AOO410/ext_libraries/hunspell/hunspell-1.3.2-overflow.patch - openoffice - Git at Google

 --- misc/hunspell-1.3.2/src/hunspell/affixmgr.cxx	2010-02-27 12:59:53.000000000 +0100
 +++ misc/build/hunspell-1.3.2/src/hunspell/affixmgr.cxx	2011-05-18 16:29:45.919141893 +0200
 @@ -6,6 +6,8 @@
  #include <stdio.h>
  #include <ctype.h>

 +#include <limits>
 +
  #include "affixmgr.hxx"
  #include "affentry.hxx"
  #include "langnum.hxx"
 @@ -4000,7 +4002,10 @@
               case 3: {
                         np++;
                         numents = atoi(piece);
 -                       if (numents == 0) {
 +                       if ((numents <= 0) ||
 +                           ((::std::numeric_limits<size_t>::max()
 +                                / sizeof(struct affentry)) < numents))
 +                       {
                             char * err = pHMgr->encode_flag(aflag);
                             if (err) {
                                  HUNSPELL_WARNING(stderr, "error: line %d: bad entry number\n",
 --- misc/hunspell-1.3.2/src/tools/munch.c	2010-02-27 21:49:49.000000000 +0100
 +++ misc/build/hunspell-1.3.2/src/tools/munch.c	2011-05-18 15:53:53.427072106 +0200
 @@ -4,6 +4,7 @@
  #include <string.h>
  #include <unistd.h>
  #include <stdlib.h>
 +#include <stdint.h>
  #include <stdio.h>
  #include <sys/types.h>
  #include <sys/stat.h>
 @@ -233,10 +233,19 @@
                      case 1: { achar = *piece; break; }
                      case 2: { if (*piece == 'Y') ff = XPRODUCT; break; }
                      case 3: { numents = atoi(piece);
 -                              ptr = malloc(numents * sizeof(struct affent));
 -                              ptr->achar = achar;
 -                              ptr->xpflg = ff;
 -	                      fprintf(stderr,"parsing %c entries %d\n",achar,numents);
 +                              if ((numents < 0) ||
 +                                  ((SIZE_MAX/sizeof(struct affent)) < numents))
 +                              {
 +                                 fprintf(stderr,
 +                                     "Error: too many entries: %d\n", numents);
 +                                 numents = 0;
 +                              } else {
 +                                 ptr = malloc(numents * sizeof(struct affent));
 +                                 ptr->achar = achar;
 +                                 ptr->xpflg = ff;
 +                                 fprintf(stderr,"parsing %c entries %d\n",
 +                                         achar,numents);
 +                              }
                                break;
                              }
  		    default: break;
 --- misc/hunspell-1.3.2/src/tools/unmunch.c	2010-02-23 15:53:29.000000000 +0100
 +++ misc/build/hunspell-1.3.2/src/tools/unmunch.c	2011-05-18 20:53:43.843599726 +0200
 @@ -6,6 +6,7 @@
  #include <string.h>
  #include <unistd.h>
  #include <stdlib.h>
 +#include <stdint.h>
  #include <stdio.h>
  #include <sys/types.h>
  #include <sys/stat.h>
 @@ -158,10 +159,19 @@
                      case 1: { achar = *piece; break; }
                      case 2: { if (*piece == 'Y') ff = XPRODUCT; break; }
                      case 3: { numents = atoi(piece);
 -                              ptr = malloc(numents * sizeof(struct affent));
 -                              ptr->achar = achar;
 -                              ptr->xpflg = ff;
 -	                      fprintf(stderr,"parsing %c entries %d\n",achar,numents);
 +                              if ((numents < 0) ||
 +                                  ((SIZE_MAX/sizeof(struct affent)) < numents))
 +                              {
 +                                 fprintf(stderr,
 +                                     "Error: too many entries: %d\n", numents);
 +                                 numents = 0;
 +                              } else {
 +                                 ptr = malloc(numents * sizeof(struct affent));
 +                                 ptr->achar = achar;
 +                                 ptr->xpflg = ff;
 +                                 fprintf(stderr,"parsing %c entries %d\n",
 +                                         achar,numents);
 +                              }
                                break;
                              }
  		    default: break;
	--- misc/hunspell-1.3.2/src/hunspell/affixmgr.cxx 2010-02-27 12:59:53.000000000 +0100
	+++ misc/build/hunspell-1.3.2/src/hunspell/affixmgr.cxx 2011-05-18 16:29:45.919141893 +0200
	@@ -6,6 +6,8 @@
	#include <stdio.h>
	#include <ctype.h>

	+#include <limits>
	+
	#include "affixmgr.hxx"
	#include "affentry.hxx"
	#include "langnum.hxx"
	@@ -4000,7 +4002,10 @@
	case 3: {
	np++;
	numents = atoi(piece);
	- if (numents == 0) {
	+ if ((numents <= 0) \|\|
	+ ((::std::numeric_limits<size_t>::max()
	+ / sizeof(struct affentry)) < numents))
	+ {
	char * err = pHMgr->encode_flag(aflag);
	if (err) {
	HUNSPELL_WARNING(stderr, "error: line %d: bad entry number\n",
	--- misc/hunspell-1.3.2/src/tools/munch.c 2010-02-27 21:49:49.000000000 +0100
	+++ misc/build/hunspell-1.3.2/src/tools/munch.c 2011-05-18 15:53:53.427072106 +0200
	@@ -4,6 +4,7 @@
	#include <string.h>
	#include <unistd.h>
	#include <stdlib.h>
	+#include <stdint.h>
	#include <stdio.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	@@ -233,10 +233,19 @@
	case 1: { achar = *piece; break; }
	case 2: { if (*piece == 'Y') ff = XPRODUCT; break; }
	case 3: { numents = atoi(piece);
	- ptr = malloc(numents * sizeof(struct affent));
	- ptr->achar = achar;
	- ptr->xpflg = ff;
	- fprintf(stderr,"parsing %c entries %d\n",achar,numents);
	+ if ((numents < 0) \|\|
	+ ((SIZE_MAX/sizeof(struct affent)) < numents))
	+ {
	+ fprintf(stderr,
	+ "Error: too many entries: %d\n", numents);
	+ numents = 0;
	+ } else {
	+ ptr = malloc(numents * sizeof(struct affent));
	+ ptr->achar = achar;
	+ ptr->xpflg = ff;
	+ fprintf(stderr,"parsing %c entries %d\n",
	+ achar,numents);
	+ }
	break;
	}
	default: break;
	--- misc/hunspell-1.3.2/src/tools/unmunch.c 2010-02-23 15:53:29.000000000 +0100
	+++ misc/build/hunspell-1.3.2/src/tools/unmunch.c 2011-05-18 20:53:43.843599726 +0200
	@@ -6,6 +6,7 @@
	#include <string.h>
	#include <unistd.h>
	#include <stdlib.h>
	+#include <stdint.h>
	#include <stdio.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	@@ -158,10 +159,19 @@
	case 1: { achar = *piece; break; }
	case 2: { if (*piece == 'Y') ff = XPRODUCT; break; }
	case 3: { numents = atoi(piece);
	- ptr = malloc(numents * sizeof(struct affent));
	- ptr->achar = achar;
	- ptr->xpflg = ff;
	- fprintf(stderr,"parsing %c entries %d\n",achar,numents);
	+ if ((numents < 0) \|\|
	+ ((SIZE_MAX/sizeof(struct affent)) < numents))
	+ {
	+ fprintf(stderr,
	+ "Error: too many entries: %d\n", numents);
	+ numents = 0;
	+ } else {
	+ ptr = malloc(numents * sizeof(struct affent));
	+ ptr->achar = achar;
	+ ptr->xpflg = ff;
	+ fprintf(stderr,"parsing %c entries %d\n",
	+ achar,numents);
	+ }
	break;
	}
	default: break;