rpms/openoffice.org/F-8 openoffice.org-2.4.1.ooo92217.sal.alloc.patch, NONE, 1.1 openoffice.org.spec, 1.1357, 1.1358
Caolan McNamara
caolanm at fedoraproject.org
Wed Aug 27 19:08:38 UTC 2008
Author: caolanm
Update of /cvs/pkgs/rpms/openoffice.org/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10708
Modified Files:
openoffice.org.spec
Added Files:
openoffice.org-2.4.1.ooo92217.sal.alloc.patch
Log Message:
Resolves: CVE-2008-3282 numeric truncation error in OOo memory allocator
openoffice.org-2.4.1.ooo92217.sal.alloc.patch:
--- NEW FILE openoffice.org-2.4.1.ooo92217.sal.alloc.patch ---
Index: rtl/source/alloc_global.c
===================================================================
RCS file: /cvs/porting/sal/rtl/source/alloc_global.c,v
retrieving revision 1.6
diff -u -r1.6 alloc_global.c
--- openoffice.org.orig/sal/rtl/source/alloc_global.c 22 Jul 2008 17:11:06 -0000 1.6
+++ openoffice.org/sal/rtl/source/alloc_global.c 28 Jul 2008 13:28:07 -0000
@@ -197,9 +197,7 @@
char * addr;
sal_Size size = RTL_MEMORY_ALIGN(n + RTL_MEMALIGN, RTL_MEMALIGN);
- int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
OSL_ASSERT(RTL_MEMALIGN >= sizeof(sal_Size));
-
if (n >= SAL_MAX_SIZE - (RTL_MEMALIGN + RTL_MEMALIGN - 1))
{
/* requested size too large for roundup alignment */
@@ -207,8 +205,8 @@
}
try_alloc:
- if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
- addr = (char*)rtl_cache_alloc (g_alloc_table[index]);
+ if (size <= RTL_MEMORY_CACHED_LIMIT)
+ addr = (char*)rtl_cache_alloc(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT]);
else
addr = (char*)rtl_arena_alloc (gp_alloc_arena, &size);
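Review bot: The new test `size <= RTL_MEMORY_CACHED_LIMIT` carries no comment saying why the comparison must stay in `sal_Size`, so a later cleanup could reintroduce a narrowed index variable. The removed `int index` is what let an oversized request compare as a small table index wherever `sal_Size` is wider than `int`. I would add above the `if`: `/* compare the full sal_Size; a narrowed int index can alias a huge size onto a cached slot (CVE-2008-3282) */`. The same comment fits the matching test on the free path in the `@@ -238,9 +236,8 @@` hunk. The function body starts and ends outside this hunk.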
@@ -238,9 +236,8 @@
char * addr = (char*)(p) - RTL_MEMALIGN;
sal_Size size = ((sal_Size*)(addr))[0];
- int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
- if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
- rtl_cache_free(g_alloc_table[index], addr);
+ if (size <= RTL_MEMORY_CACHED_LIMIT)
+ rtl_cache_free(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT], addr);
else
rtl_arena_free (gp_alloc_arena, addr, size);
}
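Review bot: A stored size of 0 is not handled on this free path. `size` is read back from the in-band header at `((sal_Size*)(addr))[0]`, so `0 <= RTL_MEMORY_CACHED_LIMIT` holds and `(size - 1)` wraps before the shift, assuming `sal_Size` is unsigned as its use here suggests. The resulting index would fall far outside `g_alloc_table`. The allocation path presumably never writes 0 there, but a corrupted or foreign block would reach this line unchecked. An `OSL_ASSERT(size != 0);` ahead of the `if` would flag it in debug builds; whether release builds should also refuse such a block is a judgment call for the maintainers. The function starts outside the hunk.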
Index: gsl/vcl/unx/source/gdi/makefile.mk
diff -u gsl/vcl/unx/source/gdi/makefile.mk:1.21 gsl/vcl/unx/source/gdi/makefile.mk:1.21.326.1
--- gsl/vcl/unx/source/gdi/makefile.mk:1.21 Tue Nov 14 07:25:12 2006
+++ gsl/vcl/unx/source/gdi/makefile.mk Tue Jan 8 08:30:59 2008
@@ -73,6 +73,7 @@
EXCEPTIONSFILES=\
$(SLO)$/xlfd_extd.obj \
+ $(SLO)$/salbmp.obj \
$(SLO)$/salgdi3.obj \
$(SLO)$/salcvt.obj
Index: gsl/vcl/unx/source/gdi/salbmp.cxx
diff -u gsl/vcl/unx/source/gdi/salbmp.cxx:1.29 gsl/vcl/unx/source/gdi/salbmp.cxx:1.29.162.1
--- gsl/vcl/unx/source/gdi/salbmp.cxx:1.29 Wed Jun 27 13:49:34 2007
+++ gsl/vcl/unx/source/gdi/salbmp.cxx Tue Jan 8 08:30:59 2008
@@ -138,11 +138,18 @@
{
DBG_ASSERT( nBitCount == 1 || nBitCount == 4 || nBitCount == 8 || nBitCount == 16 || nBitCount == 24, "Unsupported BitCount!" );
- BitmapBuffer* pDIB;
+ BitmapBuffer* pDIB = NULL;
if( rSize.Width() && rSize.Height() )
{
- pDIB = new BitmapBuffer;
+ try
+ {
+ pDIB = new BitmapBuffer;
+ }
+ catch( std::bad_alloc& )
+ {
+ pDIB = NULL;
+ }
if( pDIB )
{
@@ -179,7 +186,15 @@
pDIB->maPalette.SetEntryCount( nColors );
}
- pDIB->mpBits = new BYTE[ pDIB->mnScanlineSize * pDIB->mnHeight ];
+ try
+ {
+ pDIB->mpBits = new BYTE[ pDIB->mnScanlineSize * pDIB->mnHeight ];
+ }
+ catch(std::bad_alloc&)
+ {
+ delete pDIB;
+ pDIB = NULL;
+ }
}
}
else
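Review bot: The product `pDIB->mnScanlineSize * pDIB->mnHeight` can wrap before `new BYTE[ ... ]` sees it, and the added `catch(std::bad_alloc&)` only covers an allocation that fails, not one that succeeds with a too-small size. The field types are not visible in this hunk, so this is hedged, but for dimensions that may come from a file I would reject the bitmap before allocating when `mnHeight` is non-zero and `mnScanlineSize` exceeds the largest representable size divided by `mnHeight`, taking the same `delete pDIB; pDIB = NULL;` path as the handler. The same product appears in the copy path in the `@@ -708,7 +723,15 @@` hunk, both as the allocation size and as the `memcpy` length. The enclosing function starts and ends outside the hunk.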
@@ -708,7 +723,15 @@
// TODO: reference counting...
mpDIB = new BitmapBuffer( *rSalBmp.mpDIB );
// TODO: get rid of this when BitmapBuffer gets copy constructor
- mpDIB->mpBits = new BYTE[ mpDIB->mnScanlineSize * mpDIB->mnHeight ];
+ try
+ {
+ mpDIB->mpBits = new BYTE[ mpDIB->mnScanlineSize * mpDIB->mnHeight ];
+ }
+ catch( std::bad_alloc& )
+ {
+ delete mpDIB;
+ mpDIB = NULL;
+ }
if( mpDIB )
memcpy( mpDIB->mpBits, rSalBmp.mpDIB->mpBits, mpDIB->mnScanlineSize * mpDIB->mnHeight );
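Review bot: `mpDIB = new BitmapBuffer( *rSalBmp.mpDIB );` stays outside the new `try`, so a `std::bad_alloc` from that allocation still propagates, unlike the creation path earlier in this patch where `new BitmapBuffer` is guarded. Setting `mpDIB = NULL;` first and moving that line inside the `try` would make both paths fail the same way and keep the handler's `delete mpDIB` safe. Separately, when the handler runs, `mpDIB->mpBits` still holds the pointer copied from `rSalBmp.mpDIB`. That is harmless only if `BitmapBuffer` has no destructor that frees `mpBits`, which the TODO hints at but the hunk does not show. The enclosing function starts and ends outside the hunk.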
Index: source/filter.vcl/ipcx/ipcx.cxx
===================================================================
RCS file: /cvs/graphics/goodies/source/filter.vcl/ipcx/ipcx.cxx,v
retrieving revision 1.7
diff -u -r1.7 ipcx.cxx
--- openoffice.org.orig/goodies/source/filter.vcl/ipcx/ipcx.cxx 14 Nov 2006 16:16:05 -0000 1.7
+++ openoffice.org/goodies/source/filter.vcl/ipcx/ipcx.cxx 17 Jul 2008 14:12:36 -0000
@@ -187,6 +187,13 @@
*pPCX >> nbyte; nBitsPerPlanePix = (ULONG)nbyte;
*pPCX >> nMinX >> nMinY >> nMaxX >> nMaxY;
+
+ if ((nMinX > nMaxX) || (nMinY > nMaxY))
+ {
+ nStatus = FALSE;
+ return;
+ }
+
nWidth = nMaxX-nMinX+1;
nHeight = nMaxY-nMinY+1;
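Review bot: The new range check reads `nMinX`, `nMinY`, `nMaxX` and `nMaxY` without first confirming that the `*pPCX >>` extractions succeeded, so a truncated header is judged on whatever those variables held beforehand. The later hunk adds a `pPCX->GetError()` test inside the row loop; the same call could lead this condition, e.g. `if (pPCX->GetError() || (nMinX > nMaxX) || (nMinY > nMaxY))`. A short comment such as `// reject inverted bounds: width/height below would wrap` would also record why the check exists, assuming the coordinates are unsigned, which the hunk does not show. The function continues outside the hunk.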
@@ -239,6 +246,12 @@
nCount = 0;
for ( ny = 0; ny < nHeight; ny++ )
{
+ if (pPCX->GetError() || pPCX->IsEof())
+ {
+ nStatus = FALSE;
+ break;
+ }
+
nPercent = ny * 60 / nHeight + 10;
if ( ny == 0 || nLastPercent + 4 <= nPercent )
{
Index: openoffice.org.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openoffice.org/F-8/openoffice.org.spec,v
retrieving revision 1.1357
retrieving revision 1.1358
diff -u -r1.1357 -r1.1358
--- openoffice.org.spec 10 Jun 2008 07:51:10 -0000 1.1357
+++ openoffice.org.spec 27 Aug 2008 19:08:07 -0000 1.1358
@@ -1,6 +1,6 @@
%define oootag OOG680
%define ooomilestone 6
-%define rh_rpm_release 15
+%define rh_rpm_release 16
# undef to get english only and no-langpacks for a faster smoketest build
%define langpacks 1
@@ -174,6 +174,7 @@
Patch92: openoffice.org-3.0.0.ooo85691.vcl.tooltipcolor.patch
Patch93: workspace.sjfixes03.patch
Patch94: workspace.mhu18.patch
+Patch95: openoffice.org-2.4.1.ooo92217.sal.alloc.patch
%define instdir %{_libdir}/openoffice.org
@@ -1143,6 +1144,7 @@
%patch92 -p1 -b .ooo85691.vcl.tooltipcolor.patch
%patch93 -p1 -b .workspace.sjfixes03.patch
%patch94 -p1 -b .workspace.mhu18.patch
+%patch95 -p1 -b .ooo92217.sal.alloc.patch
%if %{linkopt}
chmod a+x solenv/bin/mklinkscript.pl
@@ -2857,6 +2859,9 @@
%{instdir}/share/registry/modules/org/openoffice/Office/Scripting/Scripting-python.xcu
%changelog
+* Wed Aug 27 2008 Caolan McNamara <caolanm at redhat.com> - 1:2.3.0-6.16
+- Resolves: CVE-2008-3282 numeric truncation error in OOo memory allocator
+
* Tue Jun 10 2008 Caolan McNamara <caolanm at redhat.com> - 1:2.3.0-6.15
- Resolves: rhbz#450650 CVE-2008-2152