--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/open-src/lib/libFS/CVE-2013-1996.patch Wed May 15 13:44:02 2013 -0700
@@ -0,0 +1,56 @@
+From 26dc23446c2e7818fdebfb46e101bac4883df07e Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Sun, 14 Apr 2013 09:07:32 -0700
+Subject: [PATCH:libFS] Sign extension issue and integer overflow in
+ FSOpenServer() [CVE-2013-1996]
+
+> altlen = (int) *ad++; <-- if char is 0xff, will sign extend to int (0xffffffff == -1)
+> alts[i].name = (char *) FSmalloc(altlen + 1); <-- -1 + 1 == 0
+> ...
+> memmove(alts[i].name, ad, altlen); <-- memory corruption
+
+Reported-by: Ilja Van Sprundel <[email protected]>
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+ src/FSOpenServ.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/FSOpenServ.c b/src/FSOpenServ.c
+index 32f7d25..58c611b 100644
+--- a/src/FSOpenServ.c
++++ b/src/FSOpenServ.c
+@@ -111,10 +111,10 @@ FSOpenServer(const char *server)
+ char *setup = NULL;
+ fsConnSetupAccept conn;
+ char *auth_data = NULL;
+- char *alt_data = NULL,
++ unsigned char *alt_data = NULL,
+ *ad;
+ AlternateServer *alts = NULL;
+- int altlen;
++ unsigned int altlen;
+ char *vendor_string;
+ unsigned long setuplength;
+
+@@ -158,8 +158,8 @@ FSOpenServer(const char *server)
+
+ setuplength = prefix.alternate_len << 2;
+ if (setuplength > (SIZE_MAX>>2)
+- || (alt_data = (char *)
+- (setup = FSmalloc((unsigned) setuplength))) == NULL) {
++ || (alt_data = (unsigned char *)
++ (setup = FSmalloc(setuplength))) == NULL) {
+ goto fail;
+ }
+ _FSRead(svr, (char *) alt_data, setuplength);
+@@ -178,8 +178,8 @@ FSOpenServer(const char *server)
+ }
+ for (i = 0; i < prefix.num_alternates; i++) {
+ alts[i].subset = (Bool) *ad++;
+- altlen = (int) *ad++;
+- alts[i].name = (char *) FSmalloc(altlen + 1);
++ altlen = (unsigned int) *ad++;
++ alts[i].name = FSmalloc(altlen + 1);
+ if (!alts[i].name) {
+ while (--i) {
+ FSfree((char *) alts[i].name);
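Review bot: The cleanup loop left as context at the end of the last inner hunk, `while (--i) { FSfree((char *) alts[i].name); }`, is still wrong after this fix. When the first name allocation fails (`i == 0`), the pre-decrement makes the condition non-zero and the loop indexes outside `alts`; for any larger `i` it stops before freeing `alts[0].name`. `while (i-- > 0)` frees exactly the entries already allocated and is correct whether `i` is signed or unsigned (its declaration is outside the hunk). Separately, `altlen` is now bounded to 0–255, but nothing visible here checks `ad + altlen` against `alt_data + setuplength` before the copy quoted in the commit message, so an inconsistent `num_alternates` or length byte could presumably still read past the setup buffer; a bound check per iteration looks worth adding. FSOpenServer starts and ends outside these hunks, so the rest of the loop body and the `fail` path are not visible.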