Version 4.0.0.1, tag libreoffice-4.0.0.1
[LibreOffice.git] / hunspell / hunspell-1.3.2-overflow.patch
1 --- misc/hunspell-1.3.2/src/hunspell/affixmgr.cxx 2010-02-27 12:59:53.000000000 +0100
2 +++ misc/build/hunspell-1.3.2/src/hunspell/affixmgr.cxx 2011-05-18 16:29:45.919141893 +0200
3 @@ -6,6 +6,8 @@
4 #include <stdio.h>
5 #include <ctype.h>
7 +#include <limits>
9 #include "affixmgr.hxx"
10 #include "affentry.hxx"
11 #include "langnum.hxx"
12 @@ -4000,7 +4002,10 @@
13 case 3: {
14 np++;
15 numents = atoi(piece);
16 - if (numents == 0) {
17 + if ((numents <= 0) ||
18 + ((::std::numeric_limits<size_t>::max()
19 + / sizeof(struct affentry)) < numents))
20 + {
21 char * err = pHMgr->encode_flag(aflag);
22 if (err) {
23 HUNSPELL_WARNING(stderr, "error: line %d: bad entry number\n",
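Review bot: `numents = atoi(piece);` still feeds the new range check, and atoi cannot report a count that does not fit in int (the C standard leaves that case undefined), so the guard may be testing an arbitrary value. Parsing with `strtol`, and rejecting on `errno == ERANGE`, trailing characters, or a value above `INT_MAX` before the comparison, would close that gap. Where size_t is wider than int, the `numeric_limits<size_t>::max() / sizeof(struct affentry)` bound cannot be exceeded by an int, so on those platforms the check does not limit the allocation size taken from the .aff file; an explicit maximum number of entries per affix class would. The allocation that consumes numents and the rest of the `case 3` body are outside this hunk.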
24 --- misc/hunspell-1.3.2/src/tools/munch.c 2010-02-27 21:49:49.000000000 +0100
25 +++ misc/build/hunspell-1.3.2/src/tools/munch.c 2011-05-18 15:53:53.427072106 +0200
26 @@ -4,6 +4,7 @@
27 #include <string.h>
28 #include <unistd.h>
29 #include <stdlib.h>
30 +#include <stdint.h>
31 #include <stdio.h>
32 #include <sys/types.h>
33 #include <sys/stat.h>
34 @@ -233,10 +233,19 @@
35 case 1: { achar = *piece; break; }
36 case 2: { if (*piece == 'Y') ff = XPRODUCT; break; }
37 case 3: { numents = atoi(piece);
38 - ptr = malloc(numents * sizeof(struct affent));
39 - ptr->achar = achar;
40 - ptr->xpflg = ff;
41 - fprintf(stderr,"parsing %c entries %d\n",achar,numents);
42 + if ((numents < 0) ||
43 + ((SIZE_MAX/sizeof(struct affent)) < numents))
44 + {
45 + fprintf(stderr,
46 + "Error: too many entries: %d\n", numents);
47 + numents = 0;
48 + } else {
49 + ptr = malloc(numents * sizeof(struct affent));
50 + ptr->achar = achar;
51 + ptr->xpflg = ff;
52 + fprintf(stderr,"parsing %c entries %d\n",
53 + achar,numents);
54 + }
55 break;
57 default: break;
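Review bot: A count of 0 still reaches `ptr = malloc(numents * sizeof(struct affent));` because the new guard tests `numents < 0`. malloc(0) may return NULL or a zero-sized block, so the `ptr->achar = achar;` store that follows is out of bounds either way. The malloc result is also never checked before that store. Make the guard `if ((numents <= 0) ||` as the affixmgr.cxx hunk does, and add `if (ptr == NULL) { numents = 0; break; }` (or the tool's usual failure path) directly after the malloc. In the rejecting branch ptr is left unassigned, so the code after this switch, which is outside the hunk, should be checked for use of ptr when numents is 0; the identical hunk in src/tools/unmunch.c (`@@ -158,10 +159,19 @@`) needs the same changes.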
58 --- misc/hunspell-1.3.2/src/tools/unmunch.c 2010-02-23 15:53:29.000000000 +0100
59 +++ misc/build/hunspell-1.3.2/src/tools/unmunch.c 2011-05-18 20:53:43.843599726 +0200
60 @@ -6,6 +6,7 @@
61 #include <string.h>
62 #include <unistd.h>
63 #include <stdlib.h>
64 +#include <stdint.h>
65 #include <stdio.h>
66 #include <sys/types.h>
67 #include <sys/stat.h>
68 @@ -158,10 +159,19 @@
69 case 1: { achar = *piece; break; }
70 case 2: { if (*piece == 'Y') ff = XPRODUCT; break; }
71 case 3: { numents = atoi(piece);
72 - ptr = malloc(numents * sizeof(struct affent));
73 - ptr->achar = achar;
74 - ptr->xpflg = ff;
75 - fprintf(stderr,"parsing %c entries %d\n",achar,numents);
76 + if ((numents < 0) ||
77 + ((SIZE_MAX/sizeof(struct affent)) < numents))
78 + {
79 + fprintf(stderr,
80 + "Error: too many entries: %d\n", numents);
81 + numents = 0;
82 + } else {
83 + ptr = malloc(numents * sizeof(struct affent));
84 + ptr->achar = achar;
85 + ptr->xpflg = ff;
86 + fprintf(stderr,"parsing %c entries %d\n",
87 + achar,numents);
88 + }
89 break;
91 default: break;