From b37a88c3080fc72f5f0ff9068bc71098be70ed11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A1szl=C3=B3=20N=C3=A9meth?=
Date: Fri, 26 Sep 2014 15:54:44 +0200
Subject: [PATCH] Hunspell: fix buffer overflow during morphological analysis
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
affected: thesaurus usage in a Hungarian document
test case: press Ctrl+F7 on the word "művészegyéniség"
Change-Id: I024568e81265c4ce3e05f718bf9147229416ab73
---
 external/hunspell/UnpackedTarball_hunspell.mk | 1 +
 .../hunspell/hunspell-morph-overflow.patch | 30 +++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 external/hunspell/hunspell-morph-overflow.patch
diff --git a/external/hunspell/UnpackedTarball_hunspell.mk b/external/hunspell/UnpackedTarball_hunspell.mk
index 96c85bb70801..9acfd9576d2f 100644
--- a/external/hunspell/UnpackedTarball_hunspell.mk
+++ b/external/hunspell/UnpackedTarball_hunspell.mk
@@ -18,6 +18,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hunspell,\
 external/hunspell/hunspell-1.3.2-nullptr.patch \
 external/hunspell/hunspell-1.3.2-literal.patch \
 external/hunspell/hunspell-fdo48017-wfopen.patch \
+ external/hunspell/hunspell-morph-overflow.patch \
 ))
 ifeq ($(COM),MSC)
diff --git a/external/hunspell/hunspell-morph-overflow.patch b/external/hunspell/hunspell-morph-overflow.patch
new file mode 100644
index 000000000000..fe7c4f72530d
--- /dev/null
+++ b/external/hunspell/hunspell-morph-overflow.patch
@@ -0,0 +1,30 @@
+--- hunspell/src/hunspell/affixmgr.cxx 2014-09-24 16:11:10.750421303 +0200
++++ build/hunspell/src/hunspell/affixmgr.cxx 2014-09-26 15:25:09.448688908 +0200
+@@ -2400,8 +2400,10 @@
+ }
+ mystrcat(*result, presult, MAXLNLEN);
+ if (m || (*m != '\0')) {
+- sprintf(*result + strlen(*result), "%c%s%s%s", MSEP_FLD,
++ char m2[MAXLNLEN];
++ sprintf(m2, "%c%s%s%s", MSEP_FLD,
+ MORPH_PART, word + i, line_uniq_app(&m, MSEP_REC));
++ mystrcat(*result, m2, MAXLNLEN);
+ }
+ if (m) free(m);
+ mystrcat(*result, "\n", MAXLNLEN);
+@@ -2481,11 +2483,13 @@
+ }
+ mystrcat(*result, presult, MAXLNLEN);
+ if (m && (*m != '\0')) {
+- sprintf(*result + strlen(*result), "%c%s%s%s", MSEP_FLD,
++ char m2[MAXLNLEN];
++ sprintf(m2, "%c%s%s%s", MSEP_FLD,
+ MORPH_PART, word + i, line_uniq_app(&m, MSEP_REC));
++ mystrcat(*result, m2, MAXLNLEN);
+ }
+ if (m) free(m);
+- sprintf(*result + strlen(*result), "%c", MSEP_REC);
++ if (strlen(*result) + 1 < MAXLNLEN) sprintf(*result + strlen(*result), "%c", MSEP_REC);
+ ok = 1;
+ }
+
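Review bot: The added `sprintf(m2, "%c%s%s%s", MSEP_FLD, ...)` in both affixmgr.cxx hunks (@@ -2400 and @@ -2481) is still an unbounded write, now into the stack array `char m2[MAXLNLEN]`. Nothing visible in the hunks bounds the combined length of `word + i` and the `line_uniq_app(&m, MSEP_REC)` result, so an over-long analysis would overflow `m2` instead of `*result`. Format with a size limit, e.g. `snprintf(m2, sizeof(m2), "%c%s%s%s", MSEP_FLD, MORPH_PART, word + i, line_uniq_app(&m, MSEP_REC));`, so truncation happens before the `mystrcat(*result, m2, MAXLNLEN)` append. Separately, the context line `if (m || (*m != '\0'))` in the first hunk dereferences `m` exactly when it is NULL; the second hunk's `if (m && (*m != '\0'))` looks like the intended condition. The enclosing functions start and end outside both hunks, so how `*result` is sized cannot be confirmed from here.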