rpms/openoffice.org/F-9 openoffice.org-2.4.1.ooo92217.sal.alloc.patch, NONE, 1.1 openoffice.org.spec, 1.1505, 1.1506
Caolan McNamara
caolanm at fedoraproject.org
Wed Aug 27 19:12:16 UTC 2008
- Previous message (by thread): rpms/openoffice.org/F-8 openoffice.org-2.4.1.ooo92217.sal.alloc.patch, NONE, 1.1 openoffice.org.spec, 1.1357, 1.1358
- Next message (by thread): rpms/schroedinger/devel .cvsignore, 1.5, 1.6 schroedinger.spec, 1.7, 1.8 sources, 1.5, 1.6
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: caolanm
Update of /cvs/pkgs/rpms/openoffice.org/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11131
Modified Files:
openoffice.org.spec
Added Files:
openoffice.org-2.4.1.ooo92217.sal.alloc.patch
Log Message:
Resolves: CVE-2008-3282 numeric truncation error in OOo memory allocator
openoffice.org-2.4.1.ooo92217.sal.alloc.patch:
--- NEW FILE openoffice.org-2.4.1.ooo92217.sal.alloc.patch ---
Index: rtl/source/alloc_global.c
===================================================================
RCS file: /cvs/porting/sal/rtl/source/alloc_global.c,v
retrieving revision 1.6
diff -u -r1.6 alloc_global.c
--- openoffice.org.orig/sal/rtl/source/alloc_global.c 22 Jul 2008 17:11:06 -0000 1.6
+++ openoffice.org/sal/rtl/source/alloc_global.c 28 Jul 2008 13:28:07 -0000
@@ -197,9 +197,7 @@
char * addr;
sal_Size size = RTL_MEMORY_ALIGN(n + RTL_MEMALIGN, RTL_MEMALIGN);
- int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
OSL_ASSERT(RTL_MEMALIGN >= sizeof(sal_Size));
-
if (n >= SAL_MAX_SIZE - (RTL_MEMALIGN + RTL_MEMALIGN - 1))
{
/* requested size too large for roundup alignment */
@@ -207,8 +205,8 @@
}
try_alloc:
- if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
- addr = (char*)rtl_cache_alloc (g_alloc_table[index]);
+ if (size <= RTL_MEMORY_CACHED_LIMIT)
+ addr = (char*)rtl_cache_alloc(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT]);
else
addr = (char*)rtl_arena_alloc (gp_alloc_arena, &size);
@@ -238,9 +236,8 @@
char * addr = (char*)(p) - RTL_MEMALIGN;
sal_Size size = ((sal_Size*)(addr))[0];
- int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
- if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
- rtl_cache_free(g_alloc_table[index], addr);
+ if (size <= RTL_MEMORY_CACHED_LIMIT)
+ rtl_cache_free(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT], addr);
else
rtl_arena_free (gp_alloc_arena, addr, size);
}
Index: source/filter.vcl/ipcx/ipcx.cxx
===================================================================
RCS file: /cvs/graphics/goodies/source/filter.vcl/ipcx/ipcx.cxx,v
retrieving revision 1.7
diff -u -r1.7 ipcx.cxx
--- openoffice.org.orig/goodies/source/filter.vcl/ipcx/ipcx.cxx 14 Nov 2006 16:16:05 -0000 1.7
+++ openoffice.org/goodies/source/filter.vcl/ipcx/ipcx.cxx 17 Jul 2008 14:12:36 -0000
@@ -187,6 +187,13 @@
*pPCX >> nbyte; nBitsPerPlanePix = (ULONG)nbyte;
*pPCX >> nMinX >> nMinY >> nMaxX >> nMaxY;
+
+ if ((nMinX > nMaxX) || (nMinY > nMaxY))
+ {
+ nStatus = FALSE;
+ return;
+ }
+
nWidth = nMaxX-nMinX+1;
nHeight = nMaxY-nMinY+1;
@@ -239,6 +246,12 @@
nCount = 0;
for ( ny = 0; ny < nHeight; ny++ )
{
+ if (pPCX->GetError() || pPCX->IsEof())
+ {
+ nStatus = FALSE;
+ break;
+ }
+
nPercent = ny * 60 / nHeight + 10;
if ( ny == 0 || nLastPercent + 4 <= nPercent )
{
Index: openoffice.org.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openoffice.org/F-9/openoffice.org.spec,v
retrieving revision 1.1505
retrieving revision 1.1506
diff -u -r1.1505 -r1.1506
--- openoffice.org.spec 26 Aug 2008 07:37:41 -0000 1.1505
+++ openoffice.org.spec 27 Aug 2008 19:11:46 -0000 1.1506
@@ -169,6 +169,7 @@
Patch94: openoffice.org-3.0.0.ooo92253.dbaccess.a11y.crash
Patch95: openoffice.org-3.0.0.ooo92343.svtools.strangethrow.patch
Patch96: openoffice.org-2.4.0.ooo93119.shell.echos.patch
+Patch97: openoffice.org-2.4.1.ooo92217.sal.alloc.patch
%define instdir %{_libdir}/openoffice.org
@@ -997,7 +998,7 @@
Summary: Malayalam language pack for %{name}
Group: Applications/Productivity
Requires: %{name}-core = %{epoch}:%{version}-%{release}
-Requires: fonts-malayalam
+Requires: smc-fonts-meera
Obsoletes: openoffice.org2-langpack-ml_IN
%description langpack-ml_IN
@@ -1152,6 +1153,7 @@
%patch94 -p1 -b .ooo92253.dbaccess.a11y.crash
%patch95 -p1 -b .ooo92343.svtools.strangethrow.patch
%patch96 -p1 -b .ooo93119.shell.echos.patch
+%patch97 -p1 -b .ooo92217.sal.alloc.patch
%build
echo build start time is `date`, diskspace: `df -h . | tail -n 1`
@@ -2948,6 +2950,7 @@
%changelog
* Tue Aug 26 2008 Caolan McNamara <caolanm at redhat.com> - 1:2.4.1-17.6
+- Resolves: CVE-2008-3282 numeric truncation error in OOo memory allocator
- add openoffice.org-2.4.0.ooo93119.shell.echos.patch
* Wed Jul 23 2008 Caolan McNamara <caolanm at redhat.com> - 1:2.4.1-17.5
- Previous message (by thread): rpms/openoffice.org/F-8 openoffice.org-2.4.1.ooo92217.sal.alloc.patch, NONE, 1.1 openoffice.org.spec, 1.1357, 1.1358
- Next message (by thread): rpms/schroedinger/devel .cvsignore, 1.5, 1.6 schroedinger.spec, 1.7, 1.8 sources, 1.5, 1.6
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list