Resolves: rhbz#1461763 CVE-2017-9433 Out-of-bounds write in the MsWrd1Parser::readFootnoteCorrespondence function

8 years ago · 2d9f671072
parent 178e297aae
commit 2d9f671072
2 changed files with 32 additions and 1 deletions
--- a/0001-ofz-1037-resize-vector-correctly.patch
+++ b/0001-ofz-1037-resize-vector-correctly.patch
@ -0,0 +1,25 @@
+From 68b3b74569881248bfb6cbb4266177cc253b292f Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Sat, 8 Apr 2017 14:03:29 +0200
+Subject: [PATCH] ofz#1037 resize vector correctly
+
+---
+ src/lib/MsWrd1Parser.cxx | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/MsWrd1Parser.cxx b/src/lib/MsWrd1Parser.cxx
+index 63547e6..3626064 100644
+--- a/src/lib/MsWrd1Parser.cxx
+++ b/src/lib/MsWrd1Parser.cxx
+@@ -902,7 +902,7 @@ bool MsWrd1Parser::readFootnoteCorrespondance(MWAWVec2i limits)
+     int id = fIt++->second;
+     fPos[1] = fIt==footnoteMap.end() ? m_state->m_eot : fIt->first;
+     if (id >= int(m_state->m_footnotesList.size()))
+-      m_state->m_footnotesList.resize(size_t(id),MWAWVec2l(0,0));
+      m_state->m_footnotesList.resize(size_t(id)+1,MWAWVec2l(0,0));
+     m_state->m_footnotesList[size_t(id)]=fPos;
+   }
+   ascii().addDelimiter(input->tell(),'|');
+-- 
+2.13.0
+
--- a/libmwaw.spec
+++ b/libmwaw.spec
@ -2,13 +2,15 @@

 Name: libmwaw
 Version: 0.3.11
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: A library for import of many old Mac document formats

 License: LGPLv2+ or MPLv2.0
 URL: http://sourceforge.net/projects/libmwaw/
 Source: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz

+Patch0: 0001-ofz-1037-resize-vector-correctly.patch
+
 BuildRequires: doxygen
 BuildRequires: help2man
 BuildRequires: pkgconfig(librevenge-0.0)
@ -104,6 +106,10 @@ install -m 0644 mwaw2*.1 %{buildroot}/%{_mandir}/man1
 %{_mandir}/man1/mwaw2text.1*

 %changelog
+* Thu Jun 15 2017 David Tardon <dtardon@redhat.com> - 0.3.11-3
+- Resolves: rhbz#1461763 CVE-2017-9433 Out-of-bounds write in the
+  MsWrd1Parser::readFootnoteCorrespondence function
+
 * Mon May 15 2017 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3.11-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild