~smartboyhw/ubuntu/raring/calligra/2.6.0-0ubuntu1


Viewing changes to debian/patches/wv2_buffer_overflow_fix.diff

  • Committer: Package Import Robot
  • Author(s): Jonathan Riddell
  • Date: 2012-08-08 11:05:31 UTC
  • mfrom: (1.1.9)
  • Revision ID: package-import@ubuntu.com-20120808110531-43wco1j5sdm8n47s
Tags: 1:2.5.0-0ubuntu1
New upstream release

Description: Fix wv2 buffer overflow
 .
 calligra (1:2.4.0-0ubuntu2.1) precise-security; urgency=high
 .
   * SECURITY UPDATE:
   * References
   * Fix buffer overflow in embedded copy of wv2 MS Word filter (LP: #1032934)
 See http://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf
 page 40 for details on the attack
Author: Cyrille Berger Skott <cberger@cberger.net>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1032934)
Origin: <upstream>
Forwarded: <not-needed>
Reviewed-By: Scott Kitterman <scott@kitterman.com>
Last-Update: <2012-08-04>


--- calligra-2.4.0.orig/filters/words/msword-odf/wv2/src/styles.cpp
+++ calligra-2.4.0/filters/words/msword-odf/wv2/src/styles.cpp
@@ -248,6 +248,11 @@ throw(InvalidFormatException)
 #ifdef WV2_DEBUG_STYLESHEET
         wvlog << "cbUPX: " << cbUPX << endl;
 #endif
+        // do not overflow the allocated buffer grupx
+        if (offset + cbUPX > grupxLen) {
+            wvlog << "====> Error: grupx would overflow!" << endl;
+            return false;
+        }
         for ( U16 j = 0; j < cbUPX; ++j ) {
             grupx[ offset + j ] = stream->readU8();  // read the whole UPX
 #ifdef WV2_DEBUG_STYLESHEET
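Review bot: the guard `if (offset + cbUPX > grupxLen)` is placed correctly, before the `for ( U16 j = 0; j < cbUPX; ++j )` loop that writes `grupx[ offset + j ]`, and using `>` rather than `>=` is right since the last index written is `offset + cbUPX - 1`; but the declaration of `offset` is outside this hunk, so it is worth a comment confirming its type: if it is a 16-bit type like `cbUPX`, the sum is evaluated in `int` after integral promotion and cannot wrap, whereas a narrow unsigned accumulator would defeat the check. The early `return false` also exits with the stream positioned at the start of the rejected UPX and `cbUPX` already consumed, so the caller must treat `false` as a hard parse failure for this stylesheet rather than retry from the current position. In the DEP-3 header, the `* References` bullet is empty (the BlackHat URL and "page 40" belong under it) and `Bug-Ubuntu:` carries a stray trailing `)`, which tools that parse the URL will include in the link.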