[SCM] Calligra suite packaging branch, master, updated. debian/2.4.2-3-11-g9226712

Pino Toscano pino at alioth.debian.org
Mon Aug 6 09:25:15 UTC 2012


Gitweb-URL: http://git.debian.org/?p=pkg-kde/kde-std/calligra.git;a=commitdiff;h=9226712

The following commit has been merged in the master branch:
commit 922671281ec7548d0dc51448437aa18b85f10d4c
Author: Pino Toscano <pino at debian.org>
Date:   Mon Aug 6 11:24:45 2012 +0200

    fix a buffer overflow in the msword import filter (#684004)
    
    backport upstream commit 7d72f7dd8d28d18c59a08a7d43bd4e0654043103
---
 debian/changelog                                   |    6 ++++
 debian/patches/series                              |    1 +
 ...-not-to-write-behind-the-allocated-memory.patch |   31 ++++++++++++++++++++
 3 files changed, 38 insertions(+), 0 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index dbd56eb..4487221 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,12 @@ calligra (1:2.4.3-2) UNRELEASED; urgency=low
   * Split the templates from calligra-data to the application's packages.
     (Closes: #682763)
 
+  [ Pino Toscano ]
+  * Backport upstream commit 7d72f7dd8d28d18c59a08a7d43bd4e0654043103 to fix
+    a buffer overflow in the msword import filter; patch
+    upstream_Make-sure-not-to-write-behind-the-allocated-memory.patch.
+    (Closes: #684004)
+
  -- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org>  Mon, 02 Jul 2012 19:05:06 +0200
 
 calligra (1:2.4.3-1) unstable; urgency=low
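
Review bot: The 1:2.4.3-2 stanza header still reads urgency=low while the new entry records a buffer overflow fix in the msword import filter, which parses untrusted documents. Consider raising the urgency when the upload is finalized. The entry could also name the affected file (wv2 styles.cpp) so the fix is easier to trace from the changelog alone.
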
diff --git a/debian/patches/series b/debian/patches/series
index 7dc314a..b3003c0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 do_not_link_blas.diff
+upstream_Make-sure-not-to-write-behind-the-allocated-memory.patch
diff --git a/debian/patches/upstream_Make-sure-not-to-write-behind-the-allocated-memory.patch b/debian/patches/upstream_Make-sure-not-to-write-behind-the-allocated-memory.patch
new file mode 100644
index 0000000..2ece095
--- /dev/null
+++ b/debian/patches/upstream_Make-sure-not-to-write-behind-the-allocated-memory.patch
@@ -0,0 +1,31 @@
+From 7d72f7dd8d28d18c59a08a7d43bd4e0654043103 Mon Sep 17 00:00:00 2001
+From: Thorsten Zachmann <t.zachmann at zagge.de>
+Date: Sat, 4 Aug 2012 06:42:14 +0200
+Subject: [PATCH] Make sure not to write behind the allocated memory
+
+Validate the input data to not write behind the allocated memory. This fixes a
+buffer overflow found by Charlie Miller.
+(cherry picked from commit 8652ab672eaaa145dfb3782f5011de58aa4cc046)
+---
+ filters/words/msword-odf/wv2/src/styles.cpp |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/filters/words/msword-odf/wv2/src/styles.cpp b/filters/words/msword-odf/wv2/src/styles.cpp
+index c3132f0..0d691f5 100644
+--- a/filters/words/msword-odf/wv2/src/styles.cpp
++++ b/filters/words/msword-odf/wv2/src/styles.cpp
+@@ -248,6 +248,11 @@ throw(InvalidFormatException)
+ #ifdef WV2_DEBUG_STYLESHEET
+         wvlog << "cbUPX: " << cbUPX << endl;
+ #endif
++        // do not overflow the allocated buffer grupx
++        if (offset + cbUPX > grupxLen) {
++            wvlog << "====> Error: grupx would overflow!" << endl;
++            return false;
++        }
+         for ( U16 j = 0; j < cbUPX; ++j ) {
+             grupx[ offset + j ] = stream->readU8();  // read the whole UPX
+ #ifdef WV2_DEBUG_STYLESHEET
+-- 
+1.7.10.4
+
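
Review bot: The new guard `if (offset + cbUPX > grupxLen)` in styles.cpp is only sound if the sum is evaluated in a type that cannot wrap and if the comparison with grupxLen involves no signed/unsigned conversion. The declarations of offset and grupxLen are outside this hunk, so please confirm them. The subtraction form is safe regardless of width: check offset <= grupxLen first, then cbUPX > grupxLen - offset. Two smaller points: the function is declared throw(InvalidFormatException) but the new path returns false, which leaves the stream positioned before the unread UPX bytes, so callers must stop parsing the stylesheet on false. The Debian patch file keeps the upstream git headers but has no Bug-Debian reference to #684004.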

-- 
Calligra suite packaging
