1 files changed, 39 insertions, 0 deletions

diff --git a/misc/openoffice2/patches/patch-de b/misc/openoffice2/patches/patch-de
new file mode 100644
index 00000000000..70a044d6d33
--- /dev/null
+++ b/misc/openoffice2/patches/patch-de
@@ -0,0 +1,39 @@
+$NetBSD: patch-de,v 1.1.2.2 2008/08/30 18:46:33 tron Exp $
+
+Fix CVE-2008-3282.
+
+--- sal/rtl/source/alloc_global.c.orig	2008-05-21 21:53:26.000000000 +0900
++++ sal/rtl/source/alloc_global.c	2008-08-29 08:18:14.000000000 +0900
+@@ -214,9 +214,7 @@
+ 		char *     addr;
+ 		sal_Size   size = RTL_MEMORY_ALIGN(n + RTL_MEMALIGN, RTL_MEMALIGN);
+ 
+-		int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
+ 		OSL_ASSERT(RTL_MEMALIGN >= sizeof(sal_Size));
+-
+ 		if (n >= SAL_MAX_SIZE - (RTL_MEMALIGN + RTL_MEMALIGN - 1))
+ 		{
+ 			/* requested size too large for roundup alignment */
+@@ -224,8 +222,8 @@
+ 		}
+ 
+ try_alloc:
+-		if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
+-			addr = (char*)rtl_cache_alloc (g_alloc_table[index]);
++		if (size <= RTL_MEMORY_CACHED_LIMIT)
++			addr = (char*)rtl_cache_alloc(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT]);
+ 		else
+ 			addr = (char*)rtl_arena_alloc (gp_alloc_arena, &size);
+ 
+@@ -255,9 +253,8 @@
+ 		char *   addr = (char*)(p) - RTL_MEMALIGN;
+ 		sal_Size size = ((sal_Size*)(addr))[0];
+ 
+-		int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
+-		if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
+-			rtl_cache_free (g_alloc_table[index], addr);
++		if (size <= RTL_MEMORY_CACHED_LIMIT)
++			rtl_cache_free(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT], addr);
+ 		else
+ 			rtl_arena_free (gp_alloc_arena, addr, size);
+ 	}