download.lst | 2 external/openssl/CVE-2010-5298.patch | 21 - external/openssl/CVE-2013-4353.patch | 21 - external/openssl/CVE-2013-6449.patch | 111 ------ external/openssl/CVE-2013-6450.patch | 85 ----- external/openssl/CVE-2014-0160.patch | 108 ------ external/openssl/CVE-2014-0195.patch | 36 -- external/openssl/CVE-2014-0198.patch | 33 - external/openssl/CVE-2014-0221.patch | 34 -- external/openssl/CVE-2014-0224.patch | 88 ----- external/openssl/CVE-2014-3470.patch | 26 - external/openssl/CVE-2014-3505.patch | 52 --- external/openssl/CVE-2014-3506.patch | 87 ----- external/openssl/CVE-2014-3507.patch | 53 --- external/openssl/CVE-2014-3508.patch | 138 -------- external/openssl/CVE-2014-3509.patch | 45 -- external/openssl/CVE-2014-3510.patch | 86 ----- external/openssl/CVE-2014-3511.patch | 85 ----- external/openssl/CVE-2014-3513.patch | 186 ----------- external/openssl/CVE-2014-3566.patch | 466 ---------------------------- external/openssl/CVE-2014-3567.patch | 14 external/openssl/UnpackedTarball_openssl.mk | 20 - hwpfilter/source/attributes.cxx | 1 hwpfilter/source/cspline.cxx | 3 hwpfilter/source/drawdef.h | 18 - hwpfilter/source/drawing.h | 297 ++++++++++------- hwpfilter/source/fontmap.cxx | 2 hwpfilter/source/fontmap.hxx | 29 + hwpfilter/source/formula.cxx | 16 hwpfilter/source/grammar.cxx | 10 hwpfilter/source/grammar.hxx | 31 + hwpfilter/source/hbox.cxx | 162 ++++++--- hwpfilter/source/hbox.h | 109 +++--- hwpfilter/source/hcode.cxx | 62 +-- hwpfilter/source/hgzip.cxx | 2 hwpfilter/source/hinfo.cxx | 171 +++++++--- hwpfilter/source/hinfo.h | 60 ++- hwpfilter/source/hiodev.cxx | 117 ++++--- hwpfilter/source/hiodev.h | 32 + hwpfilter/source/hpara.cxx | 69 ++-- hwpfilter/source/hpara.h | 2 hwpfilter/source/htags.cxx | 8 hwpfilter/source/htags.h | 6 hwpfilter/source/hutil.cxx | 1 hwpfilter/source/hwpeq.cxx | 31 - hwpfilter/source/hwpfile.cxx | 102 +++--- hwpfilter/source/hwpfile.h | 14 hwpfilter/source/hwplib.h | 11 hwpfilter/source/hwpread.cxx | 312 
++++++++++-------- hwpfilter/source/hwpreader.cxx | 91 ++--- hwpfilter/source/hwpreader.hxx | 8 hwpfilter/source/lexer.cxx | 18 - hwpfilter/source/lexer.hxx | 29 + hwpfilter/source/list.hxx | 6 hwpfilter/source/mzstring.cxx | 2 hwpfilter/source/mzstring.h | 4 56 files changed, 1135 insertions(+), 2498 deletions(-)
New commits:
commit 683b30bcd6fcb2c99ad7361ed7afa52517707962
Author: Andras Timar <andras.ti...@collabora.com>
Date: Fri Mar 20 13:50:34 2015 +0100
bump to openssl-1.0.1m
Change-Id: I3152e33f726aab1596adc99e512c156161dc31ca
diff --git a/download.lst b/download.lst
index 3255674..69031e8 100644
--- a/download.lst
+++ b/download.lst
@@ -98,7 +98,7 @@ export MYTHES_TARBALL := 46e92b68e31e858512b680b3b61dc4c1-mythes-1.2.3.tar.gz
export NEON_TARBALL := ff369e69ef0f0143beb5626164e87ae2-neon-0.29.5.tar.gz
export NSS_TARBALL := b279551b7638d0e36d1199548124c247-nss-3.16.5-with-nspr-4.10.6.tar.gz
export OPENLDAP_TARBALL := 804c6cb5698db30b75ad0ff1c25baefd-openldap-2.4.31.tgz
-export OPENSSL_TARBALL := 66bf6f10f060d561929de96f9dfe5b8c-openssl-1.0.1e.tar.gz
+export OPENSSL_TARBALL := d143d1555d842a069cb7cc34ba745a06-openssl-1.0.1m.tar.gz
export ORCUS_TARBALL := ea2acaf140ae40a87a952caa75184f4d-liborcus-0.5.1.tar.bz2
export PIXMAN_TARBALL := c63f411b3ad147db2bcce1bf262a0e02-pixman-0.24.4.tar.bz2
export PNG_TARBALL := 9e5d864bce8f06751bbd99962ecf4aad-libpng-1.5.10.tar.gz
diff --git a/external/openssl/CVE-2010-5298.patch b/external/openssl/CVE-2010-5298.patch
deleted file mode 100644
index 55251b3..0000000
--- a/external/openssl/CVE-2010-5298.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From: Ben Laurie <b...@links.org>
-Date: Wed, 23 Apr 2014 06:24:03 +0000 (+0100)
-Subject: Fix use after free.
-X-Git-Url: https://git.openssl.org/gitweb/b/?p=openssl.git;a=commitdiff_plain;h=94d1f4b
-
-Fix use after free.
---
-
-diff --git a/a/ssl/s3_pkt.c b/b/ssl/s3_pkt.c
-index b9e45c7..d601a18 100644
---- a/a/ssl/s3_pkt.c
-+++ b/b/ssl/s3_pkt.c
-@@ -1334,7 +1334,7 @@ start:
- {
- s->rstate=SSL_ST_READ_HEADER;
- rr->off=0;
-- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
-+ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
- ssl3_release_read_buffer(s);
- }
- }
diff --git a/external/openssl/CVE-2013-4353.patch b/external/openssl/CVE-2013-4353.patch
deleted file mode 100644
index be7cf4c..0000000
--- a/external/openssl/CVE-2013-4353.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Fix for TLS record tampering bug. A carefully crafted invalid
-handshake could crash OpenSSL with a NULL pointer exception.
-Thanks to Anton Johansson for reporting this issues.
-(CVE-2013-4353)
-diff --git a/a/ssl/s3_both.c b/b/ssl/s3_both.c
-index 1e5dcab..53b9390 100644
---- a/a/ssl/s3_both.c
-+++ b/b/ssl/s3_both.c
-@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s)
- {
- const char *sender;
- int slen;
--
-+ /* If no new cipher setup return immediately: other functions will
-+ * set the appropriate error.
-+ */
-+ if (s->s3->tmp.new_cipher == NULL)
-+ return;
- if (s->state & SSL_ST_CONNECT)
- {
- sender=s->method->ssl3_enc->server_finished_label;
diff --git a/external/openssl/CVE-2013-6449.patch b/external/openssl/CVE-2013-6449.patch
deleted file mode 100644
index 3da0646..0000000
--- a/external/openssl/CVE-2013-6449.patch
+++ /dev/null
@@ -1,111 +0,0 @@ -Use version in SSL_METHOD not SSL structure. - -When deciding whether to use TLS 1.2 PRF and record hash algorithms -use the version number in the corresponding SSL_METHOD structure -instead of the SSL structure. The SSL structure version is sometimes -inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already. -(CVE-2013-6449) - -Also preventively check EVP errors for handshake digests. - -diff --git a/a/ssl/s3_lib.c b/b/ssl/s3_lib.c -index bf832bb..c4ef273 100644 ---- a/a/ssl/s3_lib.c -+++ b/b/ssl/s3_lib.c -@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT. - long ssl_get_algorithm2(SSL *s) - { - long alg2 = s->s3->tmp.new_cipher->algorithm2; -- if (TLS1_get_version(s) >= TLS1_2_VERSION && -+ if (s->method->version == TLS1_2_VERSION && - alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) - return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; - return alg2; -diff --git a/a/ssl/s3_both.c b/b/ssl/s3_both.c -index ead01c8..1e5dcab 100644 ---- a/a/ssl/s3_both.c -+++ b/b/ssl/s3_both.c -@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) - - i=s->method->ssl3_enc->final_finish_mac(s, - sender,slen,s->s3->tmp.finish_md); -+ if (i == 0) -+ return 0; - s->s3->tmp.finish_md_len = i; - memcpy(p, s->s3->tmp.finish_md, i); - p+=i; -diff --git a/a/ssl/s3_pkt.c b/b/ssl/s3_pkt.c -index 804291e..c4bc4e7 100644 ---- a/a/ssl/s3_pkt.c -+++ b/b/ssl/s3_pkt.c -@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); - if (version != s->version) - { - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); -- if ((s->version & 0xFF00) == (version & 0xFF00)) -+ if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash) - /* Send back error using their minor version number :-) */ - s->version = (unsigned short)version; - al=SSL_AD_PROTOCOL_VERSION; -@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s) - 
slen=s->method->ssl3_enc->client_finished_label_len; - } - -- s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, -+ i = s->method->ssl3_enc->final_finish_mac(s, - sender,slen,s->s3->tmp.peer_finish_md); -+ if (i == 0) -+ { -+ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ s->s3->tmp.peer_finish_md_len = i; - - return(1); - } -diff --git a/a/ssl/s3_srvr.c b/b/ssl/s3_srvr.c -index e5a8b3f..52efed3 100644 ---- a/a/ssl/s3_srvr.c -+++ b/b/ssl/s3_srvr.c -@@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s) - (s->version != DTLS1_VERSION && s->client_version < s->version)) - { - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); -- if ((s->client_version>>8) == SSL3_VERSION_MAJOR) -+ if ((s->client_version>>8) == SSL3_VERSION_MAJOR && -+ !s->enc_write_ctx && !s->write_hash) - { - /* similar to ssl3_get_record, send alert using remote version number */ - s->version = s->client_version; -diff --git a/a/ssl/t1_enc.c b/b/ssl/t1_enc.c -index 809ad2e..72015f5 100644 ---- a/a/ssl/t1_enc.c -+++ b/b/ssl/t1_enc.c -@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s, - if (mask & ssl_get_algorithm2(s)) - { - int hashsize = EVP_MD_size(md); -- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) -+ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; -+ if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) - { - /* internal error: 'buf' is too small for this cipersuite! */ - err = 1; - } - else - { -- EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]); -- EVP_DigestFinal_ex(&ctx,q,&i); -- if (i != (unsigned int)hashsize) /* can't really happen */ -+ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || -+ !EVP_DigestFinal_ex(&ctx,q,&i) || -+ (i != (unsigned int)hashsize)) - err = 1; -- q+=i; -+ q+=hashsize; - } - } - } --- -1.8.3.1 - diff --git a/external/openssl/CVE-2013-6450.patch b/external/openssl/CVE-2013-6450.patch deleted file mode 100644 index ba45785..0000000 
--- a/external/openssl/CVE-2013-6450.patch
+++ /dev/null
@@ -1,85 +0,0 @@ -Fix DTLS retransmission from previous session. - -For DTLS we might need to retransmit messages from the previous session -so keep a copy of write context in DTLS retransmission buffers instead -of replacing it after sending CCS. CVE-2013-6450. - -diff --git a/a/ssl/d1_both.c b/b/ssl/d1_both.c -index 65ec001..7a5596a 100644 ---- a/a/ssl/d1_both.c -+++ b/b/ssl/d1_both.c -@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) - static void - dtls1_hm_fragment_free(hm_fragment *frag) - { -+ -+ if (frag->msg_header.is_ccs) -+ { -+ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx); -+ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash); -+ } - if (frag->fragment) OPENSSL_free(frag->fragment); - if (frag->reassembly) OPENSSL_free(frag->reassembly); - OPENSSL_free(frag); -diff --git a/a/ssl/ssl_locl.h b/b/ssl/ssl_locl.h -index 96ce9a7..e485907 100644 ---- a/a/ssl/ssl_locl.h -+++ b/b/ssl/ssl_locl.h -@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data; - extern SSL3_ENC_METHOD SSLv3_enc_data; - extern SSL3_ENC_METHOD DTLSv1_enc_data; - -+#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) -+ - #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ - s_get_meth) \ - const SSL_METHOD *func_name(void) \ -diff --git a/a/ssl/t1_enc.c b/b/ssl/t1_enc.c -index 72015f5..56db834 100644 ---- a/a/ssl/t1_enc.c -+++ b/b/ssl/t1_enc.c -@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which) - s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; - else - s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; -- if (s->enc_write_ctx != NULL) -+ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) - reuse_dd = 1; -- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) -+ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) - goto err; -- else -- /* make sure it's intialized in case we exit later with an error */ -- 
EVP_CIPHER_CTX_init(s->enc_write_ctx); - dd= s->enc_write_ctx; -- mac_ctx = ssl_replace_hash(&s->write_hash,NULL); -+ if (SSL_IS_DTLS(s)) -+ { -+ mac_ctx = EVP_MD_CTX_create(); -+ if (!mac_ctx) -+ goto err; -+ s->write_hash = mac_ctx; -+ } -+ else -+ mac_ctx = ssl_replace_hash(&s->write_hash,NULL); - #ifndef OPENSSL_NO_COMP - if (s->compress != NULL) - { -diff --git a/a/crypto/evp/digest.c b/b/crypto/evp/digest.c -index 6fc469f..d14e8e4 100644 ---- a/a/crypto/evp/digest.c -+++ b/b/crypto/evp/digest.c -@@ -366,8 +366,11 @@ int EVP_Digest(const void *data, size_t count, - - void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) - { -- EVP_MD_CTX_cleanup(ctx); -- OPENSSL_free(ctx); -+ if (ctx) -+ { -+ EVP_MD_CTX_cleanup(ctx); -+ OPENSSL_free(ctx); -+ } - } - - /* This call frees resources associated with the context */ diff --git a/external/openssl/CVE-2014-0160.patch b/external/openssl/CVE-2014-0160.patch deleted file mode 100644 index ddf9d9c..0000000 --- a/external/openssl/CVE-2014-0160.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -From: Dr. Stephen Henson <st...@openssl.org> -Date: Sat, 5 Apr 2014 23:51:06 +0000 (+0100) -Subject: Add heartbeat extension bounds check. -X-Git-Tag: OpenSSL_1_0_1g~3 -X-Git-Url: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=96db902 - -Add heartbeat extension bounds check. - -A missing bounds check in the handling of the TLS heartbeat extension -can be used to reveal up to 64k of memory to a connected client or -server. - -Thanks for Neel Mehta of Google Security for discovering this bug and to -Adam Langley <a...@chromium.org> and Bodo Moeller <bmoel...@acm.org> for -preparing the fix (CVE-2014-0160) ---- - -diff --git a/a/ssl/d1_both.c b/ssl/d1_both.c -index 7a5596a..2e8cf68 100644 ---- a/a/ssl/d1_both.c -+++ a/b/ssl/d1_both.c -@@ -1459,26 +1459,36 @@ dtls1_process_heartbeat(SSL *s) - unsigned int payload; - unsigned int padding = 16; /* Use minimum padding */ - -- /* Read type and payload length first */ -- hbtype = *p++; -- n2s(p, payload); -- pl = p; -- - if (s->msg_callback) - s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, - &s->s3->rrec.data[0], s->s3->rrec.length, - s, s->msg_callback_arg); - -+ /* Read type and payload length first */ -+ if (1 + 2 + 16 > s->s3->rrec.length) -+ return 0; /* silently discard */ -+ hbtype = *p++; -+ n2s(p, payload); -+ if (1 + 2 + payload + 16 > s->s3->rrec.length) -+ return 0; /* silently discard per RFC 6520 sec. 
4 */ -+ pl = p; -+ - if (hbtype == TLS1_HB_REQUEST) - { - unsigned char *buffer, *bp; -+ unsigned int write_length = 1 /* heartbeat type */ + -+ 2 /* heartbeat length */ + -+ payload + padding; - int r; - -+ if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) -+ return 0; -+ - /* Allocate memory for the response, size is 1 byte - * message type, plus 2 bytes payload length, plus - * payload, plus padding - */ -- buffer = OPENSSL_malloc(1 + 2 + payload + padding); -+ buffer = OPENSSL_malloc(write_length); - bp = buffer; - - /* Enter response type, length and copy payload */ -@@ -1489,11 +1499,11 @@ dtls1_process_heartbeat(SSL *s) - /* Random padding */ - RAND_pseudo_bytes(bp, padding); - -- r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); -+ r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length); - - if (r >= 0 && s->msg_callback) - s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, -- buffer, 3 + payload + padding, -+ buffer, write_length, - s, s->msg_callback_arg); - - OPENSSL_free(buffer); -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index b82fada..bddffd9 100644 ---- a/a/ssl/t1_lib.c -+++ a/b/ssl/t1_lib.c -@@ -2588,16 +2588,20 @@ tls1_process_heartbeat(SSL *s) - unsigned int payload; - unsigned int padding = 16; /* Use minimum padding */ - -- /* Read type and payload length first */ -- hbtype = *p++; -- n2s(p, payload); -- pl = p; -- - if (s->msg_callback) - s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, - &s->s3->rrec.data[0], s->s3->rrec.length, - s, s->msg_callback_arg); - -+ /* Read type and payload length first */ -+ if (1 + 2 + 16 > s->s3->rrec.length) -+ return 0; /* silently discard */ -+ hbtype = *p++; -+ n2s(p, payload); -+ if (1 + 2 + payload + 16 > s->s3->rrec.length) -+ return 0; /* silently discard per RFC 6520 sec. 4 */ -+ pl = p; -+ - if (hbtype == TLS1_HB_REQUEST) - { - unsigned char *buffer, *bp; 
diff --git a/external/openssl/CVE-2014-0195.patch b/external/openssl/CVE-2014-0195.patch
deleted file mode 100644
index d9aaa83..0000000
--- a/external/openssl/CVE-2014-0195.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-commit 208d54db20d58c9a5e45e856a0650caadd7d9612
-Author: Dr. Stephen Henson <st...@openssl.org>
-Date: Tue May 13 18:48:31 2014 +0100
-
- Fix for CVE-2014-0195
-
- A buffer overrun attack can be triggered by sending invalid DTLS fragments
- to an OpenSSL DTLS client or server. This is potentially exploitable to
- run arbitrary code on a vulnerable client or server.
-
- Fixed by adding consistency check for DTLS fragments.
-
- Thanks to Jüri Aedla for reporting this issue.
-
-diff --git a/a/ssl/d1_both.c b/b/ssl/d1_both.c
-index 2e8cf68..07f67f8 100644
---- a/a/ssl/d1_both.c
-+++ b/b/ssl/d1_both.c
-@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- frag->msg_header.frag_off = 0;
- }
- else
-+ {
- frag = (hm_fragment*) item->data;
-+ if (frag->msg_header.msg_len != msg_hdr->msg_len)
-+ {
-+ item = NULL;
-+ frag = NULL;
-+ goto err;
-+ }
-+ }
-+
-
- /* If message is already reassembled, this must be a
- * retransmit and can be dropped.
-
diff --git a/external/openssl/CVE-2014-0198.patch b/external/openssl/CVE-2014-0198.patch
deleted file mode 100644
index 0cffb79..0000000
--- a/external/openssl/CVE-2014-0198.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Matt Caswell <m...@openssl.org>
-Date: Sun, 11 May 2014 23:38:37 +0000 (+0100)
-Subject: Fixed NULL pointer dereference. See PR#3321
-X-Git-Url: https://git.openssl.org/gitweb/b/?p=openssl.git;a=commitdiff_plain;h=b107586
-
-Fixed NULL pointer dereference. See PR#3321
----
-
-diff --git a/a/ssl/s3_pkt.c b/b/ssl/s3_pkt.c
-index 40eb0dd..d961d12 100644
---- a/a/ssl/s3_pkt.c
-+++ b/b/ssl/s3_pkt.c
-@@ -657,9 +657,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
- SSL3_BUFFER *wb=&(s->s3->wbuf);
- SSL_SESSION *sess;
-
-- if (wb->buf == NULL)
-- if (!ssl3_setup_write_buffer(s))
-- return -1;
-
- /* first check if there is a SSL3_BUFFER still being written
- * out. This will happen with non blocking IO */
-@@ -675,6 +672,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
- /* if it went, fall through and send more stuff */
- }
-
-+ if (wb->buf == NULL)
-+ if (!ssl3_setup_write_buffer(s))
-+ return -1;
-+
- if (len == 0 && !create_empty_fragment)
- return 0;
-
diff --git a/external/openssl/CVE-2014-0221.patch b/external/openssl/CVE-2014-0221.patch
deleted file mode 100644
index 68186f7..0000000
--- a/external/openssl/CVE-2014-0221.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-commit d30e582446b027868cdabd0994681643682045a4
-Author: Dr. Stephen Henson <st...@openssl.org>
-Date: Fri May 16 13:00:45 2014 +0100
-
- Fix CVE-2014-0221
-
- Unnecessary recursion when receiving a DTLS hello request can be used to
- crash a DTLS client. Fixed by handling DTLS hello request without recursion.
-
- Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
-
-diff --git a/a/ssl/d1_both.c b/b/ssl/d1_both.c
-index 07f67f8..4c2fd03 100644
---- a/a/ssl/d1_both.c
-+++ b/b/ssl/d1_both.c
-@@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
- int i,al;
- struct hm_header_st msg_hdr;
-
-+ redo:
- /* see if we have the required fragment already */
- if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
- {
-@@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
- s->msg_callback_arg);
-
- s->init_num = 0;
-- return dtls1_get_message_fragment(s, st1, stn,
-- max, ok);
-+ goto redo;
- }
- else /* Incorrectly formated Hello request */
- {
-
diff --git a/external/openssl/CVE-2014-0224.patch b/external/openssl/CVE-2014-0224.patch
deleted file mode 100644
index 8a7aaa7..0000000
--- a/external/openssl/CVE-2014-0224.patch
+++ /dev/null
@@ -1,88 +0,0 @@ -diff -up openssl-1.0.1e/ssl/ssl3.h.keying-mitm openssl-1.0.1e/ssl/ssl3.h ---- a/a/ssl/ssl3.h.keying-mitm 2014-06-02 19:48:04.518100562 +0200 ---- b/b/ssl/ssl3.h 2014-06-02 19:48:04.642103429 +0200 -@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st - #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 - #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 - #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 -+#define SSL3_FLAGS_CCS_OK 0x0080 - - /* SSL3_FLAGS_SGC_RESTART_DONE is set when we - * restart a handshake because of MS SGC and so prevents us -diff -up openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm openssl-1.0.1e/ssl/s3_clnt.c ---- a/a/ssl/s3_clnt.c.keying-mitm 2013-02-11 16:26:04.000000000 +0100 ---- b/b/ssl/s3_clnt.c 2014-06-02 19:49:57.042701985 +0200 -@@ -559,6 +559,7 @@ int ssl3_connect(SSL *s) - case SSL3_ST_CR_FINISHED_A: - case SSL3_ST_CR_FINISHED_B: - -+ s->s3->flags |= SSL3_FLAGS_CCS_OK; - ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, - SSL3_ST_CR_FINISHED_B); - if (ret <= 0) goto end; -@@ -916,6 +917,7 @@ int ssl3_get_server_hello(SSL *s) - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); - goto f_err; - } -+ s->s3->flags |= SSL3_FLAGS_CCS_OK; - s->hit=1; - } - else /* a miss or crap from the other end */ -diff -up openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm openssl-1.0.1e/ssl/s3_pkt.c ---- a/a/ssl/s3_pkt.c.keying-mitm 2014-06-02 19:48:04.640103383 +0200 ---- b/b/ssl/s3_pkt.c 2014-06-02 19:48:04.643103452 +0200 -@@ -1298,6 +1298,15 @@ start: - goto f_err; - } - -+ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) -+ { -+ al=SSL_AD_UNEXPECTED_MESSAGE; -+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY); -+ goto f_err; -+ } -+ -+ s->s3->flags &= ~SSL3_FLAGS_CCS_OK; -+ - rr->length=0; - - if (s->msg_callback) -@@ -1432,7 +1441,7 @@ int ssl3_do_change_cipher_spec(SSL *s) - - if (s->s3->tmp.key_block == NULL) - { -- if (s->session == NULL) -+ if (s->session == NULL || s->session->master_key_length == 0) - { - /* might happen if 
dtls1_read_bytes() calls this */ - SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY); -diff -up openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm openssl-1.0.1e/ssl/s3_srvr.c ---- a/a/ssl/s3_srvr.c.keying-mitm 2014-06-02 19:48:04.630103151 +0200 ---- b/b/ssl/s3_srvr.c 2014-06-02 19:48:04.643103452 +0200 -@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s) - case SSL3_ST_SR_CERT_VRFY_A: - case SSL3_ST_SR_CERT_VRFY_B: - -+ s->s3->flags |= SSL3_FLAGS_CCS_OK; - /* we should decide if we expected this one */ - ret=ssl3_get_cert_verify(s); - if (ret <= 0) goto end; -@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s) - - case SSL3_ST_SR_FINISHED_A: - case SSL3_ST_SR_FINISHED_B: -+ s->s3->flags |= SSL3_FLAGS_CCS_OK; - ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, - SSL3_ST_SR_FINISHED_B); - if (ret <= 0) goto end; -@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s) - s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; - #else - if (s->s3->next_proto_neg_seen) -+ { -+ s->s3->flags |= SSL3_FLAGS_CCS_OK; - s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; -+ } - else - s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; - #endif diff --git a/external/openssl/CVE-2014-3470.patch b/external/openssl/CVE-2014-3470.patch deleted file mode 100644 index da123ee..0000000 --- a/external/openssl/CVE-2014-3470.patch +++ /dev/null 
@@ -1,26 +0,0 @@
-commit 4ad43d511f6cf064c66eb4bfd0fb0919b5dd8a86
-Author: Dr. Stephen Henson <st...@openssl.org>
-Date: Thu May 29 15:00:05 2014 +0100
-
- Fix CVE-2014-3470
-
- Check session_cert is not NULL before dereferencing it.
-
-diff --git a/a/ssl/s3_clnt.c b/b/ssl/s3_clnt.c
-index d35376d..4324f8d 100644
---- a/a/ssl/s3_clnt.c
-+++ b/b/ssl/s3_clnt.c
-@@ -2511,6 +2511,13 @@ int ssl3_send_client_key_exchange(SSL *s)
- int ecdh_clnt_cert = 0;
- int field_size = 0;
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- /* Did we send out the client's
- * ECDH share for use in premaster
- * computation as part of client certificate?
diff --git a/external/openssl/CVE-2014-3505.patch b/external/openssl/CVE-2014-3505.patch
deleted file mode 100644
index 69284d5..0000000
--- a/external/openssl/CVE-2014-3505.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 2172d4f63c61922487008f42511cc6bdae9b47a0 Mon Sep 17 00:00:00 2001
-From: Adam Langley <a...@imperialviolet.org>
-Date: Fri, 6 Jun 2014 14:19:21 -0700
-Subject: [PATCH] Avoid double free when processing DTLS packets.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The |item| variable, in both of these cases, may contain a pointer to a
-|pitem| structure within |s->d1->buffered_messages|. It was being freed
-in the error case while still being in |buffered_messages|. When the
-error later caused the |SSL*| to be destroyed, the item would be double
-freed.
-
-Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
-inconsistent with the other error paths (but correct).
-
-Fixes CVE-2014-3505
-
-Reviewed-by: Matt Caswell <m...@openssl.org>
-Reviewed-by: Emilia Käsper <emi...@openssl.org>
----
- ssl/d1_both.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index c1eb970..cdb83b6 100644
---- a/a/ssl/d1_both.c
-+++ b/b/ssl/d1_both.c
-@@ -693,8 +693,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- return DTLS1_HM_FRAGMENT_RETRY;
-
- err:
-- if (frag != NULL) dtls1_hm_fragment_free(frag);
-- if (item != NULL) OPENSSL_free(item);
-+ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
- *ok = 0;
- return i;
- }
-@@ -778,8 +777,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- return DTLS1_HM_FRAGMENT_RETRY;
-
- err:
-- if ( frag != NULL) dtls1_hm_fragment_free(frag);
-- if ( item != NULL) OPENSSL_free(item);
-+ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
- *ok = 0;
- return i;
- }
---
-1.8.3.1
-
diff --git a/external/openssl/CVE-2014-3506.patch b/external/openssl/CVE-2014-3506.patch
deleted file mode 100644
index 45b87dc..0000000
--- a/external/openssl/CVE-2014-3506.patch
+++ /dev/null
@@ -1,87 +0,0 @@ -From fc7804ec392fcf8051abe6bc9da9108744d2ae35 Mon Sep 17 00:00:00 2001 -From: Matt Caswell <m...@openssl.org> -Date: Fri, 6 Jun 2014 14:25:52 -0700 -Subject: [PATCH] Fix DTLS handshake message size checks. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In |dtls1_reassemble_fragment|, the value of -|msg_hdr->frag_off+frag_len| was being checked against the maximum -handshake message size, but then |msg_len| bytes were allocated for the -fragment buffer. This means that so long as the fragment was within the -allowed size, the pending handshake message could consume 16MB + 2MB -(for the reassembly bitmap). Approx 10 outstanding handshake messages -are allowed, meaning that an attacker could consume ~180MB per DTLS -connection. - -In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no -check was applied. - -Fixes CVE-2014-3506 - -Wholly based on patch by Adam Langley with one minor amendment. - -Reviewed-by: Emilia Käsper <emi...@openssl.org> ---- - ssl/d1_both.c | 29 ++++++++++++++++------------- - 1 file changed, 16 insertions(+), 13 deletions(-) - -diff --git a/ssl/d1_both.c b/ssl/d1_both.c -index 6559dfc..b9e15df 100644 ---- a/a/ssl/d1_both.c -+++ b/b/ssl/d1_both.c -@@ -587,6 +587,16 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) - return 0; - } - -+/* dtls1_max_handshake_message_len returns the maximum number of bytes -+ * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may -+ * be greater if the maximum certificate list size requires it. 
*/ -+static unsigned long dtls1_max_handshake_message_len(const SSL *s) -+ { -+ unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; -+ if (max_len < (unsigned long)s->max_cert_list) -+ return s->max_cert_list; -+ return max_len; -+ } - - static int - dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) -@@ -595,20 +605,10 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) - pitem *item = NULL; - int i = -1, is_complete; - unsigned char seq64be[8]; -- unsigned long frag_len = msg_hdr->frag_len, max_len; -- -- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) -- goto err; -- -- /* Determine maximum allowed message size. Depends on (user set) -- * maximum certificate length, but 16k is minimum. -- */ -- if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list) -- max_len = s->max_cert_list; -- else -- max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; -+ unsigned long frag_len = msg_hdr->frag_len; - -- if ((msg_hdr->frag_off+frag_len) > max_len) -+ if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len || -+ msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) - goto err; - - /* Try to find item in queue */ -@@ -749,6 +749,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) - if (frag_len && frag_len < msg_hdr->msg_len) - return dtls1_reassemble_fragment(s, msg_hdr, ok); - -+ if (frag_len > dtls1_max_handshake_message_len(s)) -+ goto err; -+ - frag = dtls1_hm_fragment_new(frag_len, 0); - if ( frag == NULL) - goto err; --- -1.8.3.1 - diff --git a/external/openssl/CVE-2014-3507.patch b/external/openssl/CVE-2014-3507.patch deleted file mode 100644 index 4ea0b69..0000000 --- a/external/openssl/CVE-2014-3507.patch +++ /dev/null 
@@ -1,53 +0,0 @@
-diff -up openssl-1.0.1e/ssl/d1_both.c.dtls-memleak openssl-1.0.1e/ssl/d1_both.c
---- a/a/ssl/d1_both.c.dtls-memleak 2014-08-07 17:51:18.457493922 +0200
-+++ b/b/ssl/d1_both.c 2014-08-07 17:58:28.478558785 +0200
-@@ -610,6 +610,9 @@ dtls1_reassemble_fragment(SSL *s, struct
- msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
- goto err;
-
-+ if (frag_len == 0)
-+ return DTLS1_HM_FRAGMENT_RETRY;
-+
- /* Try to find item in queue */
- memset(seq64be,0,sizeof(seq64be));
- seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
-@@ -686,7 +689,12 @@ dtls1_reassemble_fragment(SSL *s, struct
- i = -1;
- }
-
-- pqueue_insert(s->d1->buffered_messages, item);
-+ item = pqueue_insert(s->d1->buffered_messages, item);
-+ /* pqueue_insert fails iff a duplicate item is inserted.
-+ * However, |item| cannot be a duplicate. If it were,
-+ * |pqueue_find|, above, would have returned it and control
-+ * would never have reached this branch. */
-+ OPENSSL_assert(item != NULL);
- }
-
- return DTLS1_HM_FRAGMENT_RETRY;
-@@ -744,7 +752,7 @@ dtls1_process_out_of_seq_message(SSL *s,
- }
- else
- {
-- if (frag_len && frag_len < msg_hdr->msg_len)
-+ if (frag_len < msg_hdr->msg_len)
- return dtls1_reassemble_fragment(s, msg_hdr, ok);
-
- if (frag_len > dtls1_max_handshake_message_len(s))
-@@ -773,7 +781,15 @@ dtls1_process_out_of_seq_message(SSL *s,
- if ( item == NULL)
- goto err;
-
-- pqueue_insert(s->d1->buffered_messages, item);
-+ item = pqueue_insert(s->d1->buffered_messages, item);
-+ /* pqueue_insert fails iff a duplicate item is inserted.
-+ * However, |item| cannot be a duplicate. If it were,
-+ * |pqueue_find|, above, would have returned it. Then, either
-+ * |frag_len| != |msg_hdr->msg_len| in which case |item| is set
-+ * to NULL and it will have been processed with
-+ * |dtls1_reassemble_fragment|, above, or the record will have
-+ * been discarded. */
-+ OPENSSL_assert(item != NULL);
- }
-
- return DTLS1_HM_FRAGMENT_RETRY;
diff --git a/external/openssl/CVE-2014-3508.patch b/external/openssl/CVE-2014-3508.patch
deleted file mode 100644
index 513608d..0000000
--- a/external/openssl/CVE-2014-3508.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 03b04ddac162c7b7fa3c57eadccc5a583a00d291 Mon Sep 17 00:00:00 2001
-From: Emilia Kasper <emi...@openssl.org>
-Date: Wed, 2 Jul 2014 19:02:33 +0200
-Subject: [PATCH] Fix OID handling:
-
-- Upon parsing, reject OIDs with invalid base-128 encoding.
-- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.
-
-CVE-2014-3508
-
-Reviewed-by: Dr. Stephen Henson <st...@openssl.org>
-Reviewed-by: Kurt Roeckx <k...@openssl.org>
-Reviewed-by: Tim Hudson <t...@openssl.org>
----
- crypto/asn1/a_object.c | 30 +++++++++++++++++++++---------
- crypto/objects/obj_dat.c | 16 +++++++++-------
- 2 files changed, 30 insertions(+), 16 deletions(-)
-
-diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
-index 3978c91..77b2768 100644
---- a/a/crypto/asn1/a_object.c
-+++ b/b/crypto/asn1/a_object.c
-@@ -283,17 +283,29 @@ err:
- ASN1err(ASN1_F_D2I_ASN1_OBJECT,i);
- return(NULL);
- }
-+
- ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
- long len)
- {
- ASN1_OBJECT *ret=NULL;
- const unsigned char *p;
- unsigned char *data;
-- int i;
-- /* Sanity check OID encoding: can't have leading 0x80 in
-- * subidentifiers, see: X.690 8.19.2
-+ int i, length;
-+
-+ /* Sanity check OID encoding.
-+ * Need at least one content octet.
-+ * MSB must be clear in the last octet.
-+ * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2
- */
-- for (i = 0, p = *pp; i < len; i++, p++)
-+ if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL ||
-+ p[len - 1] & 0x80)
-+ {
-+ ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
-+ return NULL;
-+ }
-+ /* Now 0 < len <= INT_MAX, so the cast is safe. 
*/
-+ length = (int)len;
-+ for (i = 0; i < length; i++, p++)
- {
- if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
- {
-@@ -316,23 +328,23 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
- data = (unsigned char *)ret->data;
- ret->data = NULL;
- /* once detached we can change it */
-- if ((data == NULL) || (ret->length < len))
-+ if ((data == NULL) || (ret->length < length))
- {
- ret->length=0;
- if (data != NULL) OPENSSL_free(data);
-- data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1);
-+ data=(unsigned char *)OPENSSL_malloc(length);
- if (data == NULL)
- { i=ERR_R_MALLOC_FAILURE; goto err; }
- ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
- }
-- memcpy(data,p,(int)len);
-+ memcpy(data,p,length);
- /* reattach data to object, after which it remains const */
- ret->data =data;
-- ret->length=(int)len;
-+ ret->length=length;
- ret->sn=NULL;
- ret->ln=NULL;
- /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
-- p+=len;
-+ p+=length;
- 
- if (a != NULL) (*a)=ret;
- *pp=p;
-diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
-index 8a342ba..0b2f442 100644
---- a/a/crypto/objects/obj_dat.c
-+++ b/b/crypto/objects/obj_dat.c
-@@ -471,11 +471,12 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- const unsigned char *p;
- char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
- 
-- if ((a == NULL) || (a->data == NULL)) {
-- buf[0]='\0';
-- return(0);
-- }
-+ /* Ensure that, at every state, |buf| is NUL-terminated. 
*/
-+ if (buf && buf_len > 0)
-+ buf[0] = '\0';
- 
-+ if ((a == NULL) || (a->data == NULL))
-+ return(0);
- 
- if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef)
- {
-@@ -554,9 +555,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- i=(int)(l/40);
- l-=(long)(i*40);
- }
-- if (buf && (buf_len > 0))
-+ if (buf && (buf_len > 1))
- {
- *buf++ = i + '0';
-+ *buf = '\0';
- buf_len--;
- }
- n++;
-@@ -571,9 +573,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- i = strlen(bndec);
- if (buf)
- {
-- if (buf_len > 0)
-+ if (buf_len > 1)
- {
- *buf++ = '.';
-+ *buf = '\0';
- buf_len--;
- }
- BUF_strlcpy(buf,bndec,buf_len);
-@@ -807,4 +810,3 @@ err:
- OPENSSL_free(buf);
- return(ok);
- }
--
---
-1.8.3.1
- 
diff --git a/external/openssl/CVE-2014-3509.patch b/external/openssl/CVE-2014-3509.patch
deleted file mode 100644
index 45c9462..0000000
--- a/external/openssl/CVE-2014-3509.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 86788e1ee6908a5b3a4c95fa80caa4b724a8a434 Mon Sep 17 00:00:00 2001
-From: Gabor Tyukasz <gabor.tyuk...@logmein.com>
-Date: Wed, 23 Jul 2014 23:42:06 +0200
-Subject: [PATCH] Fix race condition in ssl_parse_serverhello_tlsext
-
-CVE-2014-3509
-Reviewed-by: Tim Hudson <t...@openssl.org>
-Reviewed-by: Dr. Stephen Henson <st...@openssl.org>
----
- ssl/t1_lib.c | 17 ++++++++++-------
- 1 file changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 8167a51..022a4fb 100644
---- a/a/ssl/t1_lib.c
-+++ b/b/ssl/t1_lib.c
-@@ -1555,15 +1555,18 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
- *al = TLS1_AD_DECODE_ERROR;
- return 0;
- }
-- s->session->tlsext_ecpointformatlist_length = 0;
-- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
-+ if (!s->hit)
- {
-- *al = TLS1_AD_INTERNAL_ERROR;
-- return 0;
-+ s->session->tlsext_ecpointformatlist_length = 0;
-+ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
-+ {
-+ *al = TLS1_AD_INTERNAL_ERROR;
-+ return 0;
-+ }
-+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
- }
-- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
- #if 0
- fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
- sdata = s->session->tlsext_ecpointformatlist;
---
-1.8.3.1
- 
diff --git a/external/openssl/CVE-2014-3510.patch b/external/openssl/CVE-2014-3510.patch
deleted file mode 100644
index 5cdc5d7..0000000
--- a/external/openssl/CVE-2014-3510.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 88ae012c8092852f03c50f6461175271104b4c8a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Emilia=20K=C3=A4sper?= <emi...@openssl.org>
-Date: Thu, 24 Jul 2014 22:15:29 +0200
-Subject: [PATCH] Fix DTLS anonymous EC(DH) denial of service
-
-CVE-2014-3510
-
-Reviewed-by: Dr. Stephen Henson <st...@openssl.org>
----
- ssl/d1_clnt.c | 23 +++++++++++++++++++++--
- ssl/s3_clnt.c | 7 +++++++
- 2 files changed, 28 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
-index 65dbb4a..fd6562c 100644
---- a/a/ssl/d1_clnt.c
-+++ b/b/ssl/d1_clnt.c
-@@ -996,6 +996,13 @@ int dtls1_send_client_key_exchange(SSL *s)
- RSA *rsa;
- unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
- 
-+ if (s->session->sess_cert == NULL)
-+ {
-+ /* We should always have a server certificate with SSL_kRSA. */
-+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+
- if (s->session->sess_cert->peer_rsa_tmp != NULL)
- rsa=s->session->sess_cert->peer_rsa_tmp;
- else
-@@ -1186,6 +1193,13 @@ int dtls1_send_client_key_exchange(SSL *s)
- {
- DH *dh_srvr,*dh_clnt;
- 
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- if (s->session->sess_cert->peer_dh_tmp != NULL)
- dh_srvr=s->session->sess_cert->peer_dh_tmp;
- else
-@@ -1245,6 +1259,13 @@ int dtls1_send_client_key_exchange(SSL *s)
- int ecdh_clnt_cert = 0;
- int field_size = 0;
- 
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- /* Did we send out the client's
- * ECDH share for use in premaster
- * computation as part of client certificate? 
-@@ -1720,5 +1741,3 @@ int dtls1_send_client_certificate(SSL *s)
- /* SSL3_ST_CW_CERT_D */
- return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
- }
--
--
-diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
-index 2afb892..df05f78 100644
---- a/a/ssl/s3_clnt.c
-+++ b/b/ssl/s3_clnt.c
-@@ -2253,6 +2253,13 @@ int ssl3_send_client_key_exchange(SSL *s)
- RSA *rsa;
- unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
- 
-+ if (s->session->sess_cert == NULL)
-+ {
-+ /* We should always have a server certificate with SSL_kRSA. */
-+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+
- if (s->session->sess_cert->peer_rsa_tmp != NULL)
- rsa=s->session->sess_cert->peer_rsa_tmp;
- else
---
-1.8.3.1
- 
diff --git a/external/openssl/CVE-2014-3511.patch b/external/openssl/CVE-2014-3511.patch
deleted file mode 100644
index 4b5b9c6..0000000
--- a/external/openssl/CVE-2014-3511.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From fc4f4cdb8bf9981904e652abf69b892a45bddacf Mon Sep 17 00:00:00 2001
-From: David Benjamin <david...@google.com>
-Date: Wed, 23 Jul 2014 22:32:21 +0200
-Subject: [PATCH] Fix protocol downgrade bug in case of fragmented packets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CVE-2014-3511
-
-Reviewed-by: Emilia Käsper <emi...@openssl.org>
-Reviewed-by: Bodo Möller <b...@openssl.org>
----
- ssl/s23_srvr.c | 30 +++++++++++++++++++++++-------
- 1 file changed, 23 insertions(+), 7 deletions(-)
-
-diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
-index 4877849..2901a6b 100644
---- a/a/ssl/s23_srvr.c
-+++ b/b/ssl/s23_srvr.c
-@@ -348,23 +348,19 @@ int ssl23_get_client_hello(SSL *s)
- * Client Hello message, this would be difficult, and we'd have
- * to read more records to find out.
- * No known SSL 3.0 client fragments ClientHello like this,
-- * so we simply assume TLS 1.0 to avoid protocol version downgrade
-- * attacks. */
-+ * so we simply reject such connections to avoid
-+ * protocol version downgrade attacks. */
- if (p[3] == 0 && p[4] < 6)
- {
--#if 0
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
- goto err;
--#else
-- v[1] = TLS1_VERSION_MINOR;
--#endif
- }
- /* if major version number > 3 set minor to a value
- * which will use the highest version 3 we support.
- * If TLS 2.0 ever appears we will need to revise
- * this....
- */
-- else if (p[9] > SSL3_VERSION_MAJOR)
-+ if (p[9] > SSL3_VERSION_MAJOR)
- v[1]=0xff;
- else
- v[1]=p[10]; /* minor version according to client_version */
-@@ -444,14 +440,34 @@ int ssl23_get_client_hello(SSL *s)
- v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
- v[1] = p[4];
- 
-+ /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
-+ * header is sent directly on the wire, not wrapped as a TLS
-+ * record. 
It's format is:
-+ * Byte Content
-+ * 0-1 msg_length
-+ * 2 msg_type
-+ * 3-4 version
-+ * 5-6 cipher_spec_length
-+ * 7-8 session_id_length
-+ * 9-10 challenge_length
-+ * ... ...
-+ */
- n=((p[0]&0x7f)<<8)|p[1];
- if (n > (1024*4))
- {
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
- goto err;
- }
-+ if (n < 9)
-+ {
-+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
-+ goto err;
-+ }
- 
- j=ssl23_read_bytes(s,n+2);
-+ /* We previously read 11 bytes, so if j > 0, we must have
-+ * j == n+2 == s->packet_length. We have at least 11 valid
-+ * packet bytes. */
- if (j <= 0) return(j);
- 
- ssl3_finish_mac(s, s->packet+2, s->packet_length-2);
---
-1.8.3.1
- 
diff --git a/external/openssl/CVE-2014-3513.patch b/external/openssl/CVE-2014-3513.patch
deleted file mode 100644
index 96d4584..0000000
--- a/external/openssl/CVE-2014-3513.patch
+++ /dev/null
@@ -1,186 +0,0 @@ -diff -up openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak openssl-1.0.1e/ssl/d1_srtp.c ---- a/a/ssl/d1_srtp.c.srtp-leak 2013-02-11 16:26:04.000000000 +0100 -+++ b/b/ssl/d1_srtp.c 2014-10-15 13:23:34.253040160 +0200 -@@ -168,25 +168,6 @@ static int find_profile_by_name(char *pr - return 1; - } - --static int find_profile_by_num(unsigned profile_num, -- SRTP_PROTECTION_PROFILE **pptr) -- { -- SRTP_PROTECTION_PROFILE *p; -- -- p=srtp_known_profiles; -- while(p->name) -- { -- if(p->id == profile_num) -- { -- *pptr=p; -- return 0; -- } -- p++; -- } -- -- return 1; -- } -- - static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out) - { - STACK_OF(SRTP_PROTECTION_PROFILE) *profiles; -@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const c - if(!find_profile_by_name(ptr,&p, - col ? col-ptr : (int)strlen(ptr))) - { -+ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0) -+ { -+ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); -+ sk_SRTP_PROTECTION_PROFILE_free(profiles); -+ return 1; -+ } -+ - sk_SRTP_PROTECTION_PROFILE_push(profiles,p); - } - else - { - SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE); -+ sk_SRTP_PROTECTION_PROFILE_free(profiles); - return 1; - } - -@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL - - int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al) - { -- SRTP_PROTECTION_PROFILE *cprof,*sprof; -- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr; -+ SRTP_PROTECTION_PROFILE *sprof; -+ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr; - int ct; - int mki_len; -- int i,j; -- int id; -- int ret; -+ int i, srtp_pref; -+ unsigned int id; - - /* Length value + the MKI length */ - if(len < 3) -@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(S - return 1; - } - -+ srvr=SSL_get_srtp_profiles(s); -+ s->srtp_profile = NULL; -+ /* Search all profiles for a match initially */ -+ srtp_pref = 
sk_SRTP_PROTECTION_PROFILE_num(srvr); - -- clnt=sk_SRTP_PROTECTION_PROFILE_new_null(); -- - while(ct) - { - n2s(d,id); - ct-=2; - len-=2; - -- if(!find_profile_by_num(id,&cprof)) -+ /* -+ * Only look for match in profiles of higher preference than -+ * current match. -+ * If no profiles have been have been configured then this -+ * does nothing. -+ */ -+ for (i = 0; i < srtp_pref; i++) - { -- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof); -- } -- else -- { -- ; /* Ignore */ -+ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i); -+ if (sprof->id == id) -+ { -+ s->srtp_profile = sprof; -+ srtp_pref = i; -+ break; -+ } - } - } - -@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(S - return 1; - } - -- srvr=SSL_get_srtp_profiles(s); -- -- /* Pick our most preferred profile. If no profiles have been -- configured then the outer loop doesn't run -- (sk_SRTP_PROTECTION_PROFILE_num() = -1) -- and so we just return without doing anything */ -- for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++) -- { -- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i); -- -- for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++) -- { -- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j); -- -- if(cprof->id==sprof->id) -- { -- s->srtp_profile=sprof; -- *al=0; -- ret=0; -- goto done; -- } -- } -- } -- -- ret=0; -- --done: -- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt); -- -- return ret; -+ return 0; - } - - int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen) -diff -up openssl-1.0.1e/ssl/t1_lib.c.srtp-leak openssl-1.0.1e/ssl/t1_lib.c ---- a/a/ssl/t1_lib.c.srtp-leak 2014-10-15 13:19:59.955202293 +0200 -+++ b/b/ssl/t1_lib.c 2014-10-15 13:23:34.254040182 +0200 -@@ -696,7 +696,7 @@ unsigned char *ssl_add_clienthello_tlsex - #endif - - #ifndef OPENSSL_NO_SRTP -- if(SSL_get_srtp_profiles(s)) -+ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) - { - int el; - -@@ -829,7 +829,7 @@ unsigned char *ssl_add_serverhello_tlsex - #endif - - #ifndef OPENSSL_NO_SRTP -- 
if(s->srtp_profile) -+ if(SSL_IS_DTLS(s) && s->srtp_profile) - { - int el; - -@@ -1377,7 +1377,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, - - /* session ticket processed earlier */ - #ifndef OPENSSL_NO_SRTP -- else if (type == TLSEXT_TYPE_use_srtp) -+ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) -+ && type == TLSEXT_TYPE_use_srtp) - { - if(ssl_parse_clienthello_use_srtp_ext(s, data, size, - al)) -@@ -1631,7 +1632,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, - } - #endif - #ifndef OPENSSL_NO_SRTP -- else if (type == TLSEXT_TYPE_use_srtp) -+ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) - { - if(ssl_parse_serverhello_use_srtp_ext(s, data, size, - al)) diff --git a/external/openssl/CVE-2014-3566.patch b/external/openssl/CVE-2014-3566.patch deleted file mode 100644 index c9b37a7..0000000 --- a/external/openssl/CVE-2014-3566.patch +++ /dev/null 
@@ -1,466 +0,0 @@ -diff -up openssl-1.0.1e/apps/s_client.c.fallback-scsv openssl-1.0.1e/apps/s_client.c ---- a/a/apps/s_client.c.fallback-scsv 2014-10-15 17:06:01.000000000 +0200 -+++ b/b/apps/s_client.c 2014-10-15 17:07:36.392502320 +0200 -@@ -336,6 +336,7 @@ static void sc_usage(void) - BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n"); - BIO_printf(bio_err," -tls1 - just use TLSv1\n"); - BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); -+ BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n"); - BIO_printf(bio_err," -mtu - set the link layer MTU\n"); - BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); - BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); -@@ -616,6 +617,7 @@ int MAIN(int argc, char **argv) - char *sess_out = NULL; - struct sockaddr peer; - int peerlen = sizeof(peer); -+ int fallback_scsv = 0; - int enable_timeouts = 0 ; - long socket_mtu = 0; - #ifndef OPENSSL_NO_JPAKE -@@ -829,6 +831,10 @@ int MAIN(int argc, char **argv) - socket_mtu = atol(*(++argv)); - } - #endif -+ else if (strcmp(*argv,"-fallback_scsv") == 0) -+ { -+ fallback_scsv = 1; -+ } - else if (strcmp(*argv,"-bugs") == 0) - bugs=1; - else if (strcmp(*argv,"-keyform") == 0) -@@ -1240,6 +1246,10 @@ bad: - SSL_set_session(con, sess); - SSL_SESSION_free(sess); - } -+ -+ if (fallback_scsv) -+ SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); -+ - #ifndef OPENSSL_NO_TLSEXT - if (servername != NULL) - { -diff -up openssl-1.0.1e/doc/apps/s_client.pod.fallback-scsv openssl-1.0.1e/doc/apps/s_client.pod ---- a/a/doc/apps/s_client.pod.fallback-scsv 2014-10-15 17:06:01.000000000 +0200 -+++ b/b/doc/apps/s_client.pod 2014-10-15 17:08:17.354427053 +0200 -@@ -34,6 +34,7 @@ - [B<-no_ssl2>] - [B<-no_ssl3>] - [B<-no_tls1>] -+[B<-fallback_scsv>] - [B<-bugs>] - [B<-cipher cipherlist>] - [B<-starttls protocol>] -@@ -187,6 +188,10 @@ - work if TLS is turned off with the B<-no_tls> option others will only - support 
SSL v2 and may need the B<-ssl2> option. - -+=item B<-fallback_scsv> -+ -+Send TLS_FALLBACK_SCSV in the ClientHello. -+ - =item B<-bugs> - - there are several known bug in SSL and TLS implementations. Adding this -diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod.fallback-scsv openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod ---- a/a/doc/ssl/SSL_CTX_set_mode.pod.fallback-scsv 2013-02-11 16:26:04.000000000 +0100 -+++ b/b/doc/ssl/SSL_CTX_set_mode.pod 2014-10-15 17:09:57.577689637 +0200 -@@ -71,6 +71,12 @@ SSL_CTX->freelist_max_len, which default - save around 34k per idle SSL connection. - This flag has no effect on SSL v2 connections, or on DTLS connections. - -+=item SSL_MODE_SEND_FALLBACK_SCSV -+ -+Send TLS_FALLBACK_SCSV in the ClientHello. -+To be set by applications that reconnect with a downgraded protocol -+version; see draft-ietf-tls-downgrade-scsv-00 for details. -+ - =back - - =head1 RETURN VALUES -diff -up openssl-1.0.1e/ssl/dtls1.h.fallback-scsv openssl-1.0.1e/ssl/dtls1.h ---- a/a/ssl/dtls1.h.fallback-scsv 2014-10-15 14:39:30.862907615 +0200 -+++ b/b/ssl/dtls1.h 2014-10-15 14:39:30.973910121 +0200 -@@ -84,6 +84,8 @@ extern "C" { - #endif - - #define DTLS1_VERSION 0xFEFF -+#define DTLS_MAX_VERSION DTLS1_VERSION -+ - #define DTLS1_BAD_VER 0x0100 - - #if 0 -@@ -284,4 +286,3 @@ typedef struct dtls1_record_data_st - } - #endif - #endif -- -diff -up openssl-1.0.1e/ssl/d1_lib.c.fallback-scsv openssl-1.0.1e/ssl/d1_lib.c ---- a/a/ssl/d1_lib.c.fallback-scsv 2014-10-15 14:39:30.911908721 +0200 -+++ b/b/ssl/d1_lib.c 2014-10-15 14:39:30.973910121 +0200 -@@ -263,6 +263,16 @@ long dtls1_ctrl(SSL *s, int cmd, long la - case DTLS_CTRL_LISTEN: - ret = dtls1_listen(s, parg); - break; -+ case SSL_CTRL_CHECK_PROTO_VERSION: -+ /* For library-internal use; checks that the current protocol -+ * is the highest enabled version (according to s->ctx->method, -+ * as version negotiation may have changed s->method). 
*/ -+#if DTLS_MAX_VERSION != DTLS1_VERSION -+# error Code needs update for DTLS_method() support beyond DTLS1_VERSION. -+#endif -+ /* Just one protocol version is supported so far; -+ * fail closed if the version is not as expected. */ -+ return s->version == DTLS_MAX_VERSION; - - default: - ret = ssl3_ctrl(s, cmd, larg, parg); -diff -up openssl-1.0.1e/ssl/ssl_err.c.fallback-scsv openssl-1.0.1e/ssl/ssl_err.c ---- a/a/ssl/ssl_err.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100 -+++ b/b/ssl/ssl_err.c 2014-10-15 14:39:30.973910121 +0200 -@@ -382,6 +382,7 @@ static ERR_STRING_DATA SSL_str_reasons[] - {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"}, - {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"}, - {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"}, -+{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"}, - {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"}, - {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"}, - {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"}, -@@ -528,6 +529,7 @@ static ERR_STRING_DATA SSL_str_reasons[] - {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"}, -+{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"}, -diff -up openssl-1.0.1e/ssl/ssl.h.fallback-scsv openssl-1.0.1e/ssl/ssl.h ---- a/a/ssl/ssl.h.fallback-scsv 2014-10-15 14:39:30.940909375 +0200 -+++ b/b/ssl/ssl.h 2014-10-15 14:41:46.174962343 +0200 -@@ -641,6 +641,10 @@ - * TLS only.) 
"Released" buffers are put onto a free-list in the context - * or just freed (depending on the context's setting for freelist_max_len). */ - #define SSL_MODE_RELEASE_BUFFERS 0x00000010L -+/* Send TLS_FALLBACK_SCSV in the ClientHello. -+ * To be set by applications that reconnect with a downgraded protocol -+ * version; see draft-ietf-tls-downgrade-scsv-00 for details. */ -+#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L - - /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, - * they cannot be used to clear bits. */ -@@ -1499,6 +1503,7 @@ - #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE - #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE - #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ -+#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */ - - #define SSL_ERROR_NONE 0 - #define SSL_ERROR_SSL 1 -@@ -1609,6 +1614,8 @@ - #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 - #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83 - -+#define SSL_CTRL_CHECK_PROTO_VERSION 119 -+ - #define DTLSv1_get_timeout(ssl, arg) \ - SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) - #define DTLSv1_handle_timeout(ssl) \ -@@ -2362,6 +2369,7 @@ - #define SSL_R_HTTPS_PROXY_REQUEST 155 - #define SSL_R_HTTP_REQUEST 156 - #define SSL_R_ILLEGAL_PADDING 283 -+#define SSL_R_INAPPROPRIATE_FALLBACK 373 - #define SSL_R_INCONSISTENT_COMPRESSION 340 - #define SSL_R_INVALID_CHALLENGE_LENGTH 158 - #define SSL_R_INVALID_COMMAND 280 -@@ -2508,6 +2516,7 @@ - #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 - #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 - #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 -+#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 - #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 - #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 - #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 -diff -up openssl-1.0.1e/ssl/ssl_lib.c.fallback-scsv 
openssl-1.0.1e/ssl/ssl_lib.c ---- a/a/ssl/ssl_lib.c.fallback-scsv 2014-10-15 14:39:30.912908743 +0200 -+++ b/b/ssl/ssl_lib.c 2014-10-15 14:39:30.975910166 +0200 -@@ -1383,6 +1383,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC - - if (sk == NULL) return(0); - q=p; -+ if (put_cb == NULL) -+ put_cb = s->method->put_cipher_by_char; - - for (i=0; i<sk_SSL_CIPHER_num(sk); i++) - { -@@ -1402,24 +1404,36 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC - s->psk_client_callback == NULL) - continue; - #endif /* OPENSSL_NO_PSK */ -- j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); -+ j = put_cb(c,p); - p+=j; - } -- /* If p == q, no ciphers and caller indicates an error. Otherwise -- * add SCSV if not renegotiating. -- */ -- if (p != q && !s->renegotiate) -+ /* If p == q, no ciphers; caller indicates an error. -+ * Otherwise, add applicable SCSVs. */ -+ if (p != q) - { -- static SSL_CIPHER scsv = -+ if (!s->renegotiate) - { -- 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 -- }; -- j = put_cb ? 
put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p); -- p+=j; -+ static SSL_CIPHER scsv = -+ { -+ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 -+ }; -+ j = put_cb(&scsv,p); -+ p+=j; - #ifdef OPENSSL_RI_DEBUG -- fprintf(stderr, "SCSV sent by client\n"); -+ fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n"); - #endif -- } -+ } -+ -+ if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) -+ { -+ static SSL_CIPHER scsv = -+ { -+ 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 -+ }; -+ j = put_cb(&scsv,p); -+ p+=j; -+ } -+ } - - return(p-q); - } -@@ -1430,11 +1444,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe - const SSL_CIPHER *c; - STACK_OF(SSL_CIPHER) *sk; - int i,n; -+ - if (s->s3) - s->s3->send_connection_binding = 0; - - n=ssl_put_cipher_by_char(s,NULL,NULL); -- if ((num%n) != 0) -+ if (n == 0 || (num%n) != 0) - { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); - return(NULL); -@@ -1449,7 +1464,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe - - for (i=0; i<num; i+=n) - { -- /* Check for SCSV */ -+ /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */ - if (s->s3 && (n != 3 || !p[0]) && - (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && - (p[n-1] == (SSL3_CK_SCSV & 0xff))) -@@ -1469,6 +1484,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe - continue; - } - -+ /* Check for TLS_FALLBACK_SCSV */ -+ if ((n != 3 || !p[0]) && -+ (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) && -+ (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) -+ { -+ /* The SCSV indicates that the client previously tried a higher version. -+ * Fail if the current version is an unexpected downgrade. 
*/ -+ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) -+ { -+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK); -+ if (s->s3) -+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK); -+ goto err; -+ } -+ continue; -+ } -+ - c=ssl_get_cipher_by_char(s,p); - p+=n; - if (c != NULL) -diff -up openssl-1.0.1e/ssl/ssl3.h.fallback-scsv openssl-1.0.1e/ssl/ssl3.h ---- a/a/ssl/ssl3.h.fallback-scsv 2014-10-15 14:39:30.949909579 +0200 -+++ b/b/ssl/ssl3.h 2014-10-15 14:39:30.975910166 +0200 -@@ -128,9 +128,14 @@ - extern "C" { - #endif - --/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */ -+/* Signalling cipher suite value from RFC 5746 -+ * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */ - #define SSL3_CK_SCSV 0x030000FF - -+/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00 -+ * (TLS_FALLBACK_SCSV) */ -+#define SSL3_CK_FALLBACK_SCSV 0x03005600 -+ - #define SSL3_CK_RSA_NULL_MD5 0x03000001 - #define SSL3_CK_RSA_NULL_SHA 0x03000002 - #define SSL3_CK_RSA_RC4_40_MD5 0x03000003 -diff -up openssl-1.0.1e/ssl/s2_lib.c.fallback-scsv openssl-1.0.1e/ssl/s2_lib.c ---- a/a/ssl/s2_lib.c.fallback-scsv 2014-10-15 14:39:30.901908495 +0200 -+++ b/b/ssl/s2_lib.c 2014-10-15 14:39:30.975910166 +0200 -@@ -391,6 +391,8 @@ long ssl2_ctrl(SSL *s, int cmd, long lar - case SSL_CTRL_GET_SESSION_REUSED: - ret=s->hit; - break; -+ case SSL_CTRL_CHECK_PROTO_VERSION: -+ return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg); - default: - break; - } -@@ -437,7 +439,7 @@ int ssl2_put_cipher_by_char(const SSL_CI - if (p != NULL) - { - l=c->id; -- if ((l & 0xff000000) != 0x02000000) return(0); -+ if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0); - p[0]=((unsigned char)(l>>16L))&0xFF; - p[1]=((unsigned char)(l>> 8L))&0xFF; - p[2]=((unsigned char)(l ))&0xFF; -diff -up openssl-1.0.1e/ssl/s23_clnt.c.fallback-scsv openssl-1.0.1e/ssl/s23_clnt.c ---- a/a/ssl/s23_clnt.c.fallback-scsv 2013-02-11 16:26:04.000000000 
+0100 -+++ b/b/ssl/s23_clnt.c 2014-10-15 14:39:30.975910166 +0200 -@@ -715,6 +715,9 @@ static int ssl23_get_server_hello(SSL *s - goto err; - } - -+ /* ensure that TLS_MAX_VERSION is up-to-date */ -+ OPENSSL_assert(s->version <= TLS_MAX_VERSION); -+ - if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) - { - /* fatal alert */ -diff -up openssl-1.0.1e/ssl/s23_srvr.c.fallback-scsv openssl-1.0.1e/ssl/s23_srvr.c ---- a/a/ssl/s23_srvr.c.fallback-scsv 2014-10-15 14:39:30.966909962 +0200 -+++ b/b/ssl/s23_srvr.c 2014-10-15 14:39:30.976910188 +0200 -@@ -421,6 +421,9 @@ int ssl23_get_client_hello(SSL *s) - } - } - -+ /* ensure that TLS_MAX_VERSION is up-to-date */ -+ OPENSSL_assert(s->version <= TLS_MAX_VERSION); -+ - #ifdef OPENSSL_FIPS - if (FIPS_mode() && (s->version < TLS1_VERSION)) - { -diff -up openssl-1.0.1e/ssl/s3_enc.c.fallback-scsv openssl-1.0.1e/ssl/s3_enc.c ---- a/a/ssl/s3_enc.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100 -+++ b/b/ssl/s3_enc.c 2014-10-15 14:39:30.976910188 +0200 -@@ -892,7 +892,7 @@ int ssl3_alert_code(int code) - case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE); - case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE); - case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); -+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK); - default: return(-1); - } - } -- -diff -up openssl-1.0.1e/ssl/s3_lib.c.fallback-scsv openssl-1.0.1e/ssl/s3_lib.c ---- a/a/ssl/s3_lib.c.fallback-scsv 2014-10-15 14:39:30.941909398 +0200 -+++ b/b/ssl/s3_lib.c 2014-10-15 14:39:30.976910188 +0200 -@@ -3350,6 +3350,33 @@ - #endif - - #endif /* !OPENSSL_NO_TLSEXT */ -+ -+ case SSL_CTRL_CHECK_PROTO_VERSION: -+ /* For library-internal use; checks that the current protocol -+ * is the highest enabled version (according to s->ctx->method, -+ * as version negotiation may have changed s->method). 
*/ -+ if (s->version == s->ctx->method->version) -+ return 1; -+ /* Apparently we're using a version-flexible SSL_METHOD -+ * (not at its highest protocol version). */ -+ if (s->ctx->method->version == SSLv23_method()->version) -+ { -+#if TLS_MAX_VERSION != TLS1_2_VERSION -+# error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION. -+#endif -+ if (!(s->options & SSL_OP_NO_TLSv1_2)) -+ return s->version == TLS1_2_VERSION; -+ if (!(s->options & SSL_OP_NO_TLSv1_1)) -+ return s->version == TLS1_1_VERSION; -+ if (!(s->options & SSL_OP_NO_TLSv1)) -+ return s->version == TLS1_VERSION; -+ if (!(s->options & SSL_OP_NO_SSLv3)) -+ return s->version == SSL3_VERSION; -+ if (!(s->options & SSL_OP_NO_SSLv2)) -+ return s->version == SSL2_VERSION; -+ } -+ return 0; /* Unexpected state; fail closed. */ -+ - default: - break; - } -@@ -3709,6 +3736,7 @@ - break; - #endif - #endif -+ - default: - return(0); - } -@@ -4279,4 +4307,3 @@ - return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; - return alg2; - } -- -diff -up openssl-1.0.1e/ssl/tls1.h.fallback-scsv openssl-1.0.1e/ssl/tls1.h ---- a/a/ssl/tls1.h.fallback-scsv 2014-10-15 14:39:30.775905650 +0200 -+++ b/b/ssl/tls1.h 2014-10-15 14:39:30.976910188 +0200 -@@ -159,17 +159,19 @@ extern "C" { - - #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 - -+#define TLS1_VERSION 0x0301 -+#define TLS1_1_VERSION 0x0302 - #define TLS1_2_VERSION 0x0303 --#define TLS1_2_VERSION_MAJOR 0x03 --#define TLS1_2_VERSION_MINOR 0x03 -+#define TLS_MAX_VERSION TLS1_2_VERSION -+ -+#define TLS1_VERSION_MAJOR 0x03 -+#define TLS1_VERSION_MINOR 0x01 - --#define TLS1_1_VERSION 0x0302 - #define TLS1_1_VERSION_MAJOR 0x03 - #define TLS1_1_VERSION_MINOR 0x02 - --#define TLS1_VERSION 0x0301 --#define TLS1_VERSION_MAJOR 0x03 --#define TLS1_VERSION_MINOR 0x01 -+#define TLS1_2_VERSION_MAJOR 0x03 -+#define TLS1_2_VERSION_MINOR 0x03 - - #define TLS1_get_version(s) \ - ((s->version >> 8) == TLS1_VERSION_MAJOR ? 
s->version : 0)
-@@ -187,6 +189,7 @@ extern "C" {
- #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
- #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
- #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
-+#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */
- #define TLS1_AD_USER_CANCELLED 90
- #define TLS1_AD_NO_RENEGOTIATION 100
- /* codes 110-114 are from RFC3546 */
-diff -up openssl-1.0.1e/ssl/t1_enc.c.fallback-scsv openssl-1.0.1e/ssl/t1_enc.c
---- a/a/ssl/t1_enc.c.fallback-scsv 2014-10-15 14:39:30.936909285 +0200
-+++ b/b/ssl/t1_enc.c 2014-10-15 14:39:30.977910211 +0200
-@@ -1265,6 +1265,7 @@ int tls1_alert_code(int code)
- case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
- case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
- case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
-+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
- #if 0 /* not appropriate for TLS, not used for DTLS */
- case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
- (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
diff --git a/external/openssl/CVE-2014-3567.patch b/external/openssl/CVE-2014-3567.patch
deleted file mode 100644
index db158f3..0000000
--- a/external/openssl/CVE-2014-3567.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up openssl-1.0.1e/ssl/t1_lib.c.ticket-leak openssl-1.0.1e/ssl/t1_lib.c
---- a/a/ssl/t1_lib.c.ticket-leak 2014-10-15 13:19:26.825454374 +0200
-+++ b/b/ssl/t1_lib.c 2014-10-15 13:19:59.955202293 +0200
-@@ -2280,7 +2280,10 @@ static int tls_decrypt_ticket(SSL *s, co
- HMAC_Final(&hctx, tick_hmac, NULL);
- HMAC_CTX_cleanup(&hctx);
- if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
-+ {
-+ EVP_CIPHER_CTX_cleanup(&ctx);
- return 2;
-+ }
- /* Attempt to decrypt session data */
- /* Move p after IV to start of encrypted ticket, update length */
- p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk
index cbb7745..cec09d2 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -91,26 +91,6 @@ $(eval $(call gb_UnpackedTarball_fix_end_of_line,openssl,\
 ))
 $(eval $(call gb_UnpackedTarball_add_patches,openssl,\
- external/openssl/CVE-2013-6449.patch \
- external/openssl/CVE-2013-6450.patch \
- external/openssl/CVE-2013-4353.patch \
- external/openssl/CVE-2014-0160.patch \
- external/openssl/CVE-2010-5298.patch \
- external/openssl/CVE-2014-0195.patch \
- external/openssl/CVE-2014-0198.patch \
- external/openssl/CVE-2014-0221.patch \
- external/openssl/CVE-2014-0224.patch \
- external/openssl/CVE-2014-3470.patch \
- external/openssl/CVE-2014-3505.patch \
- external/openssl/CVE-2014-3506.patch \
- external/openssl/CVE-2014-3507.patch \
- external/openssl/CVE-2014-3508.patch \
- external/openssl/CVE-2014-3509.patch \
- external/openssl/CVE-2014-3510.patch \
- external/openssl/CVE-2014-3511.patch \
- external/openssl/CVE-2014-3513.patch \
- external/openssl/CVE-2014-3567.patch \
- external/openssl/CVE-2014-3566.patch \
 $(if $(filter LINUX FREEBSD ANDROID,$(OS)),external/openssl/openssllnx.patch) \
 $(if $(filter WNTGCC,$(OS)$(COM)),external/openssl/opensslmingw.patch) \
 $(if $(filter MSC,$(COM)),external/openssl/opensslwnt.patch) \
commit 4e6ab0aea8473ba36c692c6fb1e15fce7e37b5ef
Author: Caolán McNamara <caol...@redhat.com>
Date: Wed Feb 25 10:50:59 2015 +0000
check if reads were successful
Reviewed-on: https://gerrit.libreoffice.org/14631
Reviewed-by: Caolán McNamara <caol...@redhat.com>
Tested-by: Caolán McNamara <caol...@redhat.com>
(cherry picked from commit f974db5d89eacf0c23e303c22c62972014e9db16)
Conflicts:
hwpfilter/source/hiodev.cxx
hwpfilter/source/hiodev.h
hwpfilter/source/hwpfile.cxx
Reviewed-on: https://gerrit.libreoffice.org/14654
Tested-by: Michael Stahl <mst...@redhat.com>
Reviewed-by: Michael Stahl <mst...@redhat.com>
(cherry picked from commit f2d49715c176c80c4b0fa3a7799d610eb5afec88)
(cherry picked from commit 49c4b067f5c209b40d06804c2399fb1706b92282)
Conflicts:
hwpfilter/source/drawdef.h
hwpfilter/source/hiodev.h
Change-Id: 
I69ab0ca9c017c9a1c10d18fd850f32a92c641d12 diff --git a/hwpfilter/source/drawdef.h b/hwpfilter/source/drawdef.h index c5861e7..7f310db 100644 --- a/hwpfilter/source/drawdef.h +++ b/hwpfilter/source/drawdef.h @@ -77,11 +77,11 @@ struct BAREHWPDOProperty int line_pstyle; int line_hstyle; int line_tstyle; - DWORD line_color; + unsigned int line_color; hunit line_width; - DWORD fill_color; + unsigned int fill_color; uint pattern_type; - DWORD pattern_color; + unsigned int pattern_color; hunit hmargin; hunit vmargin; uint flag; @@ -127,14 +127,14 @@ struct RotationProperty */ struct HWPDOProperty { - int line_pstyle; /* ¼± Áß°£ ¸ð¾ç */ - int line_hstyle; /* ³¡ È»ìÇ¥ ¸ð¾ç */ - int line_tstyle; /* ½ÃÀÛ ¸ð¾ç */ - DWORD line_color; + int line_pstyle; /* ì ì¤ê° 모ì */ + int line_hstyle; /* ë íì´í 모ì */ + int line_tstyle; /* ìì 모ì */ + unsigned int line_color; hunit line_width; - DWORD fill_color; + unsigned int fill_color; uint pattern_type; - DWORD pattern_color; + unsigned int pattern_color; hunit hmargin; hunit vmargin; uint flag; diff --git a/hwpfilter/source/drawing.h b/hwpfilter/source/drawing.h index de8afcf..46f3bc3 100644 --- a/hwpfilter/source/drawing.h +++ b/hwpfilter/source/drawing.h @@ -124,7 +124,6 @@ inline bool HAS_PAT(HWPDrawingObject * hdo) HAVE_GRADATION(hdo) || HAVE_BITMAP_PATTERN(hdo); } - static void SetHdoParallRgn(HWPDrawingObject * hdo, int width, int height) { hdo->property.parall.pt[0].x = 0; 
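Review bot: The rewritten comments on `line_pstyle`, `line_hstyle` and `line_tstyle` in the HWPDOProperty hunk are still unreadable: the old bytes were EUC-KR text displayed as Latin-1, and the new text looks like that text transcoded a second time rather than repaired. Decoding the old bytes as EUC-KR gives approximately "line middle shape", "end arrow shape" and "start shape", so English comments would serve the next reader better, e.g. `int line_pstyle; /* line body (pattern) style */`, `int line_hstyle; /* end arrow-head style */`, `int line_tstyle; /* start (tail) style */`, marked as a best-effort translation. The DWORD to unsigned int change itself is fine, but since the typedef name no longer says so, a short `/* 32-bit colour value */` on `line_color`, `fill_color` and `pattern_color` would preserve that information.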
@@ -135,37 +134,37 @@ static void SetHdoParallRgn(HWPDrawingObject * hdo, int width, int height) hdo->property.parall.pt[2].y = height; } - static bool SkipPrivateBlock(int type) { int n; if (type == OBJRET_FILE_NO_PRIVATE_BLOCK) { - n = hmem->read4b(); + if (!hmem->read4b(n)) + return false; if (hmem->state() || hmem->skipBlock(n) != n) return false; } - n = hmem->read4b(); + if (!hmem->read4b(n)) + return false; if (hmem->state()) return false; return hmem->skipBlock(n) == n; } - static int SizeExpected; static int SizeRead; static int ReadSizeField(int size) { SizeExpected = size; - SizeRead = hmem->read4b(); + if (!hmem->read4b(SizeRead)) + return -1; if (hmem->state()) return -1; return SizeRead; } - static bool SkipUnusedField(void) { return (SizeExpected < SizeRead) ? 
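Review bot: `SkipPrivateBlock` now checks that `read4b(n)` succeeded but still hands the signed `n` straight to `hmem->skipBlock(n)` without rejecting negative values, and `ReadSizeField` does the same with `SizeRead`, which `SkipUnusedField` later compares against `SizeExpected`. `HMemIODev::skipBlock` only tests `length < pos + size` (its body is cut off further down in this diff), so a negative size from a crafted file appears to pass that test and move `pos` backwards, after which `skipBlock(n) == n` reports success. Suggest `if (!hmem->read4b(n) || n < 0) return false;` at both read sites and `if (!hmem->read4b(SizeRead) || SizeRead < 0) return -1;` in `ReadSizeField`.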
@@ -179,62 +178,93 @@ static bool SkipUnusedField(void) #define HDOFILE_HAS_NEXT 0x01 #define HDOFILE_HAS_CHILD 0x02 -static bool LoadCommonHeader(HWPDrawingObject * hdo, WORD * link_info) +static bool LoadCommonHeader(HWPDrawingObject * hdo, unsigned short * link_info) { uint size, common_size; - if( !hmem ) - return FALSE; - size = hmem->read4b(); + if (!hmem) + return false; + if (!hmem->read4b(size)) + return false; if (hmem->state()) - { - return FALSE; - } + return false; if (size < HDOFILE_COMMON_SIZE) - { - return FALSE; - } + return false; common_size = HDOFILE_COMMON_SIZE; - hdo->type = hmem->read2b(); - *link_info = sal::static_int_cast<WORD>(hmem->read2b()); - hdo->offset.x = hmem->read4b(); - hdo->offset.y = hmem->read4b(); - hdo->extent.w = hmem->read4b(); - hdo->extent.h = hmem->read4b(); - hdo->offset2.x = hmem->read4b(); - hdo->offset2.y = hmem->read4b(); + unsigned short tmp16; + if (!hmem->read2b(tmp16)) + return false; + hdo->type = tmp16; + if (!hmem->read2b(tmp16)) + return false; + *link_info = tmp16; + if (!hmem->read4b(hdo->offset.x)) + return false; + if (!hmem->read4b(hdo->offset.y)) + return false; + if (!hmem->read4b(hdo->extent.w)) + return false; + if (!hmem->read4b(hdo->extent.h)) + return false; + if (!hmem->read4b(hdo->offset2.x)) + return false; + if (!hmem->read4b(hdo->offset2.y)) + return false; if (hmem->state()) - return FALSE; + return false; - hdo->vrect.x = hmem->read4b(); - hdo->vrect.y = hmem->read4b(); - hdo->vrect.w = hmem->read4b(); - hdo->vrect.h = hmem->read4b(); + if (!hmem->read4b(hdo->vrect.x)) + return false; + if (!hmem->read4b(hdo->vrect.y)) + return false; + if (!hmem->read4b(hdo->vrect.w)) + return false; + if (!hmem->read4b(hdo->vrect.h)) + return false; // read bare property 44 bytes - hdo->property.line_pstyle = hmem->read4b(); - hdo->property.line_hstyle = hmem->read4b(); - hdo->property.line_tstyle = hmem->read4b(); - hdo->property.line_color = hmem->read4b(); - hdo->property.line_width = (hunit) 
hmem->read4b(); - hdo->property.fill_color = hmem->read4b(); - hdo->property.pattern_type = hmem->read4b(); - hdo->property.pattern_color = hmem->read4b(); - hdo->property.hmargin = (hunit) hmem->read4b(); - hdo->property.vmargin = (hunit) hmem->read4b(); - hdo->property.flag = hmem->read4b(); -// read ratation property 32 bytes + if (!hmem->read4b(hdo->property.line_pstyle)) + return false; + if (!hmem->read4b(hdo->property.line_hstyle)) + return false; + if (!hmem->read4b(hdo->property.line_tstyle)) + return false; + if (!hmem->read4b(hdo->property.line_color)) + return false; + unsigned int tmp32; + if (!hmem->read4b(tmp32)) + return false; + hdo->property.line_width = static_cast<hunit>(tmp32); + if (!hmem->read4b(hdo->property.fill_color)) + return false; + if (!hmem->read4b(hdo->property.pattern_type)) + return false; + if (!hmem->read4b(hdo->property.pattern_color)) + return false; + if (!hmem->read4b(tmp32)) + return false; + hdo->property.hmargin = static_cast<hunit>(tmp32); + if (!hmem->read4b(tmp32)) + return false; + hdo->property.vmargin = static_cast<hunit>(tmp32); + if (!hmem->read4b(hdo->property.flag)) + return false; +// read rotation property 32 bytes if ((size >= common_size + 32) && (hdo->property.flag & HWPDO_FLAG_ROTATION)) { - hdo->property.rot_originx = hmem->read4b(); - hdo->property.rot_originy = hmem->read4b(); - for (int ii = 0; ii < 3; ii++) + if (!hmem->read4b(hdo->property.rot_originx)) + return false; + if (!hmem->read4b(hdo->property.rot_originy)) + return false; + for (int ii = 0; ii < 3; ++ii) { - hdo->property.parall.pt[ii].x = hmem->read4b(); - hdo->property.parall.pt[ii].y = hmem->read4b(); + if (!hmem->read4b(hdo->property.parall.pt[ii].x)) + return false; + if (!hmem->read4b(hdo->property.parall.pt[ii].y)) + return false; } common_size += 32; } 
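Review bot: `hdo->type = tmp16;` stores the object type without any range check, and the only bound against `HWPDO_NITEMS` visible in this diff is the clamp added later in LoadDrawingObject's cleanup path. If the OBJFUNC_LOAD dispatch that follows LoadCommonHeader (outside this hunk) indexes a table by `hdo->type`, the check belongs here, on the load path, and should fail the object rather than reinterpret it: `if (hdo->type >= HWPDO_NITEMS) return false;` (a negative value is no longer possible now that the source is an `unsigned short`). The `if (hmem->state()) return false;` kept after the `offset2` reads is now mostly redundant with the per-read returns; harmless, but a comment saying which device it still matters for would stop someone deleting it blindly. LoadCommonHeader continues past the end of this hunk.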
@@ -245,13 +275,20 @@ static bool LoadCommonHeader(HWPDrawingObject * hdo, WORD * link_info) if ((size >= common_size + 28) && (hdo->property.flag & HWPDO_FLAG_GRADATION)) { - hdo->property.fromcolor = hmem->read4b(); - hdo->property.tocolor = hmem->read4b(); - hdo->property.gstyle = hmem->read4b(); - hdo->property.angle = hmem->read4b(); - hdo->property.center_x = hmem->read4b(); - hdo->property.center_y = hmem->read4b(); - hdo->property.nstep = hmem->read4b(); + if (!hmem->read4b(hdo->property.fromcolor)) + return false; + if (!hmem->read4b(hdo->property.tocolor)) + return false; + if (!hmem->read4b(hdo->property.gstyle)) + return false; + if (!hmem->read4b(hdo->property.angle)) + return false; + if (!hmem->read4b(hdo->property.center_x)) + return false; + if (!hmem->read4b(hdo->property.center_y)) + return false; + if (!hmem->read4b(hdo->property.nstep)) + return false; common_size += 28; } 
@@ -259,54 +296,67 @@ static bool LoadCommonHeader(HWPDrawingObject * hdo, WORD * link_info) if ((size >= common_size + 278) && \ (hdo->property.flag & HWPDO_FLAG_BITMAP)) { - hdo->property.offset1.x = hmem->read4b(); - hdo->property.offset1.y = hmem->read4b(); - hdo->property.offset2.x = hmem->read4b(); - hdo->property.offset2.y = hmem->read4b(); + if (!hmem->read4b(hdo->property.offset1.x)) + return false; + if (!hmem->read4b(hdo->property.offset1.y)) + return false; + if (!hmem->read4b(hdo->property.offset2.x)) + return false; + if (!hmem->read4b(hdo->property.offset2.y)) + return false; if (!hmem->readBlock(hdo->property.szPatternFile, 261)) - return FALSE; - hdo->property.pictype = sal::static_int_cast<char>(hmem->read1b()); + return false; + if (!hmem->read1b(hdo->property.pictype)) + return false; common_size += 278; } if( ( size >= common_size + 3 ) && ( hdo->property.flag & HWPDO_FLAG_WATERMARK ) ) //if( ( size >= common_size ) && ( hdo->property.flag >> 20 & 0x01 ) ) { - if( size - common_size >= 5 ) - hmem->skipBlock( 2 ); - hdo->property.luminance = hmem->read1b(); - hdo->property.contrast = hmem->read1b(); - hdo->property.greyscale = hmem->read1b(); - common_size += 5; - } - else{ - hdo->property.luminance = 0; - hdo->property.contrast = 0; - hdo->property.greyscale = 0; + if (size - common_size >= 5) + hmem->skipBlock(2); + unsigned char tmp8; + if (!hmem->read1b(tmp8)) + return false; + hdo->property.luminance = tmp8; + if (!hmem->read1b(tmp8)) + return false; + hdo->property.contrast = tmp8; + if (!hmem->read1b(tmp8)) + return false; + hdo->property.greyscale = tmp8; + + common_size += 5; + } + else + { + hdo->property.luminance = 0; + hdo->property.contrast = 0; + hdo->property.greyscale = 0; } - hdo->property.pPara = 0L; + hdo->property.pPara = 0L; - if( ( size > common_size ) && (hdo->property.flag & HWPDO_FLAG_AS_TEXTBOX) ) - { - hmem->skipBlock(8); - hdo->property.pPara = LoadParaList(); - if( hdo->property.pPara ) - return TRUE; - else - 
return FALSE; + if( ( size > common_size ) && (hdo->property.flag & HWPDO_FLAG_AS_TEXTBOX) ) + { + hmem->skipBlock(8); + hdo->property.pPara = LoadParaList(); + if( hdo->property.pPara ) + return true; + else + return false; } - if( size <= common_size ) - return TRUE; + if (size <= common_size) + return true; return hmem->skipBlock(size - common_size ) != 0; } - static HWPDrawingObject *LoadDrawingObject(void) { HWPDrawingObject *hdo, *head, *prev; int res; - WORD link_info; + unsigned short link_info; head = prev = NULL; do @@ -365,6 +415,11 @@ static HWPDrawingObject *LoadDrawingObject(void) if (hdo != NULL) { + if (hdo->type < 0 || hdo->type >= HWPDO_NITEMS) + { + hdo->type = HWPDO_RECT; + } + HWPDOFunc(hdo, OBJFUNC_FREE, NULL, 0); delete hdo; } @@ -380,17 +435,25 @@ static HWPDrawingObject *LoadDrawingObject(void) static bool LoadDrawingObjectBlock(Picture * pic) { - int size = hmem->read4b(); + int size; + if (!hmem->read4b(size)) + return false; if (hmem->state() || size < HDOFILE_HEADER_SIZE) return false; - pic->picinfo.picdraw.zorder = hmem->read4b(); - pic->picinfo.picdraw.mbrcnt = hmem->read4b(); - pic->picinfo.picdraw.vrect.x = hmem->read4b(); - pic->picinfo.picdraw.vrect.y = hmem->read4b(); - pic->picinfo.picdraw.vrect.w = hmem->read4b(); - pic->picinfo.picdraw.vrect.h = hmem->read4b(); + if (!hmem->read4b(pic->picinfo.picdraw.zorder)) + return false; + if (!hmem->read4b(pic->picinfo.picdraw.mbrcnt)) + return false; + if (!hmem->read4b(pic->picinfo.picdraw.vrect.x)) + return false; + if (!hmem->read4b(pic->picinfo.picdraw.vrect.y)) + return false; + if (!hmem->read4b(pic->picinfo.picdraw.vrect.w)) + return false; + if (!hmem->read4b(pic->picinfo.picdraw.vrect.h)) + return false; if (size > HDOFILE_HEADER_SIZE && !hmem->skipBlock(size - HDOFILE_HEADER_SIZE)) 
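Review bot: The two `hmem->skipBlock(2)` and `hmem->skipBlock(8)` calls in the watermark and text-box branches still ignore their result, while every neighbouring read in this function now returns on failure; on a truncated object `pos` is left short and the following `read1b` calls or `LoadParaList()` parse the wrong bytes. Suggest mirroring the function's own tail: `if (size - common_size >= 5 && !hmem->skipBlock(2)) return false;` and `if (!hmem->skipBlock(8)) return false;`. Note also that `common_size += 5` is applied even when the 2-byte skip was not performed (the `size - common_size` is 3 or 4 case), so the accounting for the final `skipBlock(size - common_size)` is off by two in that case; a comment or folding the skip into the same accounting would make the intent explicit. LoadCommonHeader begins outside this hunk.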
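Review bot: The new clamp of `hdo->type` to `HWPDO_RECT` sits only on the cleanup path immediately before `HWPDOFunc(hdo, OBJFUNC_FREE, NULL, 0)`; if the OBJFUNC_LOAD dispatch earlier in this loop (outside the hunk) also selects a handler by `hdo->type`, an out-of-range type has already been dispatched by the time this guard runs, so the bounds check should be applied once, right after LoadCommonHeader, and reject the object instead of silently rewriting it. `hdo->type < 0` is unreachable now that LoadCommonHeader assigns it from an `unsigned short`, so `if (hdo->type >= HWPDO_NITEMS)` is sufficient. A one-line comment such as `// never dispatch FREE through an out-of-range type` would document why the clamp exists. LoadDrawingObject starts and ends outside this hunk.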
@@ -402,9 +465,7 @@ static bool LoadDrawingObjectBlock(Picture * pic) return true; } - // object manipulation function - static int HWPDODefaultFunc(int , HWPDrawingObject * , int cmd, void *, int) { @@ -413,7 +474,6 @@ HWPDODefaultFunc(int , HWPDrawingObject * , int cmd, void *, int) return OBJRET_FILE_OK; } - static int HWPDOLineFunc(int type, HWPDrawingObject * hdo, int cmd, void *argp, int argv) { @@ -423,7 +483,8 @@ HWPDOLineFunc(int type, HWPDrawingObject * hdo, int cmd, void *argp, int argv) case OBJFUNC_LOAD: if (ReadSizeField(4) < 4) return OBJRET_FILE_ERROR; - hdo->u.line_arc.flip = hmem->read4b(); + if (!hmem->read4b(hdo->u.line_arc.flip)) + return OBJRET_FILE_ERROR; if (hmem->state()) return OBJRET_FILE_ERROR; if (!SkipUnusedField()) @@ -466,11 +527,14 @@ int cmd, void *argp, int argv) case OBJFUNC_LOAD: if (ReadSizeField(16) < 16) return OBJRET_FILE_ERROR; - hdo->u.arc.radial[0].x = hmem->read4b(); - hdo->u.arc.radial[0].y = hmem->read4b(); - hdo->u.arc.radial[1].x = hmem->read4b(); - hdo->u.arc.radial[1].y = hmem->read4b(); - + if (!hmem->read4b(hdo->u.arc.radial[0].x)) + return OBJRET_FILE_ERROR; + if (!hmem->read4b(hdo->u.arc.radial[0].y)) + return OBJRET_FILE_ERROR; + if (!hmem->read4b(hdo->u.arc.radial[1].x)) + return OBJRET_FILE_ERROR; + if (!hmem->read4b(hdo->u.arc.radial[1].y)) + return OBJRET_FILE_ERROR; if (ReadSizeField(0) < 0) return OBJRET_FILE_ERROR; break; @@ -491,7 +555,8 @@ HWPDOArcFunc(int type, HWPDrawingObject * hdo, int cmd, void *argp, int argv) case OBJFUNC_LOAD: if (ReadSizeField(4) < 4) return OBJRET_FILE_ERROR; - hdo->u.line_arc.flip = hmem->read4b(); + if (!hmem->read4b(hdo->u.line_arc.flip)) + return OBJRET_FILE_ERROR; if (hmem->state()) return OBJRET_FILE_ERROR; if (!SkipUnusedField()) 
@@ -532,7 +597,8 @@ int cmd, void *argp, int argv) hdo->u.freeform.pt = 0; if (ReadSizeField(4) < 4) return OBJRET_FILE_ERROR; - hdo->u.freeform.npt = hmem->read4b(); + if (!hmem->read4b(hdo->u.freeform.npt)) + return OBJRET_FILE_ERROR; if (hmem->state()) return OBJRET_FILE_ERROR; if (!SkipUnusedField()) @@ -551,11 +617,16 @@ int cmd, void *argp, int argv) hdo->u.freeform.npt = 0; return OBJRET_FILE_ERROR; } - for (int ii = 0; ii < hdo->u.freeform.npt; ii++) + for (int ii = 0; ii < hdo->u.freeform.npt; ++ii) { - hdo->u.freeform.pt[ii].x = hmem->read4b(); - hdo->u.freeform.pt[ii].y = hmem->read4b(); + bool bFailure = false; + if (!hmem->read4b(hdo->u.freeform.pt[ii].x)) + bFailure = true; + if (!hmem->read4b(hdo->u.freeform.pt[ii].y)) + bFailure = true; if (hmem->state()) + bFailure = true; + if (bFailure) { delete[]hdo->u.freeform.pt; hdo->u.freeform.npt = 0; diff --git a/hwpfilter/source/hbox.h b/hwpfilter/source/hbox.h index cde006b..ff449a3 100644 --- a/hwpfilter/source/hbox.h +++ b/hwpfilter/source/hbox.h @@ -71,7 +71,7 @@ struct HBox */ struct SkipData: public HBox { - ulong data_block_len; + uint data_block_len; hchar dummy; char *data_block; @@ -631,7 +631,7 @@ struct Picture: public FBox * follow_block_size is the size information of the Drawing object of hwp. * It's value is greater than 0 if the pictype is PICTYPE_DRAW. */ - ulong follow_block_size; /* ì¶ê°ì ë³´ 길ì´. */ + uint follow_block_size; /* ì¶ê°ì ë³´ 길ì´. */ short dummy1; // to not change structure size */ short dummy2; // to not change structure size */ uchar reserved1; diff --git a/hwpfilter/source/hinfo.cxx b/hwpfilter/source/hinfo.cxx index 98f66a5..ee7654d 100644 --- a/hwpfilter/source/hinfo.cxx +++ b/hwpfilter/source/hinfo.cxx 
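Review bot: `hdo->u.freeform.npt` is read as a signed `int` with no sign check, and the allocation of `hdo->u.freeform.pt` plus the loop bound over `npt` live between this hunk and the next, so unless that stretch rejects `npt < 0` (it is not visible here) a negative count reaches the allocation. Suggest `if (!hmem->read4b(hdo->u.freeform.npt) || hdo->u.freeform.npt < 0) return OBJRET_FILE_ERROR;`. An upper bound derived from the size field that precedes the point data would also stop an absurdly large count from allocating before the reads fail; whether such a bound already exists cannot be seen from this hunk.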
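Review bot: On the new failure path the loop does `delete[]hdo->u.freeform.pt; hdo->u.freeform.npt = 0;` and the hunk ends there without `pt` being reset; if the line that follows does not set `hdo->u.freeform.pt = 0;` before returning, the `OBJFUNC_FREE` call that LoadDrawingObject makes on error would free the same buffer again. Suggest making the reset explicit here, `hdo->u.freeform.pt = 0;`, regardless of what the caller does. The `bFailure` flag also means a failed `x` read still attempts the `y` read; harmless, but an early `break` after the first failure reads more naturally.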
@@ -85,15 +85,34 @@ bool HWPInfo::Read(HWPFile & hwpf) hwpf.Read1b(&paper.paper_direction, 1); /* ì©ì§ ë°©í¥ */ // paper geometry information - paper.paper_height = (short) hwpf.Read2b(); /* ì©ì§ ê¸¸ì´ */ - paper.paper_width = (short) hwpf.Read2b(); /* ì©ì§ ëë¹ */ - paper.top_margin = (short) hwpf.Read2b(); /* ì쪽 ì¬ë°± */ - paper.bottom_margin = (short) hwpf.Read2b(); /* ìë쪽 ì¬ë°± */ - paper.left_margin = (short) hwpf.Read2b(); /* ì¼ìª½ ì¬ë°± */ - paper.right_margin = (short) hwpf.Read2b(); /* ì¤ë¥¸ìª½ ì¬ë°± */ - paper.header_length = (short) hwpf.Read2b(); /* ë¨¸ë¦¬ë§ ê¸¸ì´ */ - paper.footer_length = (short) hwpf.Read2b(); /* ê¼¬ë¦¬ë§ ê¸¸ì´ */ - paper.gutter_length = (short) hwpf.Read2b(); /* ì 본ì¬ë°± */ + unsigned short tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + paper.paper_height = tmp16; /* ì©ì§ ê¸¸ì´ */ + if (!hwpf.Read2b(tmp16)) + return false; + paper.paper_width = tmp16; /* ì©ì§ ëë¹ */ + if (!hwpf.Read2b(tmp16)) + return false; + paper.top_margin = tmp16; /* ì쪽 ì¬ë°± */ + if (!hwpf.Read2b(tmp16)) + return false; + paper.bottom_margin = tmp16; /* ìë쪽 ì¬ë°± */ + if (!hwpf.Read2b(tmp16)) + return false; + paper.left_margin = tmp16; /* ì¼ìª½ ì¬ë°± */ + if (!hwpf.Read2b(tmp16)) + return false; + paper.right_margin = tmp16; /* ì¤ë¥¸ìª½ ì¬ë°± */ + if (!hwpf.Read2b(tmp16)) + return false; + paper.header_length = tmp16; /* ë¨¸ë¦¬ë§ ê¸¸ì´ */ + if (!hwpf.Read2b(tmp16)) + return false; + paper.footer_length = tmp16; /* ê¼¬ë¦¬ë§ ê¸¸ì´ */ + if (!hwpf.Read2b(tmp16)) + return false; + paper.gutter_length = tmp16; /* ì 본ì¬ë°± */ hwpf.Read2b(&readonly, 1); /* ìì½ */ hwpf.Read1b(reserved1, 4); /* ìì½ */ hwpf.Read1b(&chain_info.chain_page_no, 1); /* 쪽 ë²í¸ ì°ê²° 1-ì°ê²°, 0-ìë¡ìì (ì°ê²°ì¸ììì ì¬ì©) */ 
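Review bot: The paper-geometry reads now return on a short read, but the neighbouring `hwpf.Read1b(&paper.paper_direction, 1)`, `hwpf.Read2b(&readonly, 1)`, `hwpf.Read1b(reserved1, 4)` and `hwpf.Read1b(&chain_info.chain_page_no, 1)` calls still discard the element count they return. The `HStreamIODev::read1b/read2b/read4b` bodies later in this diff report a short read only through their `bool` result and, as far as those hunks show, do not set the device error state, so a reader that ends with `return (!hwpf.State())` (as ParaShape::Read does) would not notice a truncated header. Suggest checking the count on these calls too, e.g. `if (hwpf.Read2b(&readonly, 1) != 1) return false;` and `if (hwpf.Read1b(reserved1, 4) != 4) return false;`. HWPInfo::Read starts and ends outside this hunk.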
@@ -109,14 +128,25 @@ bool HWPInfo::Read(HWPFile & hwpf) // footnote hwpf.Read2b(&beginfnnum,1); /* ê°ì£¼ ììë²í¸ */ hwpf.Read2b(&countfn,1); /* ê°ì£¼ ê°¯ì */ - splinetext = (short) hwpf.Read2b(); - splinefn = (short) hwpf.Read2b(); - spfnfn = (short) hwpf.Read2b(); + + if (!hwpf.Read2b(tmp16)) + return false; + splinetext = tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + splinefn = tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + spfnfn = tmp16; hwpf.Read1b(&fnchar, 1); hwpf.Read1b(&fnlinetype, 1); // border layout for (int ii = 0; ii < 4; ++ii) - bordermargin[ii] = (short) hwpf.Read2b(); + { + if (!hwpf.Read2b(tmp16)) + return false; + bordermargin[ii] = tmp16; + } hwpf.Read2b(&borderline, 1); hwpf.Read1b(&empty_line_hide, 1); @@ -171,12 +201,23 @@ bool HWPSummary::Read(HWPFile & hwpf) bool ParaShape::Read(HWPFile & hwpf) { - pagebreak = 0; - left_margin = (short) hwpf.Read2b(); - right_margin = (short) hwpf.Read2b(); - indent = (short) hwpf.Read2b(); - lspacing = (short) hwpf.Read2b(); - pspacing_next = (short) hwpf.Read2b(); + pagebreak = 0; + unsigned short tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + left_margin = tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + right_margin = tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + indent = tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + lspacing = tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + pspacing_next = tmp16; hwpf.Read1b(&condense, 1); hwpf.Read1b(&arrange_type, 1); 
@@ -184,17 +225,27 @@ bool ParaShape::Read(HWPFile & hwpf) { hwpf.Read1b(&tabs[ii].type, 1); hwpf.Read1b(&tabs[ii].dot_continue, 1); - tabs[ii].position = (short) hwpf.Read2b(); + if (!hwpf.Read2b(tmp16)) + return false; + tabs[ii].position = tmp16; } hwpf.Read1b(&coldef.ncols, 1); hwpf.Read1b(&coldef.separator, 1); - coldef.spacing = (short) hwpf.Read2b(); - coldef.columnlen = (short) hwpf.Read2b(); - coldef.columnlen0 = (short) hwpf.Read2b(); + if (!hwpf.Read2b(tmp16)) + return false; + coldef.spacing = tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + coldef.columnlen = tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + coldef.columnlen0 = tmp16; hwpf.Read1b(&shade, 1); hwpf.Read1b(&outline, 1); hwpf.Read1b(&outline_continue, 1); - pspacing_prev = (short) hwpf.Read2b(); + if (!hwpf.Read2b(tmp16)) + return false; + pspacing_prev = tmp16; hwpf.Read1b(reserved, 2); return (!hwpf.State()); @@ -203,7 +254,10 @@ bool ParaShape::Read(HWPFile & hwpf) bool CharShape::Read(HWPFile & hwpf) { - size = (short) hwpf.Read2b(); + unsigned short tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + size = tmp16; hwpf.Read1b(font, NLanguage); hwpf.Read1b(ratio, NLanguage); hwpf.Read1b(space, NLanguage); diff --git a/hwpfilter/source/hiodev.cxx b/hwpfilter/source/hiodev.cxx index 5de1b5c..af51a9b 100644 --- a/hwpfilter/source/hiodev.cxx +++ b/hwpfilter/source/hiodev.cxx @@ -64,14 +64,14 @@ int HIODev::read1b(void *ptr, int nmemb) return -1; for (ii = 0; ii < nmemb; ii++) { - p[ii] = sal::static_int_cast<uchar>(read1b()); + if (!read1b(p[ii])) + break; if (state()) break; } return ii; } - int HIODev::read2b(void *ptr, int nmemb) { ushort *p = (ushort *) ptr; 
@@ -81,24 +81,25 @@ int HIODev::read2b(void *ptr, int nmemb) return -1; for (ii = 0; ii < nmemb; ii++) { - p[ii] = sal::static_int_cast<uchar>(read2b()); + if (!read2b(p[ii])) + break; if (state()) break; } return ii; } - int HIODev::read4b(void *ptr, int nmemb) { - ulong *p = (ulong *) ptr; + uint *p = (uint *) ptr; int ii; if (state()) return -1; for (ii = 0; ii < nmemb; ii++) { - p[ii] = read4b(); + if (!read4b(p[ii])) + break; if (state()) break; } 
@@ -179,39 +180,57 @@ bool HStreamIODev::setCompressed(bool flag) #define GZREAD(ptr,len) (_gzfp?gz_read(_gzfp,ptr,len):0) -int HStreamIODev::read1b() +bool HStreamIODev::read1b(unsigned char &out) { int res = (compressed) ? GZREAD(rBuf, 1) : _stream.readBytes(rBuf, 1); - if (res <= 0) - return -1; - else - return (unsigned char) rBuf[0]; + if (res < 1) + return false; + + out = (unsigned char)rBuf[0]; + return true; } +bool HStreamIODev::read1b(char &out) +{ + unsigned char tmp8; + if (!read1b(tmp8)) + return false; + out = tmp8; + return true; +} -int HStreamIODev::read2b() +bool HStreamIODev::read2b(unsigned short &out) { int res = (compressed) ? GZREAD(rBuf, 2) : _stream.readBytes(rBuf, 2); - if (res <= 0) - return -1; - else - return ((unsigned char) rBuf[1] << 8 | (unsigned char) rBuf[0]); -} + if (res < 2) + return false; + out = ((unsigned char) rBuf[1] << 8 | (unsigned char) rBuf[0]); + return true; +} -long HStreamIODev::read4b() +bool HStreamIODev::read4b(unsigned int &out) { int res = (compressed) ? GZREAD(rBuf, 4) : _stream.readBytes(rBuf, 4); - if (res <= 0) - return -1; - else - return ((unsigned char) rBuf[3] << 24 | (unsigned char) rBuf[2] << 16 | - (unsigned char) rBuf[1] << 8 | (unsigned char) rBuf[0]); + if (res < 4) + return false; + + out = ((unsigned char) rBuf[3] << 24 | (unsigned char) rBuf[2] << 16 | + (unsigned char) rBuf[1] << 8 | (unsigned char) rBuf[0]); + return true; } +bool HStreamIODev::read4b(int &out) +{ + unsigned int tmp32; + if (!read4b(tmp32)) + return false; + out = tmp32; + return true; +} int HStreamIODev::readBlock(void *ptr, int size) { @@ -223,7 +242,6 @@ int HStreamIODev::readBlock(void *ptr, int size) return count; } - int HStreamIODev::skipBlock(int size) { if (compressed){ 
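Review bot: `read2b` and `read4b` now correctly demand the full 2 or 4 bytes where the old `res <= 0` test accepted a partial read and assembled a value from stale `rBuf` bytes, but the short read is reported only through the return value; nothing in this hunk marks the device as failed, so callers that still use the count-returning `read1b(void*, int)` overloads and test `state()` afterwards will not see it. If HIODev has a way to set the error state, call it before each `return false`; if not, the new overloads need a comment stating the contract, e.g. `// Returns true only if all bytes were read; out is untouched on failure and the error state is NOT set - callers must act on a false return.` The same applies to the `HMemIODev` implementations later in this diff.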
@@ -298,36 +316,56 @@ bool HMemIODev::setCompressed(bool ) return false; } - -int HMemIODev::read1b() +bool HMemIODev::read1b(unsigned char &out) { if (pos <= length) - return ptr[pos++]; - else - return 0; + { + out = ptr[pos++]; + return true; + } + return false; } +bool HMemIODev::read1b(char &out) +{ + unsigned char tmp8; + if (!read1b(tmp8)) + return false; + out = tmp8; + return true; +} -int HMemIODev::read2b() +bool HMemIODev::read2b(unsigned short &out) { pos += 2; if (pos <= length) - return ptr[pos - 1] << 8 | ptr[pos - 2]; - else - return 0; + { + out = ptr[pos - 1] << 8 | ptr[pos - 2]; + return true; + } + return false; } - -long HMemIODev::read4b() +bool HMemIODev::read4b(unsigned int &out) { pos += 4; if (pos <= length) - return DWORD(ptr[pos - 1] << 24 | ptr[pos - 2] << 16 | - ptr[pos - 3] << 8 | ptr[pos - 4]); - else - return 0; + { + out = static_cast<unsigned int>(ptr[pos - 1] << 24 | ptr[pos - 2] << 16 | + ptr[pos - 3] << 8 | ptr[pos - 4]); + return true; + } + return false; } +bool HMemIODev::read4b(int &out) +{ + unsigned int tmp32; + if (!read4b(tmp32)) + return false; + out = tmp32; + return true; +} int HMemIODev::readBlock(void *p, int size) { @@ -338,7 +376,6 @@ int HMemIODev::readBlock(void *p, int size) return size; } - int HMemIODev::skipBlock(int size) { if (length < pos + size) diff --git a/hwpfilter/source/hiodev.h b/hwpfilter/source/hiodev.h index ac0ded7..e71eb47 100644 --- a/hwpfilter/source/hiodev.h +++ b/hwpfilter/source/hiodev.h @@ -46,9 +46,11 @@ class DLLEXPORT HIODev /* gzip routine wrapper */ virtual bool setCompressed( bool ) = 0; - virtual int read1b() = 0; - virtual int read2b() = 0; - virtual long read4b() = 0; + virtual bool read1b(unsigned char &out) = 0; + virtual bool read1b(char &out) = 0; + virtual bool read2b(unsigned short &out) = 0; + virtual bool read4b(unsigned int &out) = 0; + virtual bool read4b(int &out) = 0; virtual int readBlock( void *ptr, int size ) = 0; virtual int skipBlock( int size ) = 0; 
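Review bot: `HMemIODev::read1b` keeps the old `if (pos <= length)` test and then reads `ptr[pos++]`, so with `pos == length` it returns the byte one past the buffer, whereas `read2b`/`read4b` advance `pos` first and then compare with `length`, which keeps every index below `length`, and `readBlock`/`skipBlock` likewise reject `length < pos + size`. The condition should be `if (pos < length)`. Separately, if `ptr` is an unsigned char pointer (its declaration is outside this hunk), `ptr[pos - 1] << 24` promotes to `int` before shifting and overflows for bytes >= 0x80; casting first, `static_cast<unsigned int>(ptr[pos - 1]) << 24`, avoids the undefined behaviour.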
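Review bot: The new `read1b`/`read2b`/`read4b(T &out)` pure virtuals in HIODev carry no description of the contract the callers in this commit rely on: `true` only when every byte was read, and `out` left untouched on failure, which is how both implementations in hiodev.cxx behave. Suggest a comment above the group, `/* Read 1/2/4 little-endian bytes into out. Return false, leaving out unchanged, if fewer bytes were available; a short read does not by itself set the error state, so the result must be checked. */`, and a note on the `void*, nmemb` overloads that they return the element count, which may be smaller than requested. The enclosing class declaration starts outside this hunk.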
@@ -59,7 +61,7 @@ class DLLEXPORT HIODev struct gz_stream; -/* ÆÄÀÏ ÀÔÃâ·Â ÀåÄ¡ */ +/* ç£æ èçªå¾ èå¸ */ /** * This controls the HStream given by constructor @@ -68,7 +70,7 @@ struct gz_stream; class HStreamIODev : public HIODev { private: -/* zlibÀ¸·Î ¾ÐÃàÀ» Ç®±â À§ÇÑ ÀÚ·á ±¸Á¶ */ +/* zlibç稽 ç¬éè ç±å¥ æ¯å» åæ å§¥ç¹ */ gz_stream *_gzfp; HStream& _stream; public: @@ -98,17 +100,19 @@ class HStreamIODev : public HIODev * Read one byte from stream */ using HIODev::read1b; - virtual int read1b(); + virtual bool read1b(unsigned char &out); + virtual bool read1b(char &out); /** * Read 2 bytes from stream */ using HIODev::read2b; - virtual int read2b(); + virtual bool read2b(unsigned short &out); /** * Read 4 bytes from stream */ using HIODev::read4b; - virtual long read4b(); + virtual bool read4b(unsigned int &out); + virtual bool read4b(int &out); /** * Read some bytes from stream to given pointer as amount of size */ @@ -124,7 +128,7 @@ class HStreamIODev : public HIODev virtual void init(); }; -/* ¸Þ¸ð¸® ÀÔÃâ·Â ÀåÄ¡ */ +/* äºä¹è» èçªå¾ èå¸ */ /** * The HMemIODev class controls the Input/Output device. * @short Memory IO device @@ -144,16 +148,18 @@ class HMemIODev : public HIODev /* gzip routine wrapper */ virtual bool setCompressed( bool ); using HIODev::read1b; - virtual int read1b(); + virtual bool read1b(unsigned char &out); + virtual bool read1b(char &out); using HIODev::read2b; - virtual int read2b(); + virtual bool read2b(unsigned short &out); using HIODev::read4b; - virtual long read4b(); + virtual bool read4b(unsigned int &out); + virtual bool read4b(int &out); virtual int readBlock( void *ptr, int size ); virtual int skipBlock( int size ); protected: virtual void init(); }; -#endif /* _HIODEV_H_*/ +#endif // INCLUDED_HWPFILTER_SOURCE_HIODEV_H /* vim:set shiftwidth=4 softtabstop=4 expandtab: */ diff --git a/hwpfilter/source/hpara.cxx b/hwpfilter/source/hpara.cxx index bc17e0c..66abf78 100644 --- a/hwpfilter/source/hpara.cxx +++ b/hwpfilter/source/hpara.cxx 
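Review bot: The replacement comment `/* ç£æ èçªå¾ èå¸ */` is still mojibake: the old bytes read as EUC-KR are approximately "file I/O device", and the new bytes look like that text transcoded again rather than fixed; the same happens in the `@@ -124,7 +128,7 @@` hunk, whose old text reads approximately "memory I/O device". Since the surrounding doc comments in this header are English, suggest `/* file I/O device */` and `/* memory I/O device */`, which also matches the existing `@short Memory IO device` line.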
@@ -31,14 +31,28 @@ bool LineInfo::Read(HWPFile & hwpf, HWPPara *pPara) { - pos = sal::static_int_cast<unsigned short>(hwpf.Read2b()); - space_width = (short) hwpf.Read2b(); - height = (short) hwpf.Read2b(); + if (!hwpf.Read2b(pos)) + return false; + unsigned short tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + space_width = tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + height = tmp16; // internal information - pgy = (short) hwpf.Read2b(); - sx = (short) hwpf.Read2b(); - psx = (short) hwpf.Read2b(); - pex = (short) hwpf.Read2b(); + if (!hwpf.Read2b(tmp16)) + return false; + pgy = tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + sx = tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + psx = tmp16; + if (!hwpf.Read2b(tmp16)) + return false; + pex = tmp16; height_sp = 0; if( pex >> 15 & 0x01 ) @@ -210,7 +224,10 @@ ParaShape *HWPPara::GetParaShape(void) HBox *HWPPara::readHBox(HWPFile & hwpf) { - hchar hh = sal::static_int_cast<hchar>(hwpf.Read2b()); + hchar hh; + if (!hwpf.Read2b(hh)) + return 0; + HBox *hbox = 0; if (hwpf.State() != HWP_NoError) ... etc. - the rest is truncated