diff -urN ../mcrypt-2.6.8.orig/src/classic.c ./src/classic.c
--- ../mcrypt-2.6.8.orig/src/classic.c 2012-09-11 16:27:08.578599127 +0400
+++ ./src/classic.c 2012-09-11 16:29:21.930588697 +0400
@@ -507,6 +507,7 @@
 if (bare_flag == FALSE) {
+ salt_size = sizeof(local_salt);
 if (check_file_head (FROMF, local_algorithm, local_mode, local_keymode, &keysize, local_salt, &salt_size) != 0) {
diff -urN ../mcrypt-2.6.8.orig/src/extra.c ./src/extra.c
--- ../mcrypt-2.6.8.orig/src/extra.c 2012-09-11 16:27:08.579591655 +0400
+++ ./src/extra.c 2012-09-11 16:28:46.553591623 +0400
@@ -172,6 +172,7 @@
 char buf[3];
 char tmp_buf[101];
 short int keylen;
+ int max_salt_size = *salt_size;
 unsigned char flags;
 unsigned char sflag;
@@ -242,6 +243,9 @@
 if (m_getbit(0, sflag) != 0) { /* if the first bit is set */
 *salt_size = m_setbit(0, sflag, 0);
 if (*salt_size > 0) {
+ if (*salt_size > sizeof(tmp_buf) || *salt_size > max_salt_size) err_quit(_("Salt is too long\n"));
 fread(tmp_buf, 1, *salt_size, fstream);
 memmove(salt, tmp_buf, *salt_size);
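Review bot: The new `salt_size = sizeof(local_salt);` turns `salt_size` into an in/out parameter whose entry value is the bound check_file_head() enforces, but nothing in the hunk states that contract, and if `local_salt` is declared as a pointer rather than an array (its declaration is outside the hunk) `sizeof` yields the pointer size, not the buffer capacity, so that should be confirmed. I would put a comment above the assignment: `/* in: capacity of local_salt; out: number of salt bytes read. check_file_head() rejects a header whose salt exceeds the capacity. */`. Any other caller of check_file_head() that leaves `*salt_size` uninitialised gets an indeterminate bound, so the same contract belongs in the function's header comment in extra.c. The enclosing function starts and ends outside the hunk.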
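Review bot: The added length check stops the overflow of `tmp_buf` and of the caller's salt buffer, but the `fread()` on the following line is still unchecked, so a header truncated inside the salt leaves part of `tmp_buf` as uninitialised stack bytes that `memmove` copies into `salt` and decryption proceeds with garbage instead of an error. I would change the read to `if (fread(tmp_buf, 1, *salt_size, fstream) != (size_t) *salt_size) err_quit(_("Could not read salt\n"));`. `*salt_size > sizeof(tmp_buf)` compares an `int` with a `size_t`; since `sflag` is an `unsigned char` the value m_setbit() yields is presumably non-negative, but writing it as `(size_t) *salt_size > sizeof(tmp_buf)` records that and avoids the sign-compare warning. The check also relies on `max_salt_size`, captured from `*salt_size` at entry, being the capacity of `salt`, which only the classic.c call site in this patch sets, so that in/out contract should be stated in check_file_head()'s header comment. The enclosing function starts and ends outside the hunk.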