File bnc-774533-koffice-msword-overflow-fix.diff of Package koffice2.openSUSE_12.1_Update

commit 8652ab672eaaa145dfb3782f5011de58aa4cc046
Author: Thorsten Zachmann <t.zachmann@zagge.de>
Date:   Sat Aug 4 06:42:14 2012 +0200

    Make sure not to write behind the allocated memory
    
    Validate the input data so that it does not write beyond the allocated memory. This fixes a
    buffer overflow found by Charlie Miller.

diff --git a/filters/words/msword-odf/wv2/src/styles.cpp b/filters/words/msword-odf/wv2/src/styles.cpp
index 02a82a0..78ac31d 100644
--- a/filters/kword/msword-odf/wv2/src/styles.cpp
+++ b/filters/kword/msword-odf/wv2/src/styles.cpp
@@ -248,6 +248,11 @@ throw(InvalidFormatException)
 #ifdef WV2_DEBUG_STYLESHEET
         wvlog << "cbUPX: " << cbUPX << endl;
 #endif
+        // do not overflow the allocated buffer grupx
+        if (offset + cbUPX > grupxLen) {
+            wvlog << "====> Error: grupx would overflow!" << endl;
+            return false;
+        }
         for ( U16 j = 0; j < cbUPX; ++j ) {
             grupx[ offset + j ] = stream->readU8();  // read the whole UPX
 #ifdef WV2_DEBUG_STYLESHEET
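Review bot: The new guard `if (offset + cbUPX > grupxLen)` is only wrap-free if the sum cannot exceed the width of its operand type; the declarations of offset, cbUPX and grupxLen are outside this hunk, and if offset is a 32-bit unsigned the addition could wrap on a corrupt file and let an out-of-range offset pass the check. Writing it as `if (offset > grupxLen || cbUPX > grupxLen - offset)` rules that out for any operand width without changing the accepted inputs. The comment on the new line could also state the invariant being protected, e.g. `// bounds check: the UPX at [offset, offset + cbUPX) must lie inside grupx (grupxLen bytes)`. The enclosing function starts before the hunk and its return type is not visible here, so the `return false;` is assumed to match it.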