iDefense has sent us the attached draft advisory.
A 1st look at the code confirms the problem.
Patch is pretty straightforward. I'll write it and attach it there shortly.
Probably not a blocker for the release (but if other things are postponing it to after next week, it can probably make it).
Created attachment 11443 [details]
Created attachment 11450 [details] [review]
Both issues (this one and #12299) share CVE-2007-4568
Adding Guillem Jover, the xfstt maintainer.
Created attachment 11502 [details]
Simple way to build a request that will cause the integer overflow
tfs localhost:7100 hello
Created attachment 11585 [details] [review]
Jeremy Uejio from Sun discovered that the patch was incomplete. Attached an updated patch.
Created attachment 11596 [details] [review]
Patch updated again.
Hmm, I realized at some point that the condition is not the same in the else clause, but I forgot to re-generate the patch before uploading it.
(In reply to comment #3)
> Both issues (this one and #12299) share CVE-2007-4568
iDefense has allocated a new ID for this one: CVE-2007-4989
Fixed in commit 380fb68316f13012ff7cb2ac4addc2626fa2dad0