--Boundary-00=_jBNZFu7w8Zc2LsK
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Hi,
I have uploaded the new package. And you can find in attachement the patch.
The release is push to Wednesday 29
On Wednesday 22 November 2006 13:32, Cyrille Berger wrote:
> Hi,
>
> Following a security threat affecting the 1.4.x and 1.6.x (and not 1.5.x)
> versions of KOffice, I will recreate tonight a tarball and provide a patch
> between the previous tarball and this one for those of you who prefer.
>
> This release is so cursed :'(
>
> Sorry for the inconvenient.
--
--- Cyrille Berger ---

--Boundary-00=_jBNZFu7w8Zc2LsK
Content-Type: text/x-diff; charset="iso-8859-1"; name="koffice-ole-filter.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="koffice-ole-filter.patch"

diff -uNrp koffice-1.4.1/filters/olefilters/lib/klaola.cc koffice-1.4.1-kees/filters/olefilters/lib/klaola.cc
--- koffice-1.4.1/filters/olefilters/lib/klaola.cc 2005-07-19 07:09:30.000000000 -0700
+++ koffice-1.4.1-kees/filters/olefilters/lib/klaola.cc 2006-11-21 16:02:08.000000000 -0800
@@ -197,11 +197,21 @@ bool KLaola::parseHeader() {
     num_of_bbd_blocks=read32(0x2c);
     root_startblock=read32(0x30);
     sbd_startblock=read32(0x3c);
+
+    if (num_of_bbd_blocks >= 0x800000) {
+        kdError(s_area) << "KLaola::parseHeader(): Too many bbd blocks found in header!" << endl;
+        return false;
+    }
     bbd_list=new unsigned int[num_of_bbd_blocks];
     unsigned int i, j;
-    for(i=0, j=0; i= (0x800000 - 1)) {
+        kdError(s_area) << "KLaola::parseHeader(): bbd " << i << " offset (" << bbd_list[i] << ") too large" << endl;
+        return false;
+    }
+    }
     return true;
 }
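Review bot: The new header check compares `num_of_bbd_blocks` against the literal `0x800000`, the per-entry check a few lines below compares `bbd_list[i]` against `0x800000 - 1`, and readBigBlockDepot() in a later hunk repeats `0x800000` again; a single named constant such as `static const unsigned int kMaxBbdBlocks = 0x800000;` used at all three sites would keep the bounds in sync and make the `- 1` in the per-entry comparison either visibly deliberate or visibly a slip. The per-entry `return false` runs after `bbd_list` has already been allocated with `new`, so unless the destructor or the caller releases it on a failed parse (the release site is not in this hunk), a malformed header leaks that array. The loop that fills `bbd_list` presumably reads each entry from the file header; if `read32()` does not itself check against `m_file.length`, a header declaring more blocks than the file holds still reads past the buffer before the new per-entry check sees the value, which is worth confirming in `read32()`. The `for` line of this hunk is not legible in this copy of the patch, so the loop body is inferred from the surrounding lines, and parseHeader() begins before the hunk.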
@@ -283,7 +293,8 @@ const unsigned char *KLaola::readBBStrea
     unsigned char *p=0;
     tmp=start;
-    while(tmp!=-2 && tmp>=0 && tmp<=static_cast(maxblock)) {
+    /* 0x10000 chosen as arbitrary "too many blocks" limit to not loop forver */
+    while(tmp!=-2 && tmp>=0 && i<0x10000 && tmp<=static_cast(maxblock)) {
         ++i;
         tmp=nextBigBlock(tmp);
     }
@@ -293,7 +304,7 @@ const unsigned char *KLaola::readBBStrea
     maxSblock=i*8-1;
     i=0;
     tmp=start;
-    while(tmp!=-2 && tmp>=0 && tmp<=static_cast(maxblock)) {
+    while(tmp!=-2 && tmp>=0 && i<0x10000 && tmp<=static_cast(maxblock)) {
         memcpy(&p[i*0x200], &m_file.data[(tmp+1)*0x200], 0x200);
         tmp=nextBigBlock(tmp);
         ++i;
@@ -308,7 +319,8 @@ const unsigned char *KLaola::readSBStrea
     unsigned char *p=0;
     tmp=start;
-    while(tmp!=-2 && tmp>=0 && tmp<=static_cast(maxSblock)) {
+    /* 0x10000 chosen as arbitrary "too many blocks" limit to not loop forver */
+    while(tmp!=-2 && tmp>=0 && i<0x10000 && tmp<=static_cast(maxSblock)) {
         ++i;
         tmp=nextSmallBlock(tmp);
     }
@@ -316,7 +328,7 @@ const unsigned char *KLaola::readSBStrea
     p=new unsigned char[i*0x40];
     i=0;
     tmp=start;
-    while(tmp!=-2 && tmp>=0 && tmp<=static_cast(maxSblock)) {
+    while(tmp!=-2 && tmp>=0 && i<0x10000 && tmp<=static_cast(maxSblock)) {
         memcpy(&p[i*0x40], &smallBlockFile[tmp*0x40], 0x40);
         tmp=nextSmallBlock(tmp);
         ++i;
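Review bot: The `i<0x10000` cap added to the counting loop of readBBStream() stops a cyclic or over-long block chain, but when it trips the function continues silently and hands back a stream truncated at 0x10000 blocks as though it were complete; an `if (i >= 0x10000) kdWarning(s_area) << "KLaola::readBBStream(): block chain too long, truncating" << endl;` after that loop would make a malformed document visible in the log rather than producing silently incomplete output. The same literal is repeated in the three hunks that follow (the copy loop of readBBStream() and both loops of readSBStream()); a named constant shared by all four `while` conditions would keep the counting pass and the copying pass in lockstep, which matters because the buffer sizes `i*0x200` and `i*0x40` come from the first pass and are indexed by the second. Both functions begin before their first hunk and end after their last, so the declarations of `i`, `tmp`, `maxblock` and `maxSblock` are not visible here.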
@@ -326,10 +338,20 @@ const unsigned char *KLaola::readSBStrea
 }
 void KLaola::readBigBlockDepot() {
+    if (num_of_bbd_blocks >= 0x800000)
+        return;
     bigBlockDepot=new unsigned char[0x200*num_of_bbd_blocks];
-    for(unsigned int i=0; i m_file.length - 0x200) {
+            /* attempting to read past end of file */
+            memset(&bigBlockDepot[i*0x200], 0, 0x200);
+        }
+        else {
+            memcpy(&bigBlockDepot[i*0x200], &m_file.data[offset], 0x200);
+        }
+    }
 }
 void KLaola::readSmallBlockDepot() {

--Boundary-00=_jBNZFu7w8Zc2LsK
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
koffice-devel mailing list
koffice-devel@kde.org
https://mail.kde.org/mailman/listinfo/koffice-devel

--Boundary-00=_jBNZFu7w8Zc2LsK--
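Review bot: The new `if (num_of_bbd_blocks >= 0x800000) return;` leaves `bigBlockDepot` unassigned and logs nothing, so if a caller dereferences `bigBlockDepot` afterwards the guard only moves the fault; parseHeader() in the first hunk already rejects this condition with a `kdError`, so this guard should at least report the same way, `kdError(s_area) << "KLaola::readBigBlockDepot(): Too many bbd blocks!" << endl;`, and share its constant rather than repeating the literal. The end-of-file test `offset > m_file.length - 0x200` subtracts from `m_file.length`, whose type is not visible here; if it is unsigned and the file is shorter than 0x200 bytes the subtraction wraps and every offset passes, so the form `if (offset > m_file.length || m_file.length - offset < 0x200)` avoids the wrap regardless of type. The zero-fill on that path is also silent, so a depot entry pointing past the end of the file becomes indistinguishable from a genuinely all-zero depot block; a `kdWarning` there would help when triaging a malformed document. The `for` line of this hunk is not legible in this copy of the patch, so the loop bounds and the computation of `offset` are inferred.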