authorhira <hira>2007-09-30 12:27:40 +0000
committerhira <hira>2007-09-30 12:27:40 +0000
commitaf14f89a0099c9b3eac792209ac7d919e4daf028 (patch)
tree34bc5f0604ea64d2f07ab1af20f521976abddf14
parent8d02ecaa47ff02b834a10656e9bede8cf37b5738 (diff)
- Fix CVE-2007-2834 (Manipulated TIFF files can lead to heap
overflows and arbitrary code execution). - Use internal libwpd (fix buildlink error of gnome-vfs). Bump PKGREVISION.
-rw-r--r--misc/openoffice2/Makefile6
-rw-r--r--misc/openoffice2/distinfo3
-rw-r--r--misc/openoffice2/patches/patch-co104
3 files changed, 108 insertions, 5 deletions
diff --git a/misc/openoffice2/Makefile b/misc/openoffice2/Makefile
index aa5b953d858..caaca28c578 100644
--- a/misc/openoffice2/Makefile
+++ b/misc/openoffice2/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.23 2007/09/21 13:04:03 wiz Exp $
+# $NetBSD: Makefile,v 1.24 2007/09/30 12:27:40 hira Exp $
#
OO_VER= 2.2.1
DISTNAME= openoffice-${OO_VER}
PKGNAME= openoffice2-${OO_VER}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= misc
MASTER_SITES= ${MASTER_SITE_OPENOFFICE:=stable/${OO_VER}/}
DIST_SUBDIR= ${DISTNAME}
@@ -55,7 +55,6 @@ CONFIGURE_ARGS+= --enable-binfilter
CONFIGURE_ARGS+= --enable-cairo
CONFIGURE_ARGS+= --disable-ldap
CONFIGURE_ARGS+= --with-system-freetype
-CONFIGURE_ARGS+= --with-system-libwpd
# `portable' supports all platforms.
CONFIGURE_ARGS+= --enable-epm --with-package-format=portable
@@ -142,7 +141,6 @@ ARCH= ${MACHINE_ARCH:C/i[3-6]86/i386/g}
. include "Makefile.${OPSYS}.${ARCH}"
.endif
-.include "../../converters/libwpd/buildlink3.mk"
.include "../../fonts/fontconfig/buildlink3.mk"
.include "../../graphics/MesaLib/buildlink3.mk"
.include "../../graphics/cairo/buildlink3.mk"
diff --git a/misc/openoffice2/distinfo b/misc/openoffice2/distinfo
index f5e5c1a8069..7e974530bda 100644
--- a/misc/openoffice2/distinfo
+++ b/misc/openoffice2/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2007/06/22 03:52:20 hira Exp $
+$NetBSD: distinfo,v 1.21 2007/09/30 12:27:40 hira Exp $
SHA1 (openoffice-2.2.1/OOo_2.2.1_src_binfilter.tar.bz2) = aa2c316e0fab13a25c07c2cfd0eafb7a50c96678
RMD160 (openoffice-2.2.1/OOo_2.2.1_src_binfilter.tar.bz2) = a6194849bb8e2130709a7ff769a8e751a43f86c6
@@ -61,3 +61,4 @@ SHA1 (patch-ch) = bcfeb99318a16e83f2e54fb94d275224c67182fb
SHA1 (patch-ci) = 2861e8a4b21977cbc8abeabe4581093e966cdfa7
SHA1 (patch-cj) = c54fd98e5302a86ec849b90c617ebfcf339c936d
SHA1 (patch-cn) = 67afccde1d7bfa42ec4082067189da23ada97190
+SHA1 (patch-co) = cb8f2a38185a66f20f891946de7b0fba22bde481
diff --git a/misc/openoffice2/patches/patch-co b/misc/openoffice2/patches/patch-co
new file mode 100644
index 00000000000..db58fab3aa1
--- /dev/null
+++ b/misc/openoffice2/patches/patch-co
@@ -0,0 +1,104 @@
+$NetBSD: patch-co,v 1.1 2007/09/30 12:27:40 hira Exp $
+
+NOTE: This patch fixes CVE-2007-2834. It's already fixed in OOo 2.3.0.
+
+--- goodies/source/filter.vcl/itiff/itiff.cxx.orig 2006-11-15 01:17:15.000000000 +0900
++++ goodies/source/filter.vcl/itiff/itiff.cxx 2007-09-30 18:12:19.000000000 +0900
+@@ -4,9 +4,9 @@
+ *
+ * $RCSfile: patch-co,v $
+ *
+- * $Revision: 1.1 $
++ * $Revision: 1.1 $
+ *
+- * last change: $Author: hira $ $Date: 2007/09/30 12:27:40 $
++ * last change: $Author: hira $ $Date: 2007/09/30 12:27:40 $
+ *
+ * The Contents of this file are made available subject to
+ * the terms of GNU Lesser General Public License Version 2.1.
+@@ -132,7 +132,7 @@
+ double ReadDoubleData();
+
+ void ReadHeader();
+- void ReadTagData( USHORT nTagType, ULONG nDataLen );
++ void ReadTagData( USHORT nTagType, sal_uInt32 nDataLen );
+
+ BOOL ReadMap( ULONG nMinPercent, ULONG nMaxPercent );
+ // Liesst/dekomprimert die Bitmap-Daten, und fuellt pMap
+@@ -290,7 +290,7 @@
+
+ // ---------------------------------------------------------------------------------
+
+-void TIFFReader::ReadTagData( USHORT nTagType, ULONG nDataLen)
++void TIFFReader::ReadTagData( USHORT nTagType, sal_uInt32 nDataLen)
+ {
+ if ( bStatus == FALSE )
+ return;
+@@ -353,16 +353,25 @@
+ case 0x0111: { // Strip Offset(s)
+ ULONG nOldNumSO, i, * pOldSO;
+ pOldSO = pStripOffsets;
+- if ( pOldSO == NULL ) nNumStripOffsets = 0; // Sicherheitshalber
++ if ( pOldSO == NULL )
++ nNumStripOffsets = 0;
+ nOldNumSO = nNumStripOffsets;
+- nNumStripOffsets += nDataLen;
+- pStripOffsets = new ULONG[ nNumStripOffsets ];
+- for ( i = 0; i < nOldNumSO; i++ )
+- pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos;
+- for ( i = nOldNumSO; i < nNumStripOffsets; i++ )
+- pStripOffsets[ i ] = ReadIntData() + nOrigPos;
+- if ( pOldSO != NULL )
++ nDataLen += nOldNumSO;
++ if ( ( nDataLen > nOldNumSO ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
++ {
++ nNumStripOffsets = nDataLen;
++ pStripOffsets = new ULONG[ nNumStripOffsets ];
++ if ( !pStripOffsets )
++ nNumStripOffsets = 0;
++ else
++ {
++ for ( i = 0; i < nOldNumSO; i++ )
++ pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos;
++ for ( i = nOldNumSO; i < nNumStripOffsets; i++ )
++ pStripOffsets[ i ] = ReadIntData() + nOrigPos;
++ }
+ delete[] pOldSO;
++ }
+ OOODEBUG("StripOffsets (Anzahl:)",nDataLen);
+ break;
+ }
+@@ -384,16 +393,25 @@
+ case 0x0117: { // Strip Byte Counts
+ ULONG nOldNumSBC, i, * pOldSBC;
+ pOldSBC = pStripByteCounts;
+- if ( pOldSBC == NULL ) nNumStripByteCounts = 0; // Sicherheitshalber
++ if ( pOldSBC == NULL )
++ nNumStripByteCounts = 0; // Sicherheitshalber
+ nOldNumSBC = nNumStripByteCounts;
+- nNumStripByteCounts += nDataLen;
+- pStripByteCounts = new ULONG[ nNumStripByteCounts ];
+- for ( i = 0; i < nOldNumSBC; i++ )
+- pStripByteCounts[ i ] = pOldSBC[ i ];
+- for ( i = nOldNumSBC; i < nNumStripByteCounts; i++)
+- pStripByteCounts[ i ] = ReadIntData();
+- if ( pOldSBC != NULL )
++ nDataLen += nOldNumSBC;
++ if ( ( nDataLen > nOldNumSBC ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
++ {
++ nNumStripByteCounts = nDataLen;
++ pStripByteCounts = new ULONG[ nNumStripByteCounts ];
++ if ( !nNumStripByteCounts )
++ nNumStripByteCounts = 0;
++ else
++ {
++ for ( i = 0; i < nOldNumSBC; i++ )
++ pStripByteCounts[ i ] = pOldSBC[ i ];
++ for ( i = nOldNumSBC; i < nNumStripByteCounts; i++)
++ pStripByteCounts[ i ] = ReadIntData();
++ }
+ delete[] pOldSBC;
++ }
+ OOODEBUG("StripByteCounts (Anzahl:)",nDataLen);
+ break;
+ }
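Review bot: In the Strip Byte Counts case (tag 0x0117) the allocation check reads `if ( !nNumStripByteCounts )`, which tests the count that was just set to a non-zero `nDataLen` rather than the pointer, so it can never fire; to match the Strip Offsets case it should be `if ( !pStripByteCounts )`. In both cases a length that fails the wrap/size test is dropped silently and parsing continues with the old arrays, so a malformed file is not rejected; adding `else bStatus = FALSE;` to the outer `if` would stop the reader, assuming `bStatus` is the failure flag that the early return at the top of `ReadTagData` suggests. The bound divides by `sizeof( sal_uInt32 )` while the arrays hold `ULONG`, so `sizeof( ULONG )` would keep the limit tied to the real element size on platforms where the two differ. `ReadTagData` begins and ends outside these inner hunks, so the remaining tag cases are not covered by this note.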