~smartboyhw/ubuntu/raring/calligra/2.6.0-0ubuntu1


Viewing changes to debian/patches/wv2_buffer_overflow_fix.diff

  • Committer: Package Import Robot
  • Author(s): Scott Kitterman
  • Date: 2012-08-04 06:03:11 UTC
  • Revision ID: package-import@ubuntu.com-20120804060311-hrum2v2v4rvt9cwz
Tags: 1:2.4.92-0ubuntu2
* SECURITY UPDATE:
* References See patch header
* Add debian/patches/wv2_buffer_overflow_fix.diff to fix buffer overflow in
  embedded copy of wv2 MS Word filter (LP: #1032934)

Description: Fix wv2 buffer overflow
 .
 calligra (1:2.4.0-0ubuntu2.1) precise-security; urgency=high
 .
   * SECURITY UPDATE:
   * References
   * Fix buffer overflow in embedded copy of wv2 MS Word filter (LP: #1032934)
 See http://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf
 page 40 for details on the attack
Author: Cyrille Berger Skott <cberger@cberger.net>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1032934)
Origin: <upstream>
Forwarded: <not-needed>
Reviewed-By: Scott Kitterman <scott@kitterman.com>
Last-Update: <2012-08-04>


--- calligra-2.4.0.orig/filters/words/msword-odf/wv2/src/styles.cpp
+++ calligra-2.4.0/filters/words/msword-odf/wv2/src/styles.cpp
@@ -248,6 +248,11 @@ throw(InvalidFormatException)
 #ifdef WV2_DEBUG_STYLESHEET
         wvlog << "cbUPX: " << cbUPX << endl;
 #endif
+        // do not overflow the allocated buffer grupx
+        if (offset + cbUPX > grupxLen) {
+            wvlog << "====> Error: grupx would overflow!" << endl;
+            return false;
+        }
         for ( U16 j = 0; j < cbUPX; ++j ) {
             grupx[ offset + j ] = stream->readU8();  // read the whole UPX
 #ifdef WV2_DEBUG_STYLESHEET
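Review bot: the error path of the new guard needs to be settled before this ships: the hunk header shows the function is declared throw(InvalidFormatException), yet the new branch `return false;` instead, so a malformed stylesheet is only rejected if every caller actually checks that boolean; either document that false is this function's error signal and audit the callers, or throw InvalidFormatException here, which the declaration already permits. The check itself is right: `if (offset + cbUPX > grupxLen)` uses `>` rather than `>=`, so a UPX that exactly fills the remaining space in grupx is still accepted, and the following loop writes grupx[ offset + j ] only for j < cbUPX, so no write can land at or past grupxLen once the guard passes. A minor style point: the `====> Error:` message goes to wvlog unconditionally while the adjacent cbUPX trace is wrapped in #ifdef WV2_DEBUG_STYLESHEET; that is reasonable for an input-validation failure, but a one-line comment saying the message is intentionally not debug-only would stop someone from "tidying" it into the ifdef later.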