Pullup ticket #2508 - requested by hira

openoffice2: security patch

Revisions pulled up:
- misc/openoffice2/Makefile		1.48
- misc/openoffice2/distinfo		1.41
- misc/openoffice2/patches/patch-de	1.1
---
Module Name:	pkgsrc
Committed By:	hira
Date:		Fri Aug 29 08:08:11 UTC 2008

Modified Files:
	pkgsrc/misc/openoffice2: Makefile distinfo
Added Files:
	pkgsrc/misc/openoffice2/patches: patch-de

Log Message:
Fix CVE-2008-3282 (OpenOffice.org "rtl_allocateMemory()" Truncation
Vulnerability).

Bump PKGREVISION.

3 files changed, 43 insertions, 2 deletions

diff --git a/misc/openoffice2/Makefile b/misc/openoffice2/Makefile
index fab285745ae..067d132761c 100644
--- a/misc/openoffice2/Makefile
+++ b/misc/openoffice2/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.47 2008/06/13 11:20:14 hira Exp $
+# $NetBSD: Makefile,v 1.47.4.1 2008/08/30 18:46:33 tron Exp $
 #
 
 OO_VER=			2.4.1
+PKGREVISION=		1
 DISTNAME=		openoffice-${OO_VER}
 PKGNAME=		openoffice2-${OO_VER}
 CATEGORIES=		misc
diff --git a/misc/openoffice2/distinfo b/misc/openoffice2/distinfo
index c71d68a2f63..4afccef670b 100644
--- a/misc/openoffice2/distinfo
+++ b/misc/openoffice2/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.40 2008/06/13 11:20:14 hira Exp $
+$NetBSD: distinfo,v 1.40.4.1 2008/08/30 18:46:33 tron Exp $
 
 SHA1 (openoffice-2.4.1/OOo_2.4.1_src_binfilter.tar.bz2) = a50c7f317643b756c2b0e8937fa9d64b99f05ed9
 RMD160 (openoffice-2.4.1/OOo_2.4.1_src_binfilter.tar.bz2) = 04ffce167f94a250f94f05923a70af0b0744c417
@@ -66,3 +66,4 @@ SHA1 (patch-cy) = 8d47bcf1da6f351f4f0cbf6a8355903094b0baee
 SHA1 (patch-da) = c2c9332dcf22d2d201215813ac9fc7e7ac401c6d
 SHA1 (patch-dc) = 125ae2e943946cb96c6f7513dccced0c9d8797af
 SHA1 (patch-dd) = 6f791b6be13e37a59b3115ab338587489079b89d
+SHA1 (patch-de) = 138fbea73fec80c744c3eede57dfe5f1cddef573
diff --git a/misc/openoffice2/patches/patch-de b/misc/openoffice2/patches/patch-de
new file mode 100644
index 00000000000..70a044d6d33
--- /dev/null
+++ b/misc/openoffice2/patches/patch-de
@@ -0,0 +1,39 @@
+$NetBSD: patch-de,v 1.1.2.2 2008/08/30 18:46:33 tron Exp $
+
+Fix CVE-2008-3282.
+
+--- sal/rtl/source/alloc_global.c.orig	2008-05-21 21:53:26.000000000 +0900
++++ sal/rtl/source/alloc_global.c	2008-08-29 08:18:14.000000000 +0900
+@@ -214,9 +214,7 @@
+ 		char *     addr;
+ 		sal_Size   size = RTL_MEMORY_ALIGN(n + RTL_MEMALIGN, RTL_MEMALIGN);
+ 
+-		int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
+ 		OSL_ASSERT(RTL_MEMALIGN >= sizeof(sal_Size));
+-
+ 		if (n >= SAL_MAX_SIZE - (RTL_MEMALIGN + RTL_MEMALIGN - 1))
+ 		{
+ 			/* requested size too large for roundup alignment */
+@@ -224,8 +222,8 @@
+ 		}
+ 
+ try_alloc:
+-		if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
+-			addr = (char*)rtl_cache_alloc (g_alloc_table[index]);
++		if (size <= RTL_MEMORY_CACHED_LIMIT)
++			addr = (char*)rtl_cache_alloc(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT]);
+ 		else
+ 			addr = (char*)rtl_arena_alloc (gp_alloc_arena, &size);
+ 
+@@ -255,9 +253,8 @@
+ 		char *   addr = (char*)(p) - RTL_MEMALIGN;
+ 		sal_Size size = ((sal_Size*)(addr))[0];
+ 
+-		int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
+-		if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
+-			rtl_cache_free (g_alloc_table[index], addr);
++		if (size <= RTL_MEMORY_CACHED_LIMIT)
++			rtl_cache_free(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT], addr);
+ 		else
+ 			rtl_arena_free (gp_alloc_arena, addr, size);
+ 	}