.c 2010-05-31 14:10:34.000000000 +0200 +++ libmikmod-3.1.11-fixed/loaders/load_ult.c 2010-05-31 14:10:10.000000000 +0200 @@ -224,6 +224,9 @@ BOOL ULT_Load(BOOL curious) for(u=0;u=UF_MAXCHAN) + of.numchn=UF_MAXCHAN - 1; /* read pan position table for v1.5 and higher */ if(mh.id[14]>='3') {
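Review bot: The clamp on `ih.volpts` is placed after `IT_ProcessEnvelope(vol);`, so whatever that call does with the point count (its definition is outside this hunk) still runs on the unclamped value read from the file. The bound belongs above the call, ideally right where the count is read: `if (ih.volpts >= ENVPOINTS) ih.volpts = ENVPOINTS-1;` followed by `IT_ProcessEnvelope(vol);`. Only the volume envelope is bounded here; if the other envelopes in IT_Load are loaded the same way, they need the same check. Clamping to `ENVPOINTS-1` also looks one lower than necessary if the destination array holds ENVPOINTS entries, which should be confirmed against its declaration. IT_Load continues outside the hunk, and the loop line after the clamp is damaged on this page.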
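Review bot: Silently lowering `of.numchn` to `UF_MAXCHAN - 1` lets a file with an out-of-range channel count keep loading. The data that follows was presumably laid out for the original count, so later reads may be misaligned even though the array bound now holds. Rejecting the file is safer than repairing it, using the same comparison as the patch: `if(of.numchn>=UF_MAXCHAN) { _mm_errno=MMERR_LOADING_HEADER; return 0; }`, assuming the loader's usual failure path frees what ULT_Load has allocated by that point. If the clamp stays, it should carry a comment naming the CVE it addresses, as the load_it.c hunk does. The condition and the loop before it are damaged on this page and ULT_Load continues outside the hunk, so the placement should be checked against the original patch.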