diff options
author | maho <maho@FreeBSD.org> | 2007-01-08 14:41:02 +0800 |
---|---|---|
committer | maho <maho@FreeBSD.org> | 2007-01-08 14:41:02 +0800 |
commit | d1b2ca57ba2cfc0e56f7660ed40f7eedbbb0b3be (patch) | |
tree | 413fb679f0ec0c20efce1d4afc51aa66aad3de6a | |
parent | 8b1295e24443a1759981706a4d2a8b633041f384 (diff) | |
download | freebsd-ports-graphics-d1b2ca57ba2cfc0e56f7660ed40f7eedbbb0b3be.tar.gz freebsd-ports-graphics-d1b2ca57ba2cfc0e56f7660ed40f7eedbbb0b3be.tar.zst freebsd-ports-graphics-d1b2ca57ba2cfc0e56f7660ed40f7eedbbb0b3be.zip |
* Fix WMF security vulnerability
http://www.openoffice.org/servlets/ReadMsg?list=releases&msgNo=10454
http://www.openoffice.org/issues/show_bug.cgi?id=70042
* Bump portrevision
Obtained from: security-team@openoffice.org
-rw-r--r-- | editors/openoffice.org-1.1/Makefile | 2 | ||||
-rw-r--r-- | editors/openoffice.org-1.1/files/patch-allocoverflows_wmf | 170 |
2 files changed, 171 insertions, 1 deletions
diff --git a/editors/openoffice.org-1.1/Makefile b/editors/openoffice.org-1.1/Makefile index dab83557db4..0cc1ce17fb8 100644 --- a/editors/openoffice.org-1.1/Makefile +++ b/editors/openoffice.org-1.1/Makefile @@ -7,7 +7,7 @@ PORTNAME= openoffice.org PORTVERSION= 1.1.5 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES+= editors MASTER_SITES+= ${MASTER_SITE_RINGSERVER:S,%SUBDIR%,misc/openoffice/stable/1.1.5/&,} \ ftp://ftp.kddlabs.co.jp/office/openoffice/stable/1.1.5/ \ diff --git a/editors/openoffice.org-1.1/files/patch-allocoverflows_wmf b/editors/openoffice.org-1.1/files/patch-allocoverflows_wmf new file mode 100644 index 00000000000..dd89158672c --- /dev/null +++ b/editors/openoffice.org-1.1/files/patch-allocoverflows_wmf @@ -0,0 +1,170 @@ +Index: source/filter.vcl/wmf/enhwmf.cxx +=================================================================== +RCS file: /cvs/util/svtools/source/filter.vcl/wmf/enhwmf.cxx,v +retrieving revision 1.19.106.1 +diff -u -u -r1.19.106.1 enhwmf.cxx +--- svtools/source/filter.vcl/wmf/enhwmf.cxx 28 Apr 2004 10:25:02 -0000 1.19.106.1 ++++ svtools/source/filter.vcl/wmf/enhwmf.cxx 24 Nov 2006 15:01:16 -0000 +@@ -60,6 +60,10 @@ + ************************************************************************/ + + #include "winmtf.hxx" ++// some older OOos don't have the macro yet ++#ifndef SAL_MAX_UINT32 ++#define SAL_MAX_UINT32 ((sal_uInt32) 0xFFFFFFFF) ++#endif + + //=========================== GDI-Array =================================== + +@@ -385,33 +389,37 @@ + UINT16* pnPoints; + Point* pPtAry; + +- INT32 i, nPoly, nGesPoints; ++ UINT32 i, nPoly, nGesPoints; + pWMF->SeekRel( 0x10 ); + + // Anzahl der Polygone: + *pWMF >> nPoly >> nGesPoints; + +- // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln: +- pnPoints = new UINT16[ nPoly ]; +- +- for ( i = 0; i < nPoly; i++ ) ++ if (nGesPoints < SAL_MAX_UINT32 / sizeof(Point)) + { +- *pWMF >> nPoints; +- pnPoints[ i ] = (UINT16)nPoints; +- } +- // Polygonpunkte holen: +- pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ]; + +- for ( i = 0; i < nGesPoints; i++ ) +- { +- *pWMF >> nX32 >> nY32; +- pPtAry[ i ] = Point( nX32, nY32 ); ++ // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln: ++ pnPoints = new UINT16[ nPoly ]; ++ ++ for ( i = 0; i < nPoly; i++ ) ++ { ++ *pWMF >> nPoints; ++ pnPoints[ i ] = (UINT16)nPoints; ++ } ++ // Polygonpunkte holen: ++ pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ]; ++ ++ for ( i = 0; i < nGesPoints; i++ ) ++ { ++ *pWMF >> nX32 >> nY32; ++ pPtAry[ i ] = Point( nX32, nY32 ); ++ } ++ // PolyPolygon Actions erzeugen ++ PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry ); ++ pOut->DrawPolyPolygon( aPolyPoly, bRecordPath ); ++ delete[] (char*) pPtAry; ++ delete[] pnPoints; + } +- // PolyPolygon Actions erzeugen +- PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry ); +- pOut->DrawPolyPolygon( aPolyPoly, bRecordPath ); +- delete[] (char*) pPtAry; +- delete[] pnPoints; + } + break; + +@@ -1137,31 +1145,34 @@ + UINT16* pnPoints; + Point* pPtAry; + +- INT32 i, nPoly, nGesPoints; ++ UINT32 i, nPoly, nGesPoints; + pWMF->SeekRel( 0x10 ); + // Anzahl der Polygone: + *pWMF >> nPoly >> nGesPoints; +- // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln: +- pnPoints = new UINT16[ nPoly ]; +- for ( i = 0; i < nPoly; i++ ) +- { +- *pWMF >> nPoints; +- pnPoints[ i ] = (UINT16)nPoints; +- } +- // Polygonpunkte holen: +- pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ]; +- for ( i = 0; i < nGesPoints; i++ ) ++ if (nGesPoints < SAL_MAX_UINT32 / sizeof(Point)) + { +- *pWMF >> nX16 >> nY16; +- pPtAry[ i ] = Point( nX16, nY16 ); ++ // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln: ++ pnPoints = new UINT16[ nPoly ]; ++ for ( i = 0; i < nPoly; i++ ) ++ { ++ *pWMF >> nPoints; ++ pnPoints[ i ] = (UINT16)nPoints; ++ } ++ // Polygonpunkte holen: ++ pPtAry = (Point*) new char[ nGesPoints * sizeof(Point) ]; ++ for ( i = 0; i < nGesPoints; i++ ) ++ { ++ *pWMF >> nX16 >> nY16; ++ pPtAry[ i ] = Point( nX16, nY16 ); ++ } ++ ++ // PolyPolygon Actions erzeugen ++ PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry ); ++ pOut->DrawPolyPolygon( aPolyPoly, bRecordPath ); ++ delete[] (char*) pPtAry; ++ delete[] pnPoints; + } +- +- // PolyPolygon Actions erzeugen +- PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry ); +- pOut->DrawPolyPolygon( aPolyPoly, bRecordPath ); +- delete[] (char*) pPtAry; +- delete[] pnPoints; +- }; ++ } + break; + + case EMR_FILLRGN : +Index: source/filter.vcl/wmf/winwmf.cxx +=================================================================== +RCS file: /cvs/util/svtools/source/filter.vcl/wmf/winwmf.cxx,v +retrieving revision 1.20.106.1 +diff -u -u -r1.20.106.1 winwmf.cxx +--- svtools/source/filter.vcl/wmf/winwmf.cxx 28 Apr 2004 10:25:48 -0000 1.20.106.1 ++++ svtools/source/filter.vcl/wmf/winwmf.cxx 24 Nov 2006 15:01:16 -0000 +@@ -874,17 +874,21 @@ + aMemoryStream >> aPt.X() + >> aPt.Y() + >> nStringLen; +- sal_Unicode* pBuf = aString.AllocBuffer( (sal_uInt16)nStringLen ); +- for ( i = 0; i < nStringLen; i++ ) +- aMemoryStream >> pBuf[ i ]; +- aMemoryStream >> nDXCount; +- if ( nDXCount ) +- pDXAry = new sal_Int32[ nDXCount ]; +- for ( i = 0; i < nDXCount; i++ ) +- aMemoryStream >> pDXAry[ i ]; +- aMemoryStream >> nSkipActions; +- pOut->DrawText( aPt, aString, pDXAry ); +- delete[] pDXAry; ++ ++ if (nStringLen < STRING_MAXLEN) ++ { ++ sal_Unicode* pBuf = aString.AllocBuffer( (xub_StrLen)nStringLen ); ++ for ( i = 0; i < nStringLen; i++ ) ++ aMemoryStream >> pBuf[ i ]; ++ aMemoryStream >> nDXCount; ++ if ( nDXCount ) ++ pDXAry = new sal_Int32[ nDXCount ]; ++ for ( i = 0; i < nDXCount; i++ ) ++ aMemoryStream >> pDXAry[ i ]; ++ aMemoryStream >> nSkipActions; ++ pOut->DrawText( aPt, aString, pDXAry ); ++ delete[] pDXAry; ++ } + } + } + break; |