rpms/openoffice.org/F-8 openoffice.org-2.4.1.ooo92217.sal.alloc.patch, NONE, 1.1 openoffice.org.spec, 1.1357, 1.1358

Caolan McNamara caolanm at fedoraproject.org
Wed Aug 27 19:08:38 UTC 2008


Author: caolanm

Update of /cvs/pkgs/rpms/openoffice.org/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10708

Modified Files:
	openoffice.org.spec 
Added Files:
	openoffice.org-2.4.1.ooo92217.sal.alloc.patch 
Log Message:
Resolves: CVE-2008-3282 numeric truncation error in OOo memory allocator

openoffice.org-2.4.1.ooo92217.sal.alloc.patch:

--- NEW FILE openoffice.org-2.4.1.ooo92217.sal.alloc.patch ---
Index: rtl/source/alloc_global.c
===================================================================
RCS file: /cvs/porting/sal/rtl/source/alloc_global.c,v
retrieving revision 1.6
diff -u -r1.6 alloc_global.c
--- openoffice.org.orig/sal/rtl/source/alloc_global.c	22 Jul 2008 17:11:06 -0000	1.6
+++ openoffice.org/sal/rtl/source/alloc_global.c	28 Jul 2008 13:28:07 -0000
@@ -197,9 +197,7 @@
 		char *     addr;
 		sal_Size   size = RTL_MEMORY_ALIGN(n + RTL_MEMALIGN, RTL_MEMALIGN);
 
-		int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
 		OSL_ASSERT(RTL_MEMALIGN >= sizeof(sal_Size));
-
 		if (n >= SAL_MAX_SIZE - (RTL_MEMALIGN + RTL_MEMALIGN - 1))
 		{
 			/* requested size too large for roundup alignment */
@@ -207,8 +205,8 @@
 		}
 
 try_alloc:
-		if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
-			addr = (char*)rtl_cache_alloc (g_alloc_table[index]);
+		if (size <= RTL_MEMORY_CACHED_LIMIT)
+			addr = (char*)rtl_cache_alloc(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT]);
 		else
 			addr = (char*)rtl_arena_alloc (gp_alloc_arena, &size);
 
@@ -238,9 +236,8 @@
 		char *   addr = (char*)(p) - RTL_MEMALIGN;
 		sal_Size size = ((sal_Size*)(addr))[0];
 
-		int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
-		if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
-			rtl_cache_free(g_alloc_table[index], addr);
+		if (size <= RTL_MEMORY_CACHED_LIMIT)
+			rtl_cache_free(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT], addr);
 		else
 			rtl_arena_free (gp_alloc_arena, addr, size);
 	}
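Review bot: The free path still trusts the size word read back from the block header, and the new test does not reject `size == 0`. Assuming sal_Size is unsigned (SAL_MAX_SIZE suggests it is), a zeroed or corrupted header passes `size <= RTL_MEMORY_CACHED_LIMIT`, and `(size - 1) >> RTL_MEMALIGN_SHIFT` then wraps to an index far outside `g_alloc_table`. Writing the condition as `if (size - 1 < RTL_MEMORY_CACHED_LIMIT)` keeps the same range for valid sizes and sends zero to the else branch; how rtl_arena_free treats a zero size is not visible here. A short comment that the comparison is deliberately done in sal_Size rather than int would record why the old `index` variable was removed. The enclosing function starts outside this hunk.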
Index: gsl/vcl/unx/source/gdi/makefile.mk
diff -u gsl/vcl/unx/source/gdi/makefile.mk:1.21 gsl/vcl/unx/source/gdi/makefile.mk:1.21.326.1
--- gsl/vcl/unx/source/gdi/makefile.mk:1.21	Tue Nov 14 07:25:12 2006
+++ gsl/vcl/unx/source/gdi/makefile.mk	Tue Jan  8 08:30:59 2008
@@ -73,6 +73,7 @@
         
 EXCEPTIONSFILES=\
 		$(SLO)$/xlfd_extd.obj	\
+		$(SLO)$/salbmp.obj		\
 		$(SLO)$/salgdi3.obj		\
         $(SLO)$/salcvt.obj
 
Index: gsl/vcl/unx/source/gdi/salbmp.cxx
diff -u gsl/vcl/unx/source/gdi/salbmp.cxx:1.29 gsl/vcl/unx/source/gdi/salbmp.cxx:1.29.162.1
--- gsl/vcl/unx/source/gdi/salbmp.cxx:1.29	Wed Jun 27 13:49:34 2007
+++ gsl/vcl/unx/source/gdi/salbmp.cxx	Tue Jan  8 08:30:59 2008
@@ -138,11 +138,18 @@
 {
 	DBG_ASSERT( nBitCount == 1 || nBitCount == 4 || nBitCount == 8 || nBitCount == 16 || nBitCount == 24, "Unsupported BitCount!" );
 
-	BitmapBuffer* pDIB;
+	BitmapBuffer* pDIB = NULL;
 
 	if( rSize.Width() && rSize.Height() )
 	{
-		pDIB = new BitmapBuffer;
+        try
+        {
+            pDIB = new BitmapBuffer;
+        }
+        catch( std::bad_alloc& )
+        {
+            pDIB = NULL;
+        }
 
 		if( pDIB )
 		{
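Review bot: The added try/catch lines are indented with spaces while the surrounding context uses tabs, and the handler catches by non-const reference; `catch( const std::bad_alloc& )` is the usual form. The same applies to the handlers added in the hunks at -179,7 and -708,7. If salbmp.cxx does not already include `<new>` (its include block is outside this hunk), std::bad_alloc depends on a transitive include.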
@@ -179,7 +186,15 @@
 				pDIB->maPalette.SetEntryCount( nColors );
 			}
 
-			pDIB->mpBits = new BYTE[ pDIB->mnScanlineSize * pDIB->mnHeight ];
+            try
+            {
+                pDIB->mpBits = new BYTE[ pDIB->mnScanlineSize * pDIB->mnHeight ];
+            }
+            catch(std::bad_alloc&)
+            {
+                delete pDIB;
+                pDIB = NULL;
+            }
 		}
 	}
 	else
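Review bot: The size expression `pDIB->mnScanlineSize * pDIB->mnHeight` passed to `new BYTE[ ... ]` is not checked for overflow, and catching std::bad_alloc does not cover that case: a product that wraps yields a successful but undersized buffer. The member types are not visible in this hunk, so this assumes they are fixed-width integers derived from rSize. A guard ahead of the allocation, along the lines of `if( pDIB->mnHeight && pDIB->mnScanlineSize > SIZE_MAX / pDIB->mnHeight )` taking the same `delete pDIB; pDIB = NULL;` path, would reject such dimensions. The same expression is used for the allocation and the memcpy in the hunk at -708,7. The enclosing function starts and ends outside this hunk.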
@@ -708,7 +723,15 @@
 		// TODO: reference counting...
 		mpDIB = new BitmapBuffer( *rSalBmp.mpDIB );
 		// TODO: get rid of this when BitmapBuffer gets copy constructor
-		mpDIB->mpBits = new BYTE[ mpDIB->mnScanlineSize * mpDIB->mnHeight ];
+        try
+        {
+            mpDIB->mpBits = new BYTE[ mpDIB->mnScanlineSize * mpDIB->mnHeight ];
+        }
+        catch( std::bad_alloc& )
+        {
+            delete mpDIB;
+            mpDIB = NULL;
+        }
 
 		if( mpDIB )
 			memcpy( mpDIB->mpBits, rSalBmp.mpDIB->mpBits, mpDIB->mnScanlineSize * mpDIB->mnHeight );
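Review bot: `mpDIB = new BitmapBuffer( *rSalBmp.mpDIB );` just above the added try block is still outside any handler, so a std::bad_alloc from that allocation propagates while the one from `new BYTE[ ... ]` is swallowed. Between the copy and the reassignment, `mpDIB->mpBits` also holds the source's pointer, since the TODO indicates BitmapBuffer has no copy constructor of its own. If BitmapBuffer's destructor releases mpBits (not visible here), the `delete mpDIB` in the handler would free rSalBmp's pixels. Setting `mpDIB->mpBits = NULL;` immediately after the copy would make the failure path independent of that. The enclosing function continues outside this hunk.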
Index: source/filter.vcl/ipcx/ipcx.cxx
===================================================================
RCS file: /cvs/graphics/goodies/source/filter.vcl/ipcx/ipcx.cxx,v
retrieving revision 1.7
diff -u -r1.7 ipcx.cxx
--- openoffice.org.orig/goodies/source/filter.vcl/ipcx/ipcx.cxx	14 Nov 2006 16:16:05 -0000	1.7
+++ openoffice.org/goodies/source/filter.vcl/ipcx/ipcx.cxx	17 Jul 2008 14:12:36 -0000
@@ -187,6 +187,13 @@
 
 	*pPCX >> nbyte; nBitsPerPlanePix = (ULONG)nbyte;
 	*pPCX >> nMinX >> nMinY >> nMaxX >> nMaxY;
+
+	if ((nMinX > nMaxX) || (nMinY > nMaxY))
+	{
+		nStatus = FALSE;
+		return;
+	}
+
 	nWidth = nMaxX-nMinX+1;
 	nHeight = nMaxY-nMinY+1;
 
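Review bot: The new bounds comparison runs on values just extracted with `*pPCX >> ...` without first checking the stream, so on a header truncated before these fields the comparison operates on whatever the extraction left in the variables. The row loop in the hunk at -239,6 already uses `pPCX->GetError() || pPCX->IsEof()`; the same test could lead this condition: `if (pPCX->GetError() || pPCX->IsEof() || (nMinX > nMaxX) || (nMinY > nMaxY))`. The check also puts no upper bound on nWidth and nHeight; whether they are validated before sizing the bitmap is outside this hunk.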
@@ -239,6 +246,12 @@
 	nCount = 0;
 	for ( ny = 0; ny < nHeight; ny++ )
 	{
+		if (pPCX->GetError() || pPCX->IsEof())
+		{
+			nStatus = FALSE;
+			break;
+		}
+
 		nPercent = ny * 60 / nHeight + 10;
 		if ( ny == 0 || nLastPercent + 4 <= nPercent )
 		{
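Review bot: The stream test sits at the top of each iteration, so a read failure while decoding the final scanline is never observed: the loop exits on `ny < nHeight` and nStatus keeps its earlier value. Repeating `if (pPCX->GetError() || pPCX->IsEof()) nStatus = FALSE;` once after the loop would cover a file truncated in its last row. The loop body and the code following it are outside this hunk, so a later check may already exist. A one-line comment on the added block saying it bounds the work done on truncated input would also help the next reader.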


Index: openoffice.org.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openoffice.org/F-8/openoffice.org.spec,v
retrieving revision 1.1357
retrieving revision 1.1358
diff -u -r1.1357 -r1.1358
--- openoffice.org.spec	10 Jun 2008 07:51:10 -0000	1.1357
+++ openoffice.org.spec	27 Aug 2008 19:08:07 -0000	1.1358
@@ -1,6 +1,6 @@
 %define oootag OOG680
 %define ooomilestone 6
-%define rh_rpm_release 15
+%define rh_rpm_release 16
 
 # undef to get english only and no-langpacks for a faster smoketest build
 %define langpacks 1
@@ -174,6 +174,7 @@
 Patch92: openoffice.org-3.0.0.ooo85691.vcl.tooltipcolor.patch
 Patch93: workspace.sjfixes03.patch
 Patch94: workspace.mhu18.patch
+Patch95: openoffice.org-2.4.1.ooo92217.sal.alloc.patch
 
 %define instdir %{_libdir}/openoffice.org
 
@@ -1143,6 +1144,7 @@
 %patch92 -p1 -b .ooo85691.vcl.tooltipcolor.patch
 %patch93 -p1 -b .workspace.sjfixes03.patch
 %patch94 -p1 -b .workspace.mhu18.patch
+%patch95 -p1 -b .ooo92217.sal.alloc.patch
 
 %if %{linkopt}
 chmod a+x solenv/bin/mklinkscript.pl
@@ -2857,6 +2859,9 @@
 %{instdir}/share/registry/modules/org/openoffice/Office/Scripting/Scripting-python.xcu
 
 %changelog
+* Wed Aug 27 2008 Caolan McNamara <caolanm at redhat.com> - 1:2.3.0-6.16
+- Resolves: CVE-2008-3282 numeric truncation error in OOo memory allocator
+
 * Tue Jun 10 2008 Caolan McNamara <caolanm at redhat.com> - 1:2.3.0-6.15
 - Resolves: rhbz#450650 CVE-2008-2152
 



