Gentoo's Bugzilla – Attachment 112328 Details for
Bug 169675
app-text/libwpd 0.8.4 heap overflow (CVE-2007-0002, 1466)
[patch]
patch to fix the issue
libwpd-heap-overflow.patch (text/plain), 2.19 KB, created by
Jonathan Smith (RETIRED)
on 2007-03-06 21:12:02 UTC
Description:
patch to fix the issue
Filename:
MIME Type:
Creator:
Jonathan Smith (RETIRED)
Created:
2007-03-06 21:12:02 UTC
Size:
2.19 KB
>--- WP5DefinitionGroup.cpp 2006/11/14 14:52:45 1.5
>+++ WP5DefinitionGroup.cpp 2007/01/12 23:24:41 1.7
>@@ -26,7 +26,7 @@
> #include "WP5Listener.h"
> #include "libwpd_internal.h"
>
>-WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input) :
>+WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input, uint16_t subGroupSize) :
> WP5VariableLengthGroup_SubGroup(),
> m_position(0),
> m_numColumns(0),
>@@ -34,6 +34,7 @@
> m_leftGutter(0),
> m_rightGutter(0)
> {
>+ long startPosition = input->tell();
> // Skip useless old values to read the old column number
> input->seek(2, WPX_SEEK_CUR);
> m_numColumns = readU16(input);
>@@ -50,12 +51,26 @@
> input->seek(10, WPX_SEEK_CUR);
> m_leftOffset = readU16(input);
> int i;
>+ if ((m_numColumns > 32) || ((input->tell() - startPosition + m_numColumns*5) > (subGroupSize - 4)))
>+ throw FileException();
> for (i=0; i < m_numColumns; i++)
>+ {
>+ if (input->atEOS())
>+ throw FileException();
> m_columnWidth[i] = readU16(input);
>+ }
> for (i=0; i < m_numColumns; i++)
>+ {
>+ if (input->atEOS())
>+ throw FileException();
> m_attributeBits[i] = readU16(input);
>+ }
> for (i=0; i < m_numColumns; i++)
>+ {
>+ if (input->atEOS())
>+ throw FileException();
> m_columnAlignment[i] = readU8(input);
>+ }
> }
>
> void WP5DefinitionGroup_DefineTablesSubGroup::parse(WP5Listener *listener)
>@@ -88,7 +103,7 @@
> switch(getSubGroup())
> {
> case WP5_TOP_DEFINITION_GROUP_DEFINE_TABLES:
>- m_subGroupData = new WP5DefinitionGroup_DefineTablesSubGroup(input);
>+ m_subGroupData = new WP5DefinitionGroup_DefineTablesSubGroup(input, getSize());
> break;
> default:
> break;
>--- WP5DefinitionGroup.h 2006/07/12 11:59:23 1.4
>+++ WP5DefinitionGroup.h 2007/01/11 16:57:59 1.5
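Review bot: The bound `m_numColumns > 32` in the third hunk of WP5DefinitionGroup.cpp is a bare literal, while the arrays it protects (`m_columnWidth`, `m_attributeBits`, `m_columnAlignment`) are declared outside this diff, so nothing ties the check to their real capacity. If they are fixed-size members, deriving the limit from the declaration, e.g. `sizeof(m_columnWidth)/sizeof(m_columnWidth[0])` or a named constant shared with the header, keeps the guard correct when the header changes. The size test would also benefit from a comment such as `// each column: 2 bytes width + 2 bytes attribute bits + 1 byte alignment`, plus a word on what the `- 4` accounts for, which the hunk does not say. The per-iteration `atEOS()` test only shows that the stream is not yet exhausted, so a file truncated in the middle of a 16-bit value still reaches `readU16`; whether `readU16` copes with a short read is not visible here and is worth confirming. Parts of the constructor body lie between the hunks and are not shown.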
>@@ -31,7 +31,7 @@
> class WP5DefinitionGroup_DefineTablesSubGroup : public WP5VariableLengthGroup_SubGroup
> {
> public:
>- WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input);
>+ WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input, uint16_t subGroupSize);
> void parse(WP5Listener *listener);
>
> private:
>@@ -58,7 +58,6 @@
>
> private:
> WP5VariableLengthGroup_SubGroup * m_subGroupData;
>-
> };
>
> #endif /* WP5DEFINITIONGROUP_H */