Hunspell: fix buffer overflow during morphological analysis

affected: thesaurus usage in a Hungarian document test case: press Ctrl+F7 on the word "művészegyéniség" Change-Id: I024568e81265c4ce3e05f718bf9147229416ab73

Hunspell: fix buffer overflow during morphological analysis
affected: thesaurus usage in a Hungarian document test case: press Ctrl+F7 on the word "művészegyéniség" Change-Id: I024568e81265c4ce3e05f718bf9147229416ab73
b37a88c3 · László Németh · bcded180 · b37a88c3 · b37a88c3
Kaydet (Commit) b37a88c3 authored Eyl 26, 2014 tarafından László Németh
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 0 deletions

UnpackedTarball_hunspell.mk external/hunspell/UnpackedTarball_hunspell.mk +1 -0

hunspell-morph-overflow.patch external/hunspell/hunspell-morph-overflow.patch +30 -0

No files found.
--- a/external/hunspell/UnpackedTarball_hunspell.mk
+++ b/external/hunspell/UnpackedTarball_hunspell.mk
@@ -18,6 +18,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hunspell,\
 	external/hunspell/hunspell-1.3.2-nullptr.patch \
 	external/hunspell/hunspell-1.3.2-literal.patch \
 	external/hunspell/hunspell-fdo48017-wfopen.patch \
+	external/hunspell/hunspell-morph-overflow.patch \
 ))
 ifeq ($(COM),MSC)

--- a/external/hunspell/hunspell-morph-overflow.patch
+++ b/external/hunspell/hunspell-morph-overflow.patch
+--- hunspell/src/hunspell/affixmgr.cxx	2014-09-24 16:11:10.750421303 +0200
+++ build/hunspell/src/hunspell/affixmgr.cxx	2014-09-26 15:25:09.448688908 +0200
+@@ -2400,8 +2400,10 @@
+                       }
+                       mystrcat(*result, presult, MAXLNLEN);
+                       if (m || (*m != '\0')) {
+-                        sprintf(*result + strlen(*result), "%c%s%s%s", MSEP_FLD,
+                        char m2[MAXLNLEN];
+                        sprintf(m2, "%c%s%s%s", MSEP_FLD,
+                             MORPH_PART, word + i, line_uniq_app(&m, MSEP_REC));
+                        mystrcat(*result, m2, MAXLNLEN);
+                       }
+                       if (m) free(m);
+                       mystrcat(*result, "\n", MAXLNLEN);
+@@ -2481,11 +2483,13 @@
+                       }
+                       mystrcat(*result, presult, MAXLNLEN);
+                       if (m && (*m != '\0')) {
+-                        sprintf(*result + strlen(*result), "%c%s%s%s", MSEP_FLD,
+                        char m2[MAXLNLEN];
+                        sprintf(m2, "%c%s%s%s", MSEP_FLD,
+                             MORPH_PART, word + i, line_uniq_app(&m, MSEP_REC));
+                        mystrcat(*result, m2, MAXLNLEN);
+                       }
+                       if (m) free(m);
+-                      sprintf(*result + strlen(*result), "%c", MSEP_REC);
+                      if (strlen(*result) + 1 < MAXLNLEN) sprintf(*result + strlen(*result), "%c", MSEP_REC);
+                       ok = 1;
+             }