Description: Fix wv2 buffer overflow
calligra (1:2.4.0-0ubuntu2.1) precise-security; urgency=high
* Fix buffer overflow in embedded copy of wv2 MS Word filter (LP: #1032934)
See http://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf
page 40 for details on the attack
Author: Cyrille Berger Skott <cberger@cberger.net>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1032934
Forwarded: <not-needed>
Reviewed-By: Scott Kitterman <scott@kitterman.com>
Last-Update: <2012-08-04>
--- calligra-2.4.0.orig/filters/words/msword-odf/wv2/src/styles.cpp
19
+++ calligra-2.4.0/filters/words/msword-odf/wv2/src/styles.cpp
20
@@ -248,6 +248,11 @@ throw(InvalidFormatException)
21
#ifdef WV2_DEBUG_STYLESHEET
22
wvlog << "cbUPX: " << cbUPX << endl;
24
+ // do not overflow the allocated buffer grupx
25
+ if (offset + cbUPX > grupxLen) {
26
+ wvlog << "====> Error: grupx would overflow!" << endl;
29
for ( U16 j = 0; j < cbUPX; ++j ) {
30
grupx[ offset + j ] = stream->readU8(); // read the whole UPX
31
#ifdef WV2_DEBUG_STYLESHEET