rpms/openoffice.org/F-9 openoffice.org-2.4.1.ooo92217.sal.alloc.patch, 1.1, 1.2

Caolan McNamara caolanm at fedoraproject.org
Wed Aug 27 21:38:39 UTC 2008 

Author: caolanm

Update of /cvs/pkgs/rpms/openoffice.org/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1220

Modified Files:
	openoffice.org-2.4.1.ooo92217.sal.alloc.patch 
Log Message:
Resolves: CVE-2008-3282 numeric truncation error in OOo memory allocator

openoffice.org-2.4.1.ooo92217.sal.alloc.patch:

Index: openoffice.org-2.4.1.ooo92217.sal.alloc.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openoffice.org/F-9/openoffice.org-2.4.1.ooo92217.sal.alloc.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- openoffice.org-2.4.1.ooo92217.sal.alloc.patch	27 Aug 2008 19:11:46 -0000	1.1
+++ openoffice.org-2.4.1.ooo92217.sal.alloc.patch	27 Aug 2008 21:38:37 -0000	1.2
@@ -5,7 +5,7 @@
 diff -u -r1.6 alloc_global.c
 --- openoffice.org.orig/sal/rtl/source/alloc_global.c	22 Jul 2008 17:11:06 -0000	1.6
 +++ openoffice.org/sal/rtl/source/alloc_global.c	28 Jul 2008 13:28:07 -0000
-@@ -197,9 +197,7 @@
+@@ -214,9 +214,7 @@
  		char *     addr;
  		sal_Size   size = RTL_MEMORY_ALIGN(n + RTL_MEMALIGN, RTL_MEMALIGN);
  
@@ -15,7 +15,7 @@
  		if (n >= SAL_MAX_SIZE - (RTL_MEMALIGN + RTL_MEMALIGN - 1))
  		{
  			/* requested size too large for roundup alignment */
-@@ -207,8 +205,8 @@
+@@ -224,8 +222,8 @@
  		}
  
  try_alloc:
@@ -26,15 +26,15 @@
  		else
  			addr = (char*)rtl_arena_alloc (gp_alloc_arena, &size);
  
-@@ -238,9 +236,8 @@
+@@ -255,9 +253,8 @@
  		char *   addr = (char*)(p) - RTL_MEMALIGN;
  		sal_Size size = ((sal_Size*)(addr))[0];
  
 -		int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
 -		if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
--			rtl_cache_free(g_alloc_table[index], addr);
-+		if (size <= RTL_MEMORY_CACHED_LIMIT)
-+			rtl_cache_free(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT], addr);
+-			rtl_cache_free (g_alloc_table[index], addr);
++                if (size <= RTL_MEMORY_CACHED_LIMIT)
++                        rtl_cache_free(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT], addr);
  		else
  			rtl_arena_free (gp_alloc_arena, addr, size);
  	}

More information about the fedora-extras-commits mailing list