aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormaho <maho@FreeBSD.org>2007-01-08 14:41:02 +0800
committermaho <maho@FreeBSD.org>2007-01-08 14:41:02 +0800
commitd1b2ca57ba2cfc0e56f7660ed40f7eedbbb0b3be (patch)
tree413fb679f0ec0c20efce1d4afc51aa66aad3de6a
parent8b1295e24443a1759981706a4d2a8b633041f384 (diff)
downloadfreebsd-ports-graphics-d1b2ca57ba2cfc0e56f7660ed40f7eedbbb0b3be.tar.gz
freebsd-ports-graphics-d1b2ca57ba2cfc0e56f7660ed40f7eedbbb0b3be.tar.zst
freebsd-ports-graphics-d1b2ca57ba2cfc0e56f7660ed40f7eedbbb0b3be.zip
* Fix WMF security vulnerability
http://www.openoffice.org/servlets/ReadMsg?list=releases&msgNo=10454 http://www.openoffice.org/issues/show_bug.cgi?id=70042 * Bump portrevision Obtained from: security-team@openoffice.org
-rw-r--r--editors/openoffice.org-1.1/Makefile2
-rw-r--r--editors/openoffice.org-1.1/files/patch-allocoverflows_wmf170
2 files changed, 171 insertions, 1 deletions
diff --git a/editors/openoffice.org-1.1/Makefile b/editors/openoffice.org-1.1/Makefile
index dab83557db4..0cc1ce17fb8 100644
--- a/editors/openoffice.org-1.1/Makefile
+++ b/editors/openoffice.org-1.1/Makefile
@@ -7,7 +7,7 @@
PORTNAME= openoffice.org
PORTVERSION= 1.1.5
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES+= editors
MASTER_SITES+= ${MASTER_SITE_RINGSERVER:S,%SUBDIR%,misc/openoffice/stable/1.1.5/&,} \
ftp://ftp.kddlabs.co.jp/office/openoffice/stable/1.1.5/ \
diff --git a/editors/openoffice.org-1.1/files/patch-allocoverflows_wmf b/editors/openoffice.org-1.1/files/patch-allocoverflows_wmf
new file mode 100644
index 00000000000..dd89158672c
--- /dev/null
+++ b/editors/openoffice.org-1.1/files/patch-allocoverflows_wmf
@@ -0,0 +1,170 @@
+Index: source/filter.vcl/wmf/enhwmf.cxx
+===================================================================
+RCS file: /cvs/util/svtools/source/filter.vcl/wmf/enhwmf.cxx,v
+retrieving revision 1.19.106.1
+diff -u -u -r1.19.106.1 enhwmf.cxx
+--- svtools/source/filter.vcl/wmf/enhwmf.cxx 28 Apr 2004 10:25:02 -0000 1.19.106.1
++++ svtools/source/filter.vcl/wmf/enhwmf.cxx 24 Nov 2006 15:01:16 -0000
+@@ -60,6 +60,10 @@
+ ************************************************************************/
+
+ #include "winmtf.hxx"
++// some older OOos don't have the macro yet
++#ifndef SAL_MAX_UINT32
++#define SAL_MAX_UINT32 ((sal_uInt32) 0xFFFFFFFF)
++#endif
+
+ //=========================== GDI-Array ===================================
+
+@@ -385,33 +389,37 @@
+ UINT16* pnPoints;
+ Point* pPtAry;
+
+- INT32 i, nPoly, nGesPoints;
++ UINT32 i, nPoly, nGesPoints;
+ pWMF->SeekRel( 0x10 );
+
+ // Anzahl der Polygone:
+ *pWMF >> nPoly >> nGesPoints;
+
+- // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
+- pnPoints = new UINT16[ nPoly ];
+-
+- for ( i = 0; i < nPoly; i++ )
++ if (nGesPoints < SAL_MAX_UINT32 / sizeof(Point))
+ {
+- *pWMF >> nPoints;
+- pnPoints[ i ] = (UINT16)nPoints;
+- }
+- // Polygonpunkte holen:
+- pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ];
+
+- for ( i = 0; i < nGesPoints; i++ )
+- {
+- *pWMF >> nX32 >> nY32;
+- pPtAry[ i ] = Point( nX32, nY32 );
++ // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
++ pnPoints = new UINT16[ nPoly ];
++
++ for ( i = 0; i < nPoly; i++ )
++ {
++ *pWMF >> nPoints;
++ pnPoints[ i ] = (UINT16)nPoints;
++ }
++ // Polygonpunkte holen:
++ pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ];
++
++ for ( i = 0; i < nGesPoints; i++ )
++ {
++ *pWMF >> nX32 >> nY32;
++ pPtAry[ i ] = Point( nX32, nY32 );
++ }
++ // PolyPolygon Actions erzeugen
++ PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
++ pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
++ delete[] (char*) pPtAry;
++ delete[] pnPoints;
+ }
+- // PolyPolygon Actions erzeugen
+- PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
+- pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
+- delete[] (char*) pPtAry;
+- delete[] pnPoints;
+ }
+ break;
+
+@@ -1137,31 +1145,34 @@
+ UINT16* pnPoints;
+ Point* pPtAry;
+
+- INT32 i, nPoly, nGesPoints;
++ UINT32 i, nPoly, nGesPoints;
+ pWMF->SeekRel( 0x10 );
+ // Anzahl der Polygone:
+ *pWMF >> nPoly >> nGesPoints;
+- // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
+- pnPoints = new UINT16[ nPoly ];
+- for ( i = 0; i < nPoly; i++ )
+- {
+- *pWMF >> nPoints;
+- pnPoints[ i ] = (UINT16)nPoints;
+- }
+- // Polygonpunkte holen:
+- pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ];
+- for ( i = 0; i < nGesPoints; i++ )
++ if (nGesPoints < SAL_MAX_UINT32 / sizeof(Point))
+ {
+- *pWMF >> nX16 >> nY16;
+- pPtAry[ i ] = Point( nX16, nY16 );
++ // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
++ pnPoints = new UINT16[ nPoly ];
++ for ( i = 0; i < nPoly; i++ )
++ {
++ *pWMF >> nPoints;
++ pnPoints[ i ] = (UINT16)nPoints;
++ }
++ // Polygonpunkte holen:
++ pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ];
++ for ( i = 0; i < nGesPoints; i++ )
++ {
++ *pWMF >> nX16 >> nY16;
++ pPtAry[ i ] = Point( nX16, nY16 );
++ }
++
++ // PolyPolygon Actions erzeugen
++ PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
++ pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
++ delete[] (char*) pPtAry;
++ delete[] pnPoints;
+ }
+-
+- // PolyPolygon Actions erzeugen
+- PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
+- pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
+- delete[] (char*) pPtAry;
+- delete[] pnPoints;
+- };
++ }
+ break;
+
+ case EMR_FILLRGN :
+Index: source/filter.vcl/wmf/winwmf.cxx
+===================================================================
+RCS file: /cvs/util/svtools/source/filter.vcl/wmf/winwmf.cxx,v
+retrieving revision 1.20.106.1
+diff -u -u -r1.20.106.1 winwmf.cxx
+--- svtools/source/filter.vcl/wmf/winwmf.cxx 28 Apr 2004 10:25:48 -0000 1.20.106.1
++++ svtools/source/filter.vcl/wmf/winwmf.cxx 24 Nov 2006 15:01:16 -0000
+@@ -874,17 +874,21 @@
+ aMemoryStream >> aPt.X()
+ >> aPt.Y()
+ >> nStringLen;
+- sal_Unicode* pBuf = aString.AllocBuffer( (sal_uInt16)nStringLen );
+- for ( i = 0; i < nStringLen; i++ )
+- aMemoryStream >> pBuf[ i ];
+- aMemoryStream >> nDXCount;
+- if ( nDXCount )
+- pDXAry = new sal_Int32[ nDXCount ];
+- for ( i = 0; i < nDXCount; i++ )
+- aMemoryStream >> pDXAry[ i ];
+- aMemoryStream >> nSkipActions;
+- pOut->DrawText( aPt, aString, pDXAry );
+- delete[] pDXAry;
++
++ if (nStringLen < STRING_MAXLEN)
++ {
++ sal_Unicode* pBuf = aString.AllocBuffer( (xub_StrLen)nStringLen );
++ for ( i = 0; i < nStringLen; i++ )
++ aMemoryStream >> pBuf[ i ];
++ aMemoryStream >> nDXCount;
++ if ( nDXCount )
++ pDXAry = new sal_Int32[ nDXCount ];
++ for ( i = 0; i < nDXCount; i++ )
++ aMemoryStream >> pDXAry[ i ];
++ aMemoryStream >> nSkipActions;
++ pOut->DrawText( aPt, aString, pDXAry );
++ delete[] pDXAry;
++ }
+ }
+ }
+ break;