Contents of /app-office/calligra/files/calligra-2.4.3-security-fix-buffer-overflow.patch

Revision 1.1
Sat Aug 4 16:17:34 2012 UTC (9 months, 2 weeks ago) by johu
Branch: MAIN
CVS Tags: HEAD
Revision bump adds an upstream security patch which fixes a buffer overflow.

(Portage version: 2.2.0_alpha120/cvs/Linux x86_64)

1 commit 7d72f7dd8d28d18c59a08a7d43bd4e0654043103
2 Author: Thorsten Zachmann <t.zachmann@zagge.de>
3 Date: Sat Aug 4 06:42:14 2012 +0200
4
5 Make sure not to write behind the allocated memory
6
7 Validate the input data to not write behind the allocated memory. This fixes a
8 buffer overflow found by Charlie Miller.
9 (cherry picked from commit 8652ab672eaaa145dfb3782f5011de58aa4cc046)
10
11 diff --git a/filters/words/msword-odf/wv2/src/styles.cpp b/filters/words/msword-odf/wv2/src/styles.cpp
12 index c3132f0..0d691f5 100644
13 --- a/filters/words/msword-odf/wv2/src/styles.cpp
14 +++ b/filters/words/msword-odf/wv2/src/styles.cpp
15 @@ -248,6 +248,11 @@ throw(InvalidFormatException)
16 #ifdef WV2_DEBUG_STYLESHEET
17 wvlog << "cbUPX: " << cbUPX << endl;
18 #endif
19 + // do not overflow the allocated buffer grupx
20 + if (offset + cbUPX > grupxLen) {
21 + wvlog << "====> Error: grupx would overflow!" << endl;
22 + return false;
23 + }
24 for ( U16 j = 0; j < cbUPX; ++j ) {
25 grupx[ offset + j ] = stream->readU8(); // read the whole UPX
26 #ifdef WV2_DEBUG_STYLESHEET
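
Review bot: The new guard `if (offset + cbUPX > grupxLen)` is only as sound as the types of `offset`, `cbUPX` and `grupxLen`, and none of them is declared in this hunk. The loop counter `U16 j` suggests `cbUPX` is 16-bit, but if `offset` or `grupxLen` is signed or a different width, the addition or the comparison can behave differently from what the comment intends. A form that cannot wrap whatever the types are would be `if (offset > grupxLen || cbUPX > grupxLen - offset)`. Separately, the hunk header shows the function is declared `throw(InvalidFormatException)`, while this path reports the malformed input with `return false;` after some of the style data has already been read from `stream`. It is worth confirming that every caller checks the return value and abandons the stylesheet rather than continuing with a partially read one, and that `grupx` is released on this early return.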