Hunspell: fix buffer overflow during morphological analysis

affected: thesaurus usage in a Hungarian document

test case: press Ctrl+F7 on the word "művészegyéniség"

Change-Id: I024568e81265c4ce3e05f718bf9147229416ab73
This commit is contained in:
László Németh 2014-09-26 15:54:44 +02:00
parent bcded18043
commit b37a88c308
2 changed files with 31 additions and 0 deletions

View file

@ -18,6 +18,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hunspell,\
external/hunspell/hunspell-1.3.2-nullptr.patch \
external/hunspell/hunspell-1.3.2-literal.patch \
external/hunspell/hunspell-fdo48017-wfopen.patch \
external/hunspell/hunspell-morph-overflow.patch \
))
ifeq ($(COM),MSC)

View file

@ -0,0 +1,30 @@
--- hunspell/src/hunspell/affixmgr.cxx 2014-09-24 16:11:10.750421303 +0200
+++ build/hunspell/src/hunspell/affixmgr.cxx 2014-09-26 15:25:09.448688908 +0200
@@ -2400,8 +2400,10 @@
}
mystrcat(*result, presult, MAXLNLEN);
if (m || (*m != '\0')) {
- sprintf(*result + strlen(*result), "%c%s%s%s", MSEP_FLD,
+ char m2[MAXLNLEN];
+ sprintf(m2, "%c%s%s%s", MSEP_FLD,
MORPH_PART, word + i, line_uniq_app(&m, MSEP_REC));
+ mystrcat(*result, m2, MAXLNLEN);
}
if (m) free(m);
mystrcat(*result, "\n", MAXLNLEN);
@@ -2481,11 +2483,13 @@
}
mystrcat(*result, presult, MAXLNLEN);
if (m && (*m != '\0')) {
- sprintf(*result + strlen(*result), "%c%s%s%s", MSEP_FLD,
+ char m2[MAXLNLEN];
+ sprintf(m2, "%c%s%s%s", MSEP_FLD,
MORPH_PART, word + i, line_uniq_app(&m, MSEP_REC));
+ mystrcat(*result, m2, MAXLNLEN);
}
if (m) free(m);
- sprintf(*result + strlen(*result), "%c", MSEP_REC);
+ if (strlen(*result) + 1 < MAXLNLEN) sprintf(*result + strlen(*result), "%c", MSEP_REC);
ok = 1;
}