diff options
Diffstat (limited to 'misc/openoffice2/patches/patch-de')
-rw-r--r-- | misc/openoffice2/patches/patch-de | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/misc/openoffice2/patches/patch-de b/misc/openoffice2/patches/patch-de new file mode 100644 index 00000000000..70a044d6d33 --- /dev/null +++ b/misc/openoffice2/patches/patch-de @@ -0,0 +1,39 @@ +$NetBSD: patch-de,v 1.1.2.2 2008/08/30 18:46:33 tron Exp $ + +Fix CVE-2008-3282. + +--- sal/rtl/source/alloc_global.c.orig 2008-05-21 21:53:26.000000000 +0900 ++++ sal/rtl/source/alloc_global.c 2008-08-29 08:18:14.000000000 +0900 +@@ -214,9 +214,7 @@ + char * addr; + sal_Size size = RTL_MEMORY_ALIGN(n + RTL_MEMALIGN, RTL_MEMALIGN); + +- int index = (size - 1) >> RTL_MEMALIGN_SHIFT; + OSL_ASSERT(RTL_MEMALIGN >= sizeof(sal_Size)); +- + if (n >= SAL_MAX_SIZE - (RTL_MEMALIGN + RTL_MEMALIGN - 1)) + { + /* requested size too large for roundup alignment */ +@@ -224,8 +222,8 @@ + } + + try_alloc: +- if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT) +- addr = (char*)rtl_cache_alloc (g_alloc_table[index]); ++ if (size <= RTL_MEMORY_CACHED_LIMIT) ++ addr = (char*)rtl_cache_alloc(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT]); + else + addr = (char*)rtl_arena_alloc (gp_alloc_arena, &size); + +@@ -255,9 +253,8 @@ + char * addr = (char*)(p) - RTL_MEMALIGN; + sal_Size size = ((sal_Size*)(addr))[0]; + +- int index = (size - 1) >> RTL_MEMALIGN_SHIFT; +- if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT) +- rtl_cache_free (g_alloc_table[index], addr); ++ if (size <= RTL_MEMORY_CACHED_LIMIT) ++ rtl_cache_free(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT], addr); + else + rtl_arena_free (gp_alloc_arena, addr, size); + } |