[Libreoffice-commits] core.git: Branch 'distro/collabora/cp-4.2' - 56 commits - download.lst external/openssl hwpfilter/source
Andras Timar
andras.timar at collabora.com
Fri Mar 20 05:51:14 PDT 2015
download.lst | 2
external/openssl/CVE-2010-5298.patch | 21 -
external/openssl/CVE-2013-4353.patch | 21 -
external/openssl/CVE-2013-6449.patch | 111 ------
external/openssl/CVE-2013-6450.patch | 85 -----
external/openssl/CVE-2014-0160.patch | 108 ------
external/openssl/CVE-2014-0195.patch | 36 --
external/openssl/CVE-2014-0198.patch | 33 -
external/openssl/CVE-2014-0221.patch | 34 --
external/openssl/CVE-2014-0224.patch | 88 -----
external/openssl/CVE-2014-3470.patch | 26 -
external/openssl/CVE-2014-3505.patch | 52 ---
external/openssl/CVE-2014-3506.patch | 87 -----
external/openssl/CVE-2014-3507.patch | 53 ---
external/openssl/CVE-2014-3508.patch | 138 --------
external/openssl/CVE-2014-3509.patch | 45 --
external/openssl/CVE-2014-3510.patch | 86 -----
external/openssl/CVE-2014-3511.patch | 85 -----
external/openssl/CVE-2014-3513.patch | 186 -----------
external/openssl/CVE-2014-3566.patch | 466 ----------------------------
external/openssl/CVE-2014-3567.patch | 14
external/openssl/UnpackedTarball_openssl.mk | 20 -
hwpfilter/source/attributes.cxx | 1
hwpfilter/source/cspline.cxx | 3
hwpfilter/source/drawdef.h | 18 -
hwpfilter/source/drawing.h | 297 ++++++++++-------
hwpfilter/source/fontmap.cxx | 2
hwpfilter/source/fontmap.hxx | 29 +
hwpfilter/source/formula.cxx | 16
hwpfilter/source/grammar.cxx | 10
hwpfilter/source/grammar.hxx | 31 +
hwpfilter/source/hbox.cxx | 162 ++++++---
hwpfilter/source/hbox.h | 109 +++---
hwpfilter/source/hcode.cxx | 62 +--
hwpfilter/source/hgzip.cxx | 2
hwpfilter/source/hinfo.cxx | 171 +++++++---
hwpfilter/source/hinfo.h | 60 ++-
hwpfilter/source/hiodev.cxx | 117 ++++---
hwpfilter/source/hiodev.h | 32 +
hwpfilter/source/hpara.cxx | 69 ++--
hwpfilter/source/hpara.h | 2
hwpfilter/source/htags.cxx | 8
hwpfilter/source/htags.h | 6
hwpfilter/source/hutil.cxx | 1
hwpfilter/source/hwpeq.cxx | 31 -
hwpfilter/source/hwpfile.cxx | 102 +++---
hwpfilter/source/hwpfile.h | 14
hwpfilter/source/hwplib.h | 11
hwpfilter/source/hwpread.cxx | 312 ++++++++++--------
hwpfilter/source/hwpreader.cxx | 91 ++---
hwpfilter/source/hwpreader.hxx | 8
hwpfilter/source/lexer.cxx | 18 -
hwpfilter/source/lexer.hxx | 29 +
hwpfilter/source/list.hxx | 6
hwpfilter/source/mzstring.cxx | 2
hwpfilter/source/mzstring.h | 4
56 files changed, 1135 insertions(+), 2498 deletions(-)
New commits:
commit 683b30bcd6fcb2c99ad7361ed7afa52517707962
Author: Andras Timar <andras.timar at collabora.com>
Date: Fri Mar 20 13:50:34 2015 +0100
bump to openssl-1.0.1m
Change-Id: I3152e33f726aab1596adc99e512c156161dc31ca
diff --git a/download.lst b/download.lst
index 3255674..69031e8 100644
--- a/download.lst
+++ b/download.lst
@@ -98,7 +98,7 @@ export MYTHES_TARBALL := 46e92b68e31e858512b680b3b61dc4c1-mythes-1.2.3.tar.gz
export NEON_TARBALL := ff369e69ef0f0143beb5626164e87ae2-neon-0.29.5.tar.gz
export NSS_TARBALL := b279551b7638d0e36d1199548124c247-nss-3.16.5-with-nspr-4.10.6.tar.gz
export OPENLDAP_TARBALL := 804c6cb5698db30b75ad0ff1c25baefd-openldap-2.4.31.tgz
-export OPENSSL_TARBALL := 66bf6f10f060d561929de96f9dfe5b8c-openssl-1.0.1e.tar.gz
+export OPENSSL_TARBALL := d143d1555d842a069cb7cc34ba745a06-openssl-1.0.1m.tar.gz
export ORCUS_TARBALL := ea2acaf140ae40a87a952caa75184f4d-liborcus-0.5.1.tar.bz2
export PIXMAN_TARBALL := c63f411b3ad147db2bcce1bf262a0e02-pixman-0.24.4.tar.bz2
export PNG_TARBALL := 9e5d864bce8f06751bbd99962ecf4aad-libpng-1.5.10.tar.gz
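Review bot: The new `OPENSSL_TARBALL` value is pinned only by the 32-hex-digit prefix in the file name, which looks like an MD5 digest. MD5 is not collision-resistant, so by itself it is a weak integrity check for a crypto library tarball. I would verify the 1.0.1m archive against the upstream OpenSSL signature or SHA-256 before it is mirrored, and record that in the commit message, e.g. `tarball verified against upstream signature, sha256 <SHA256_PLACEHOLDER>`. This bump is also the only justification for deleting the backported `CVE-*.patch` files in the same commit, so the message should state that every removed fix is contained in 1.0.1m. The matching patch-list change in `external/openssl/UnpackedTarball_openssl.mk` is listed in the diffstat but is not visible in this part of the page.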
diff --git a/external/openssl/CVE-2010-5298.patch b/external/openssl/CVE-2010-5298.patch
deleted file mode 100644
index 55251b3..0000000
--- a/external/openssl/CVE-2010-5298.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From: Ben Laurie <ben at links.org>
-Date: Wed, 23 Apr 2014 06:24:03 +0000 (+0100)
-Subject: Fix use after free.
-X-Git-Url: https://git.openssl.org/gitweb/b/?p=openssl.git;a=commitdiff_plain;h=94d1f4b
-
-Fix use after free.
----
-
-diff --git a/a/ssl/s3_pkt.c b/b/ssl/s3_pkt.c
-index b9e45c7..d601a18 100644
---- a/a/ssl/s3_pkt.c
-+++ b/b/ssl/s3_pkt.c
-@@ -1334,7 +1334,7 @@ start:
- {
- s->rstate=SSL_ST_READ_HEADER;
- rr->off=0;
-- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
-+ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
- ssl3_release_read_buffer(s);
- }
- }
diff --git a/external/openssl/CVE-2013-4353.patch b/external/openssl/CVE-2013-4353.patch
deleted file mode 100644
index be7cf4c..0000000
--- a/external/openssl/CVE-2013-4353.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Fix for TLS record tampering bug. A carefully crafted invalid
-handshake could crash OpenSSL with a NULL pointer exception.
-Thanks to Anton Johansson for reporting this issues.
-(CVE-2013-4353)
-diff --git a/a/ssl/s3_both.c b/b/ssl/s3_both.c
-index 1e5dcab..53b9390 100644
---- a/a/ssl/s3_both.c
-+++ b/b/ssl/s3_both.c
-@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s)
- {
- const char *sender;
- int slen;
--
-+ /* If no new cipher setup return immediately: other functions will
-+ * set the appropriate error.
-+ */
-+ if (s->s3->tmp.new_cipher == NULL)
-+ return;
- if (s->state & SSL_ST_CONNECT)
- {
- sender=s->method->ssl3_enc->server_finished_label;
diff --git a/external/openssl/CVE-2013-6449.patch b/external/openssl/CVE-2013-6449.patch
deleted file mode 100644
index 3da0646..0000000
--- a/external/openssl/CVE-2013-6449.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-Use version in SSL_METHOD not SSL structure.
-
-When deciding whether to use TLS 1.2 PRF and record hash algorithms
-use the version number in the corresponding SSL_METHOD structure
-instead of the SSL structure. The SSL structure version is sometimes
-inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
-(CVE-2013-6449)
-
-Also preventively check EVP errors for handshake digests.
-
-diff --git a/a/ssl/s3_lib.c b/b/ssl/s3_lib.c
-index bf832bb..c4ef273 100644
---- a/a/ssl/s3_lib.c
-+++ b/b/ssl/s3_lib.c
-@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
- long ssl_get_algorithm2(SSL *s)
- {
- long alg2 = s->s3->tmp.new_cipher->algorithm2;
-- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
-+ if (s->method->version == TLS1_2_VERSION &&
- alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
- return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
- return alg2;
-diff --git a/a/ssl/s3_both.c b/b/ssl/s3_both.c
-index ead01c8..1e5dcab 100644
---- a/a/ssl/s3_both.c
-+++ b/b/ssl/s3_both.c
-@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
-
- i=s->method->ssl3_enc->final_finish_mac(s,
- sender,slen,s->s3->tmp.finish_md);
-+ if (i == 0)
-+ return 0;
- s->s3->tmp.finish_md_len = i;
- memcpy(p, s->s3->tmp.finish_md, i);
- p+=i;
-diff --git a/a/ssl/s3_pkt.c b/b/ssl/s3_pkt.c
-index 804291e..c4bc4e7 100644
---- a/a/ssl/s3_pkt.c
-+++ b/b/ssl/s3_pkt.c
-@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
- if (version != s->version)
- {
- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-- if ((s->version & 0xFF00) == (version & 0xFF00))
-+ if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
- /* Send back error using their minor version number :-) */
- s->version = (unsigned short)version;
- al=SSL_AD_PROTOCOL_VERSION;
-@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
- slen=s->method->ssl3_enc->client_finished_label_len;
- }
-
-- s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
-+ i = s->method->ssl3_enc->final_finish_mac(s,
- sender,slen,s->s3->tmp.peer_finish_md);
-+ if (i == 0)
-+ {
-+ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+ s->s3->tmp.peer_finish_md_len = i;
-
- return(1);
- }
-diff --git a/a/ssl/s3_srvr.c b/b/ssl/s3_srvr.c
-index e5a8b3f..52efed3 100644
---- a/a/ssl/s3_srvr.c
-+++ b/b/ssl/s3_srvr.c
-@@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s)
- (s->version != DTLS1_VERSION && s->client_version < s->version))
- {
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
-- if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
-+ if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
-+ !s->enc_write_ctx && !s->write_hash)
- {
- /* similar to ssl3_get_record, send alert using remote version number */
- s->version = s->client_version;
-diff --git a/a/ssl/t1_enc.c b/b/ssl/t1_enc.c
-index 809ad2e..72015f5 100644
---- a/a/ssl/t1_enc.c
-+++ b/b/ssl/t1_enc.c
-@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s,
- if (mask & ssl_get_algorithm2(s))
- {
- int hashsize = EVP_MD_size(md);
-- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
-+ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
-+ if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
- {
- /* internal error: 'buf' is too small for this cipersuite! */
- err = 1;
- }
- else
- {
-- EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
-- EVP_DigestFinal_ex(&ctx,q,&i);
-- if (i != (unsigned int)hashsize) /* can't really happen */
-+ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
-+ !EVP_DigestFinal_ex(&ctx,q,&i) ||
-+ (i != (unsigned int)hashsize))
- err = 1;
-- q+=i;
-+ q+=hashsize;
- }
- }
- }
---
-1.8.3.1
-
diff --git a/external/openssl/CVE-2013-6450.patch b/external/openssl/CVE-2013-6450.patch
deleted file mode 100644
index ba45785..0000000
--- a/external/openssl/CVE-2013-6450.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-Fix DTLS retransmission from previous session.
-
-For DTLS we might need to retransmit messages from the previous session
-so keep a copy of write context in DTLS retransmission buffers instead
-of replacing it after sending CCS. CVE-2013-6450.
-
-diff --git a/a/ssl/d1_both.c b/b/ssl/d1_both.c
-index 65ec001..7a5596a 100644
---- a/a/ssl/d1_both.c
-+++ b/b/ssl/d1_both.c
-@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
- static void
- dtls1_hm_fragment_free(hm_fragment *frag)
- {
-+
-+ if (frag->msg_header.is_ccs)
-+ {
-+ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
-+ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
-+ }
- if (frag->fragment) OPENSSL_free(frag->fragment);
- if (frag->reassembly) OPENSSL_free(frag->reassembly);
- OPENSSL_free(frag);
-diff --git a/a/ssl/ssl_locl.h b/b/ssl/ssl_locl.h
-index 96ce9a7..e485907 100644
---- a/a/ssl/ssl_locl.h
-+++ b/b/ssl/ssl_locl.h
-@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data;
- extern SSL3_ENC_METHOD SSLv3_enc_data;
- extern SSL3_ENC_METHOD DTLSv1_enc_data;
-
-+#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
-+
- #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
- s_get_meth) \
- const SSL_METHOD *func_name(void) \
-diff --git a/a/ssl/t1_enc.c b/b/ssl/t1_enc.c
-index 72015f5..56db834 100644
---- a/a/ssl/t1_enc.c
-+++ b/b/ssl/t1_enc.c
-@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which)
- s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
- else
- s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
-- if (s->enc_write_ctx != NULL)
-+ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
- reuse_dd = 1;
-- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
-+ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
- goto err;
-- else
-- /* make sure it's intialized in case we exit later with an error */
-- EVP_CIPHER_CTX_init(s->enc_write_ctx);
- dd= s->enc_write_ctx;
-- mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
-+ if (SSL_IS_DTLS(s))
-+ {
-+ mac_ctx = EVP_MD_CTX_create();
-+ if (!mac_ctx)
-+ goto err;
-+ s->write_hash = mac_ctx;
-+ }
-+ else
-+ mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
- #ifndef OPENSSL_NO_COMP
- if (s->compress != NULL)
- {
-diff --git a/a/crypto/evp/digest.c b/b/crypto/evp/digest.c
-index 6fc469f..d14e8e4 100644
---- a/a/crypto/evp/digest.c
-+++ b/b/crypto/evp/digest.c
-@@ -366,8 +366,11 @@ int EVP_Digest(const void *data, size_t count,
-
- void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
- {
-- EVP_MD_CTX_cleanup(ctx);
-- OPENSSL_free(ctx);
-+ if (ctx)
-+ {
-+ EVP_MD_CTX_cleanup(ctx);
-+ OPENSSL_free(ctx);
-+ }
- }
-
- /* This call frees resources associated with the context */
diff --git a/external/openssl/CVE-2014-0160.patch b/external/openssl/CVE-2014-0160.patch
deleted file mode 100644
index ddf9d9c..0000000
--- a/external/openssl/CVE-2014-0160.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From: Dr. Stephen Henson <steve at openssl.org>
-Date: Sat, 5 Apr 2014 23:51:06 +0000 (+0100)
-Subject: Add heartbeat extension bounds check.
-X-Git-Tag: OpenSSL_1_0_1g~3
-X-Git-Url: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=96db902
-
-Add heartbeat extension bounds check.
-
-A missing bounds check in the handling of the TLS heartbeat extension
-can be used to reveal up to 64k of memory to a connected client or
-server.
-
-Thanks for Neel Mehta of Google Security for discovering this bug and to
-Adam Langley <agl at chromium.org> and Bodo Moeller <bmoeller at acm.org> for
-preparing the fix (CVE-2014-0160)
----
-
-diff --git a/a/ssl/d1_both.c b/ssl/d1_both.c
-index 7a5596a..2e8cf68 100644
---- a/a/ssl/d1_both.c
-+++ a/b/ssl/d1_both.c
-@@ -1459,26 +1459,36 @@ dtls1_process_heartbeat(SSL *s)
- unsigned int payload;
- unsigned int padding = 16; /* Use minimum padding */
-
-- /* Read type and payload length first */
-- hbtype = *p++;
-- n2s(p, payload);
-- pl = p;
--
- if (s->msg_callback)
- s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
- &s->s3->rrec.data[0], s->s3->rrec.length,
- s, s->msg_callback_arg);
-
-+ /* Read type and payload length first */
-+ if (1 + 2 + 16 > s->s3->rrec.length)
-+ return 0; /* silently discard */
-+ hbtype = *p++;
-+ n2s(p, payload);
-+ if (1 + 2 + payload + 16 > s->s3->rrec.length)
-+ return 0; /* silently discard per RFC 6520 sec. 4 */
-+ pl = p;
-+
- if (hbtype == TLS1_HB_REQUEST)
- {
- unsigned char *buffer, *bp;
-+ unsigned int write_length = 1 /* heartbeat type */ +
-+ 2 /* heartbeat length */ +
-+ payload + padding;
- int r;
-
-+ if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
-+ return 0;
-+
- /* Allocate memory for the response, size is 1 byte
- * message type, plus 2 bytes payload length, plus
- * payload, plus padding
- */
-- buffer = OPENSSL_malloc(1 + 2 + payload + padding);
-+ buffer = OPENSSL_malloc(write_length);
- bp = buffer;
-
- /* Enter response type, length and copy payload */
-@@ -1489,11 +1499,11 @@ dtls1_process_heartbeat(SSL *s)
- /* Random padding */
- RAND_pseudo_bytes(bp, padding);
-
-- r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
-+ r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
-
- if (r >= 0 && s->msg_callback)
- s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-- buffer, 3 + payload + padding,
-+ buffer, write_length,
- s, s->msg_callback_arg);
-
- OPENSSL_free(buffer);
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index b82fada..bddffd9 100644
---- a/a/ssl/t1_lib.c
-+++ a/b/ssl/t1_lib.c
-@@ -2588,16 +2588,20 @@ tls1_process_heartbeat(SSL *s)
- unsigned int payload;
- unsigned int padding = 16; /* Use minimum padding */
-
-- /* Read type and payload length first */
-- hbtype = *p++;
-- n2s(p, payload);
-- pl = p;
--
- if (s->msg_callback)
- s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
- &s->s3->rrec.data[0], s->s3->rrec.length,
- s, s->msg_callback_arg);
-
-+ /* Read type and payload length first */
-+ if (1 + 2 + 16 > s->s3->rrec.length)
-+ return 0; /* silently discard */
-+ hbtype = *p++;
-+ n2s(p, payload);
-+ if (1 + 2 + payload + 16 > s->s3->rrec.length)
-+ return 0; /* silently discard per RFC 6520 sec. 4 */
-+ pl = p;
-+
- if (hbtype == TLS1_HB_REQUEST)
- {
- unsigned char *buffer, *bp;
diff --git a/external/openssl/CVE-2014-0195.patch b/external/openssl/CVE-2014-0195.patch
deleted file mode 100644
index d9aaa83..0000000
--- a/external/openssl/CVE-2014-0195.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-commit 208d54db20d58c9a5e45e856a0650caadd7d9612
-Author: Dr. Stephen Henson <steve at openssl.org>
-Date: Tue May 13 18:48:31 2014 +0100
-
- Fix for CVE-2014-0195
-
- A buffer overrun attack can be triggered by sending invalid DTLS fragments
- to an OpenSSL DTLS client or server. This is potentially exploitable to
- run arbitrary code on a vulnerable client or server.
-
- Fixed by adding consistency check for DTLS fragments.
-
- Thanks to Jüri Aedla for reporting this issue.
-
-diff --git a/a/ssl/d1_both.c b/b/ssl/d1_both.c
-index 2e8cf68..07f67f8 100644
---- a/a/ssl/d1_both.c
-+++ b/b/ssl/d1_both.c
-@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- frag->msg_header.frag_off = 0;
- }
- else
-+ {
- frag = (hm_fragment*) item->data;
-+ if (frag->msg_header.msg_len != msg_hdr->msg_len)
-+ {
-+ item = NULL;
-+ frag = NULL;
-+ goto err;
-+ }
-+ }
-+
-
- /* If message is already reassembled, this must be a
- * retransmit and can be dropped.
-
diff --git a/external/openssl/CVE-2014-0198.patch b/external/openssl/CVE-2014-0198.patch
deleted file mode 100644
index 0cffb79..0000000
--- a/external/openssl/CVE-2014-0198.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Matt Caswell <matt at openssl.org>
-Date: Sun, 11 May 2014 23:38:37 +0000 (+0100)
-Subject: Fixed NULL pointer dereference. See PR#3321
-X-Git-Url: https://git.openssl.org/gitweb/b/?p=openssl.git;a=commitdiff_plain;h=b107586
-
-Fixed NULL pointer dereference. See PR#3321
----
-
-diff --git a/a/ssl/s3_pkt.c b/b/ssl/s3_pkt.c
-index 40eb0dd..d961d12 100644
---- a/a/ssl/s3_pkt.c
-+++ b/b/ssl/s3_pkt.c
-@@ -657,9 +657,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
- SSL3_BUFFER *wb=&(s->s3->wbuf);
- SSL_SESSION *sess;
-
-- if (wb->buf == NULL)
-- if (!ssl3_setup_write_buffer(s))
-- return -1;
-
- /* first check if there is a SSL3_BUFFER still being written
- * out. This will happen with non blocking IO */
-@@ -675,6 +672,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
- /* if it went, fall through and send more stuff */
- }
-
-+ if (wb->buf == NULL)
-+ if (!ssl3_setup_write_buffer(s))
-+ return -1;
-+
- if (len == 0 && !create_empty_fragment)
- return 0;
-
diff --git a/external/openssl/CVE-2014-0221.patch b/external/openssl/CVE-2014-0221.patch
deleted file mode 100644
index 68186f7..0000000
--- a/external/openssl/CVE-2014-0221.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-commit d30e582446b027868cdabd0994681643682045a4
-Author: Dr. Stephen Henson <steve at openssl.org>
-Date: Fri May 16 13:00:45 2014 +0100
-
- Fix CVE-2014-0221
-
- Unnecessary recursion when receiving a DTLS hello request can be used to
- crash a DTLS client. Fixed by handling DTLS hello request without recursion.
-
- Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
-
-diff --git a/a/ssl/d1_both.c b/b/ssl/d1_both.c
-index 07f67f8..4c2fd03 100644
---- a/a/ssl/d1_both.c
-+++ b/b/ssl/d1_both.c
-@@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
- int i,al;
- struct hm_header_st msg_hdr;
-
-+ redo:
- /* see if we have the required fragment already */
- if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
- {
-@@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
- s->msg_callback_arg);
-
- s->init_num = 0;
-- return dtls1_get_message_fragment(s, st1, stn,
-- max, ok);
-+ goto redo;
- }
- else /* Incorrectly formated Hello request */
- {
-
diff --git a/external/openssl/CVE-2014-0224.patch b/external/openssl/CVE-2014-0224.patch
deleted file mode 100644
index 8a7aaa7..0000000
--- a/external/openssl/CVE-2014-0224.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-diff -up openssl-1.0.1e/ssl/ssl3.h.keying-mitm openssl-1.0.1e/ssl/ssl3.h
---- a/a/ssl/ssl3.h.keying-mitm 2014-06-02 19:48:04.518100562 +0200
---- b/b/ssl/ssl3.h 2014-06-02 19:48:04.642103429 +0200
-@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
- #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
- #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
- #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
-+#define SSL3_FLAGS_CCS_OK 0x0080
-
- /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
- * restart a handshake because of MS SGC and so prevents us
-diff -up openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm openssl-1.0.1e/ssl/s3_clnt.c
---- a/a/ssl/s3_clnt.c.keying-mitm 2013-02-11 16:26:04.000000000 +0100
---- b/b/ssl/s3_clnt.c 2014-06-02 19:49:57.042701985 +0200
-@@ -559,6 +559,7 @@ int ssl3_connect(SSL *s)
- case SSL3_ST_CR_FINISHED_A:
- case SSL3_ST_CR_FINISHED_B:
-
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
- SSL3_ST_CR_FINISHED_B);
- if (ret <= 0) goto end;
-@@ -916,6 +917,7 @@ int ssl3_get_server_hello(SSL *s)
- SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
- goto f_err;
- }
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- s->hit=1;
- }
- else /* a miss or crap from the other end */
-diff -up openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm openssl-1.0.1e/ssl/s3_pkt.c
---- a/a/ssl/s3_pkt.c.keying-mitm 2014-06-02 19:48:04.640103383 +0200
---- b/b/ssl/s3_pkt.c 2014-06-02 19:48:04.643103452 +0200
-@@ -1298,6 +1298,15 @@ start:
- goto f_err;
- }
-
-+ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
-+ {
-+ al=SSL_AD_UNEXPECTED_MESSAGE;
-+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
-+ goto f_err;
-+ }
-+
-+ s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
-+
- rr->length=0;
-
- if (s->msg_callback)
-@@ -1432,7 +1441,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
-
- if (s->s3->tmp.key_block == NULL)
- {
-- if (s->session == NULL)
-+ if (s->session == NULL || s->session->master_key_length == 0)
- {
- /* might happen if dtls1_read_bytes() calls this */
- SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
-diff -up openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm openssl-1.0.1e/ssl/s3_srvr.c
---- a/a/ssl/s3_srvr.c.keying-mitm 2014-06-02 19:48:04.630103151 +0200
---- b/b/ssl/s3_srvr.c 2014-06-02 19:48:04.643103452 +0200
-@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
- case SSL3_ST_SR_CERT_VRFY_A:
- case SSL3_ST_SR_CERT_VRFY_B:
-
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- /* we should decide if we expected this one */
- ret=ssl3_get_cert_verify(s);
- if (ret <= 0) goto end;
-@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
-
- case SSL3_ST_SR_FINISHED_A:
- case SSL3_ST_SR_FINISHED_B:
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
- SSL3_ST_SR_FINISHED_B);
- if (ret <= 0) goto end;
-@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
- s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
- #else
- if (s->s3->next_proto_neg_seen)
-+ {
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
-+ }
- else
- s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
- #endif
diff --git a/external/openssl/CVE-2014-3470.patch b/external/openssl/CVE-2014-3470.patch
deleted file mode 100644
index da123ee..0000000
--- a/external/openssl/CVE-2014-3470.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-commit 4ad43d511f6cf064c66eb4bfd0fb0919b5dd8a86
-Author: Dr. Stephen Henson <steve at openssl.org>
-Date: Thu May 29 15:00:05 2014 +0100
-
- Fix CVE-2014-3470
-
- Check session_cert is not NULL before dereferencing it.
-
-diff --git a/a/ssl/s3_clnt.c b/b/ssl/s3_clnt.c
-index d35376d..4324f8d 100644
---- a/a/ssl/s3_clnt.c
-+++ b/b/ssl/s3_clnt.c
-@@ -2511,6 +2511,13 @@ int ssl3_send_client_key_exchange(SSL *s)
- int ecdh_clnt_cert = 0;
- int field_size = 0;
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- /* Did we send out the client's
- * ECDH share for use in premaster
- * computation as part of client certificate?
diff --git a/external/openssl/CVE-2014-3505.patch b/external/openssl/CVE-2014-3505.patch
deleted file mode 100644
index 69284d5..0000000
--- a/external/openssl/CVE-2014-3505.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 2172d4f63c61922487008f42511cc6bdae9b47a0 Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl at imperialviolet.org>
-Date: Fri, 6 Jun 2014 14:19:21 -0700
-Subject: [PATCH] Avoid double free when processing DTLS packets.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The |item| variable, in both of these cases, may contain a pointer to a
-|pitem| structure within |s->d1->buffered_messages|. It was being freed
-in the error case while still being in |buffered_messages|. When the
-error later caused the |SSL*| to be destroyed, the item would be double
-freed.
-
-Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
-inconsistent with the other error paths (but correct).
-
-Fixes CVE-2014-3505
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- ssl/d1_both.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index c1eb970..cdb83b6 100644
---- a/a/ssl/d1_both.c
-+++ b/b/ssl/d1_both.c
-@@ -693,8 +693,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- return DTLS1_HM_FRAGMENT_RETRY;
-
- err:
-- if (frag != NULL) dtls1_hm_fragment_free(frag);
-- if (item != NULL) OPENSSL_free(item);
-+ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
- *ok = 0;
- return i;
- }
-@@ -778,8 +777,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- return DTLS1_HM_FRAGMENT_RETRY;
-
- err:
-- if ( frag != NULL) dtls1_hm_fragment_free(frag);
-- if ( item != NULL) OPENSSL_free(item);
-+ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
- *ok = 0;
- return i;
- }
---
-1.8.3.1
-
diff --git a/external/openssl/CVE-2014-3506.patch b/external/openssl/CVE-2014-3506.patch
deleted file mode 100644
index 45b87dc..0000000
--- a/external/openssl/CVE-2014-3506.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From fc7804ec392fcf8051abe6bc9da9108744d2ae35 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Fri, 6 Jun 2014 14:25:52 -0700
-Subject: [PATCH] Fix DTLS handshake message size checks.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In |dtls1_reassemble_fragment|, the value of
-|msg_hdr->frag_off+frag_len| was being checked against the maximum
-handshake message size, but then |msg_len| bytes were allocated for the
-fragment buffer. This means that so long as the fragment was within the
-allowed size, the pending handshake message could consume 16MB + 2MB
-(for the reassembly bitmap). Approx 10 outstanding handshake messages
-are allowed, meaning that an attacker could consume ~180MB per DTLS
-connection.
-
-In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
-check was applied.
-
-Fixes CVE-2014-3506
-
-Wholly based on patch by Adam Langley with one minor amendment.
-
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- ssl/d1_both.c | 29 ++++++++++++++++-------------
- 1 file changed, 16 insertions(+), 13 deletions(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 6559dfc..b9e15df 100644
---- a/a/ssl/d1_both.c
-+++ b/b/ssl/d1_both.c
-@@ -587,6 +587,16 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
- return 0;
- }
-
-+/* dtls1_max_handshake_message_len returns the maximum number of bytes
-+ * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may
-+ * be greater if the maximum certificate list size requires it. */
-+static unsigned long dtls1_max_handshake_message_len(const SSL *s)
-+ {
-+ unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
-+ if (max_len < (unsigned long)s->max_cert_list)
-+ return s->max_cert_list;
-+ return max_len;
-+ }
-
- static int
- dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
-@@ -595,20 +605,10 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- pitem *item = NULL;
- int i = -1, is_complete;
- unsigned char seq64be[8];
-- unsigned long frag_len = msg_hdr->frag_len, max_len;
--
-- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
-- goto err;
--
-- /* Determine maximum allowed message size. Depends on (user set)
-- * maximum certificate length, but 16k is minimum.
-- */
-- if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list)
-- max_len = s->max_cert_list;
-- else
-- max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
-+ unsigned long frag_len = msg_hdr->frag_len;
-
-- if ((msg_hdr->frag_off+frag_len) > max_len)
-+ if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len ||
-+ msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
- goto err;
-
- /* Try to find item in queue */
-@@ -749,6 +749,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- if (frag_len && frag_len < msg_hdr->msg_len)
- return dtls1_reassemble_fragment(s, msg_hdr, ok);
-
-+ if (frag_len > dtls1_max_handshake_message_len(s))
-+ goto err;
-+
- frag = dtls1_hm_fragment_new(frag_len, 0);
- if ( frag == NULL)
- goto err;
---
-1.8.3.1
-
diff --git a/external/openssl/CVE-2014-3507.patch b/external/openssl/CVE-2014-3507.patch
deleted file mode 100644
index 4ea0b69..0000000
--- a/external/openssl/CVE-2014-3507.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff -up openssl-1.0.1e/ssl/d1_both.c.dtls-memleak openssl-1.0.1e/ssl/d1_both.c
---- a/a/ssl/d1_both.c.dtls-memleak 2014-08-07 17:51:18.457493922 +0200
-+++ b/b/ssl/d1_both.c 2014-08-07 17:58:28.478558785 +0200
-@@ -610,6 +610,9 @@ dtls1_reassemble_fragment(SSL *s, struct
- msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
- goto err;
-
-+ if (frag_len == 0)
-+ return DTLS1_HM_FRAGMENT_RETRY;
-+
- /* Try to find item in queue */
- memset(seq64be,0,sizeof(seq64be));
- seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
-@@ -686,7 +689,12 @@ dtls1_reassemble_fragment(SSL *s, struct
- i = -1;
- }
-
-- pqueue_insert(s->d1->buffered_messages, item);
-+ item = pqueue_insert(s->d1->buffered_messages, item);
-+ /* pqueue_insert fails iff a duplicate item is inserted.
-+ * However, |item| cannot be a duplicate. If it were,
-+ * |pqueue_find|, above, would have returned it and control
-+ * would never have reached this branch. */
-+ OPENSSL_assert(item != NULL);
- }
-
- return DTLS1_HM_FRAGMENT_RETRY;
-@@ -744,7 +752,7 @@ dtls1_process_out_of_seq_message(SSL *s,
- }
- else
- {
-- if (frag_len && frag_len < msg_hdr->msg_len)
-+ if (frag_len < msg_hdr->msg_len)
- return dtls1_reassemble_fragment(s, msg_hdr, ok);
-
- if (frag_len > dtls1_max_handshake_message_len(s))
-@@ -773,7 +781,15 @@ dtls1_process_out_of_seq_message(SSL *s,
- if ( item == NULL)
- goto err;
-
-- pqueue_insert(s->d1->buffered_messages, item);
-+ item = pqueue_insert(s->d1->buffered_messages, item);
-+ /* pqueue_insert fails iff a duplicate item is inserted.
-+ * However, |item| cannot be a duplicate. If it were,
-+ * |pqueue_find|, above, would have returned it. Then, either
-+ * |frag_len| != |msg_hdr->msg_len| in which case |item| is set
-+ * to NULL and it will have been processed with
-+ * |dtls1_reassemble_fragment|, above, or the record will have
-+ * been discarded. */
-+ OPENSSL_assert(item != NULL);
- }
-
- return DTLS1_HM_FRAGMENT_RETRY;
diff --git a/external/openssl/CVE-2014-3508.patch b/external/openssl/CVE-2014-3508.patch
deleted file mode 100644
index 513608d..0000000
--- a/external/openssl/CVE-2014-3508.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 03b04ddac162c7b7fa3c57eadccc5a583a00d291 Mon Sep 17 00:00:00 2001
-From: Emilia Kasper <emilia at openssl.org>
-Date: Wed, 2 Jul 2014 19:02:33 +0200
-Subject: [PATCH] Fix OID handling:
-
-- Upon parsing, reject OIDs with invalid base-128 encoding.
-- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.
-
-CVE-2014-3508
-
-Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
-Reviewed-by: Kurt Roeckx <kurt at openssl.org>
-Reviewed-by: Tim Hudson <tjh at openssl.org>
----
- crypto/asn1/a_object.c | 30 +++++++++++++++++++++---------
- crypto/objects/obj_dat.c | 16 +++++++++-------
- 2 files changed, 30 insertions(+), 16 deletions(-)
-
-diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
-index 3978c91..77b2768 100644
---- a/a/crypto/asn1/a_object.c
-+++ b/b/crypto/asn1/a_object.c
-@@ -283,17 +283,29 @@ err:
- ASN1err(ASN1_F_D2I_ASN1_OBJECT,i);
- return(NULL);
- }
-+
- ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
- long len)
- {
- ASN1_OBJECT *ret=NULL;
- const unsigned char *p;
- unsigned char *data;
-- int i;
-- /* Sanity check OID encoding: can't have leading 0x80 in
-- * subidentifiers, see: X.690 8.19.2
-+ int i, length;
-+
-+ /* Sanity check OID encoding.
-+ * Need at least one content octet.
-+ * MSB must be clear in the last octet.
-+ * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2
- */
-- for (i = 0, p = *pp; i < len; i++, p++)
-+ if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL ||
-+ p[len - 1] & 0x80)
-+ {
-+ ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
-+ return NULL;
-+ }
-+ /* Now 0 < len <= INT_MAX, so the cast is safe. */
-+ length = (int)len;
-+ for (i = 0; i < length; i++, p++)
- {
- if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
- {
-@@ -316,23 +328,23 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
- data = (unsigned char *)ret->data;
- ret->data = NULL;
- /* once detached we can change it */
-- if ((data == NULL) || (ret->length < len))
-+ if ((data == NULL) || (ret->length < length))
- {
- ret->length=0;
- if (data != NULL) OPENSSL_free(data);
-- data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1);
-+ data=(unsigned char *)OPENSSL_malloc(length);
- if (data == NULL)
- { i=ERR_R_MALLOC_FAILURE; goto err; }
- ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
- }
-- memcpy(data,p,(int)len);
-+ memcpy(data,p,length);
- /* reattach data to object, after which it remains const */
- ret->data =data;
-- ret->length=(int)len;
-+ ret->length=length;
- ret->sn=NULL;
- ret->ln=NULL;
- /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
-- p+=len;
-+ p+=length;
-
- if (a != NULL) (*a)=ret;
- *pp=p;
-diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
-index 8a342ba..0b2f442 100644
---- a/a/crypto/objects/obj_dat.c
-+++ b/b/crypto/objects/obj_dat.c
-@@ -471,11 +471,12 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- const unsigned char *p;
- char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
-
-- if ((a == NULL) || (a->data == NULL)) {
-- buf[0]='\0';
-- return(0);
-- }
-+ /* Ensure that, at every state, |buf| is NUL-terminated. */
-+ if (buf && buf_len > 0)
-+ buf[0] = '\0';
-
-+ if ((a == NULL) || (a->data == NULL))
-+ return(0);
-
- if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef)
- {
-@@ -554,9 +555,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- i=(int)(l/40);
- l-=(long)(i*40);
- }
-- if (buf && (buf_len > 0))
-+ if (buf && (buf_len > 1))
- {
- *buf++ = i + '0';
-+ *buf = '\0';
- buf_len--;
- }
- n++;
-@@ -571,9 +573,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- i = strlen(bndec);
- if (buf)
- {
-- if (buf_len > 0)
-+ if (buf_len > 1)
- {
- *buf++ = '.';
-+ *buf = '\0';
- buf_len--;
- }
- BUF_strlcpy(buf,bndec,buf_len);
-@@ -807,4 +810,3 @@ err:
- OPENSSL_free(buf);
- return(ok);
- }
--
---
-1.8.3.1
-
diff --git a/external/openssl/CVE-2014-3509.patch b/external/openssl/CVE-2014-3509.patch
deleted file mode 100644
index 45c9462..0000000
--- a/external/openssl/CVE-2014-3509.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 86788e1ee6908a5b3a4c95fa80caa4b724a8a434 Mon Sep 17 00:00:00 2001
-From: Gabor Tyukasz <Gabor.Tyukasz at logmein.com>
-Date: Wed, 23 Jul 2014 23:42:06 +0200
-Subject: [PATCH] Fix race condition in ssl_parse_serverhello_tlsext
-
-CVE-2014-3509
-Reviewed-by: Tim Hudson <tjh at openssl.org>
-Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
----
- ssl/t1_lib.c | 17 ++++++++++-------
- 1 file changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 8167a51..022a4fb 100644
---- a/a/ssl/t1_lib.c
-+++ b/b/ssl/t1_lib.c
-@@ -1555,15 +1555,18 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
- *al = TLS1_AD_DECODE_ERROR;
- return 0;
- }
-- s->session->tlsext_ecpointformatlist_length = 0;
-- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
-+ if (!s->hit)
- {
-- *al = TLS1_AD_INTERNAL_ERROR;
-- return 0;
-+ s->session->tlsext_ecpointformatlist_length = 0;
-+ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
-+ {
-+ *al = TLS1_AD_INTERNAL_ERROR;
-+ return 0;
-+ }
-+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
- }
-- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
- #if 0
- fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
- sdata = s->session->tlsext_ecpointformatlist;
---
-1.8.3.1
-
diff --git a/external/openssl/CVE-2014-3510.patch b/external/openssl/CVE-2014-3510.patch
deleted file mode 100644
index 5cdc5d7..0000000
--- a/external/openssl/CVE-2014-3510.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 88ae012c8092852f03c50f6461175271104b4c8a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Emilia=20K=C3=A4sper?= <emilia at openssl.org>
-Date: Thu, 24 Jul 2014 22:15:29 +0200
-Subject: [PATCH] Fix DTLS anonymous EC(DH) denial of service
-
-CVE-2014-3510
-
-Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
----
- ssl/d1_clnt.c | 23 +++++++++++++++++++++--
- ssl/s3_clnt.c | 7 +++++++
- 2 files changed, 28 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
-index 65dbb4a..fd6562c 100644
---- a/a/ssl/d1_clnt.c
-+++ b/b/ssl/d1_clnt.c
-@@ -996,6 +996,13 @@ int dtls1_send_client_key_exchange(SSL *s)
- RSA *rsa;
- unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ /* We should always have a server certificate with SSL_kRSA. */
-+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+
- if (s->session->sess_cert->peer_rsa_tmp != NULL)
- rsa=s->session->sess_cert->peer_rsa_tmp;
- else
-@@ -1186,6 +1193,13 @@ int dtls1_send_client_key_exchange(SSL *s)
- {
- DH *dh_srvr,*dh_clnt;
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- if (s->session->sess_cert->peer_dh_tmp != NULL)
- dh_srvr=s->session->sess_cert->peer_dh_tmp;
- else
-@@ -1245,6 +1259,13 @@ int dtls1_send_client_key_exchange(SSL *s)
- int ecdh_clnt_cert = 0;
- int field_size = 0;
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- /* Did we send out the client's
- * ECDH share for use in premaster
- * computation as part of client certificate?
-@@ -1720,5 +1741,3 @@ int dtls1_send_client_certificate(SSL *s)
- /* SSL3_ST_CW_CERT_D */
- return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
- }
--
--
-diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
-index 2afb892..df05f78 100644
---- a/a/ssl/s3_clnt.c
-+++ b/b/ssl/s3_clnt.c
-@@ -2253,6 +2253,13 @@ int ssl3_send_client_key_exchange(SSL *s)
- RSA *rsa;
- unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ /* We should always have a server certificate with SSL_kRSA. */
-+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+
- if (s->session->sess_cert->peer_rsa_tmp != NULL)
- rsa=s->session->sess_cert->peer_rsa_tmp;
- else
---
-1.8.3.1
-
diff --git a/external/openssl/CVE-2014-3511.patch b/external/openssl/CVE-2014-3511.patch
deleted file mode 100644
index 4b5b9c6..0000000
--- a/external/openssl/CVE-2014-3511.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From fc4f4cdb8bf9981904e652abf69b892a45bddacf Mon Sep 17 00:00:00 2001
-From: David Benjamin <davidben at google.com>
-Date: Wed, 23 Jul 2014 22:32:21 +0200
-Subject: [PATCH] Fix protocol downgrade bug in case of fragmented packets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CVE-2014-3511
-
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
-Reviewed-by: Bodo Möller <bodo at openssl.org>
----
- ssl/s23_srvr.c | 30 +++++++++++++++++++++++-------
- 1 file changed, 23 insertions(+), 7 deletions(-)
-
-diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
-index 4877849..2901a6b 100644
---- a/a/ssl/s23_srvr.c
-+++ b/b/ssl/s23_srvr.c
-@@ -348,23 +348,19 @@ int ssl23_get_client_hello(SSL *s)
- * Client Hello message, this would be difficult, and we'd have
- * to read more records to find out.
- * No known SSL 3.0 client fragments ClientHello like this,
-- * so we simply assume TLS 1.0 to avoid protocol version downgrade
-- * attacks. */
-+ * so we simply reject such connections to avoid
-+ * protocol version downgrade attacks. */
- if (p[3] == 0 && p[4] < 6)
- {
--#if 0
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
- goto err;
--#else
-- v[1] = TLS1_VERSION_MINOR;
--#endif
- }
- /* if major version number > 3 set minor to a value
- * which will use the highest version 3 we support.
- * If TLS 2.0 ever appears we will need to revise
- * this....
- */
-- else if (p[9] > SSL3_VERSION_MAJOR)
-+ if (p[9] > SSL3_VERSION_MAJOR)
- v[1]=0xff;
- else
- v[1]=p[10]; /* minor version according to client_version */
-@@ -444,14 +440,34 @@ int ssl23_get_client_hello(SSL *s)
- v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
- v[1] = p[4];
-
-+ /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
-+ * header is sent directly on the wire, not wrapped as a TLS
-+ * record. It's format is:
-+ * Byte Content
-+ * 0-1 msg_length
-+ * 2 msg_type
-+ * 3-4 version
-+ * 5-6 cipher_spec_length
-+ * 7-8 session_id_length
-+ * 9-10 challenge_length
-+ * ... ...
-+ */
- n=((p[0]&0x7f)<<8)|p[1];
- if (n > (1024*4))
- {
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
- goto err;
- }
-+ if (n < 9)
-+ {
-+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
-+ goto err;
-+ }
-
- j=ssl23_read_bytes(s,n+2);
-+ /* We previously read 11 bytes, so if j > 0, we must have
-+ * j == n+2 == s->packet_length. We have at least 11 valid
-+ * packet bytes. */
- if (j <= 0) return(j);
-
- ssl3_finish_mac(s, s->packet+2, s->packet_length-2);
---
-1.8.3.1
-
diff --git a/external/openssl/CVE-2014-3513.patch b/external/openssl/CVE-2014-3513.patch
deleted file mode 100644
index 96d4584..0000000
--- a/external/openssl/CVE-2014-3513.patch
+++ /dev/null
@@ -1,186 +0,0 @@
-diff -up openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak openssl-1.0.1e/ssl/d1_srtp.c
---- a/a/ssl/d1_srtp.c.srtp-leak 2013-02-11 16:26:04.000000000 +0100
-+++ b/b/ssl/d1_srtp.c 2014-10-15 13:23:34.253040160 +0200
-@@ -168,25 +168,6 @@ static int find_profile_by_name(char *pr
- return 1;
- }
-
--static int find_profile_by_num(unsigned profile_num,
-- SRTP_PROTECTION_PROFILE **pptr)
-- {
-- SRTP_PROTECTION_PROFILE *p;
--
-- p=srtp_known_profiles;
-- while(p->name)
-- {
-- if(p->id == profile_num)
-- {
-- *pptr=p;
-- return 0;
-- }
-- p++;
-- }
--
-- return 1;
-- }
--
- static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
- {
- STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
-@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const c
- if(!find_profile_by_name(ptr,&p,
- col ? col-ptr : (int)strlen(ptr)))
- {
-+ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
-+ {
-+ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
-+ return 1;
-+ }
-+
- sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
- }
- else
- {
- SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
-+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
- return 1;
- }
-
-@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL
-
- int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
- {
-- SRTP_PROTECTION_PROFILE *cprof,*sprof;
-- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
-+ SRTP_PROTECTION_PROFILE *sprof;
-+ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
- int ct;
- int mki_len;
-- int i,j;
-- int id;
-- int ret;
-+ int i, srtp_pref;
-+ unsigned int id;
-
- /* Length value + the MKI length */
- if(len < 3)
-@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(S
- return 1;
- }
-
-+ srvr=SSL_get_srtp_profiles(s);
-+ s->srtp_profile = NULL;
-+ /* Search all profiles for a match initially */
-+ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
-
-- clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
--
- while(ct)
- {
- n2s(d,id);
- ct-=2;
- len-=2;
-
-- if(!find_profile_by_num(id,&cprof))
-+ /*
-+ * Only look for match in profiles of higher preference than
-+ * current match.
-+ * If no profiles have been have been configured then this
-+ * does nothing.
-+ */
-+ for (i = 0; i < srtp_pref; i++)
- {
-- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
-- }
-- else
-- {
-- ; /* Ignore */
-+ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
-+ if (sprof->id == id)
-+ {
-+ s->srtp_profile = sprof;
-+ srtp_pref = i;
-+ break;
-+ }
- }
- }
-
-@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(S
- return 1;
- }
-
-- srvr=SSL_get_srtp_profiles(s);
--
-- /* Pick our most preferred profile. If no profiles have been
-- configured then the outer loop doesn't run
-- (sk_SRTP_PROTECTION_PROFILE_num() = -1)
-- and so we just return without doing anything */
-- for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
-- {
-- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
--
-- for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
-- {
-- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
--
-- if(cprof->id==sprof->id)
-- {
-- s->srtp_profile=sprof;
-- *al=0;
-- ret=0;
-- goto done;
-- }
-- }
-- }
--
-- ret=0;
--
--done:
-- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
--
-- return ret;
-+ return 0;
- }
-
- int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
-diff -up openssl-1.0.1e/ssl/t1_lib.c.srtp-leak openssl-1.0.1e/ssl/t1_lib.c
---- a/a/ssl/t1_lib.c.srtp-leak 2014-10-15 13:19:59.955202293 +0200
-+++ b/b/ssl/t1_lib.c 2014-10-15 13:23:34.254040182 +0200
-@@ -696,7 +696,7 @@ unsigned char *ssl_add_clienthello_tlsex
- #endif
-
- #ifndef OPENSSL_NO_SRTP
-- if(SSL_get_srtp_profiles(s))
-+ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
- {
- int el;
-
-@@ -829,7 +829,7 @@ unsigned char *ssl_add_serverhello_tlsex
- #endif
-
- #ifndef OPENSSL_NO_SRTP
-- if(s->srtp_profile)
-+ if(SSL_IS_DTLS(s) && s->srtp_profile)
- {
- int el;
-
-@@ -1377,7 +1377,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
-
- /* session ticket processed earlier */
- #ifndef OPENSSL_NO_SRTP
-- else if (type == TLSEXT_TYPE_use_srtp)
-+ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
-+ && type == TLSEXT_TYPE_use_srtp)
- {
- if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
- al))
-@@ -1631,7 +1632,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
- }
- #endif
- #ifndef OPENSSL_NO_SRTP
-- else if (type == TLSEXT_TYPE_use_srtp)
-+ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
- {
- if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
- al))
diff --git a/external/openssl/CVE-2014-3566.patch b/external/openssl/CVE-2014-3566.patch
deleted file mode 100644
index c9b37a7..0000000
--- a/external/openssl/CVE-2014-3566.patch
+++ /dev/null
@@ -1,466 +0,0 @@
-diff -up openssl-1.0.1e/apps/s_client.c.fallback-scsv openssl-1.0.1e/apps/s_client.c
---- a/a/apps/s_client.c.fallback-scsv 2014-10-15 17:06:01.000000000 +0200
-+++ b/b/apps/s_client.c 2014-10-15 17:07:36.392502320 +0200
-@@ -336,6 +336,7 @@ static void sc_usage(void)
- BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
- BIO_printf(bio_err," -tls1 - just use TLSv1\n");
- BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
-+ BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
- BIO_printf(bio_err," -mtu - set the link layer MTU\n");
- BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
- BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
-@@ -616,6 +617,7 @@ int MAIN(int argc, char **argv)
- char *sess_out = NULL;
- struct sockaddr peer;
- int peerlen = sizeof(peer);
-+ int fallback_scsv = 0;
- int enable_timeouts = 0 ;
- long socket_mtu = 0;
- #ifndef OPENSSL_NO_JPAKE
-@@ -829,6 +831,10 @@ int MAIN(int argc, char **argv)
- socket_mtu = atol(*(++argv));
- }
- #endif
-+ else if (strcmp(*argv,"-fallback_scsv") == 0)
-+ {
-+ fallback_scsv = 1;
-+ }
- else if (strcmp(*argv,"-bugs") == 0)
- bugs=1;
- else if (strcmp(*argv,"-keyform") == 0)
-@@ -1240,6 +1246,10 @@ bad:
- SSL_set_session(con, sess);
- SSL_SESSION_free(sess);
- }
-+
-+ if (fallback_scsv)
-+ SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
-+
- #ifndef OPENSSL_NO_TLSEXT
- if (servername != NULL)
- {
-diff -up openssl-1.0.1e/doc/apps/s_client.pod.fallback-scsv openssl-1.0.1e/doc/apps/s_client.pod
---- a/a/doc/apps/s_client.pod.fallback-scsv 2014-10-15 17:06:01.000000000 +0200
-+++ b/b/doc/apps/s_client.pod 2014-10-15 17:08:17.354427053 +0200
-@@ -34,6 +34,7 @@
- [B<-no_ssl2>]
- [B<-no_ssl3>]
- [B<-no_tls1>]
-+[B<-fallback_scsv>]
- [B<-bugs>]
- [B<-cipher cipherlist>]
- [B<-starttls protocol>]
-@@ -187,6 +188,10 @@
- work if TLS is turned off with the B<-no_tls> option others will only
- support SSL v2 and may need the B<-ssl2> option.
-
-+=item B<-fallback_scsv>
-+
-+Send TLS_FALLBACK_SCSV in the ClientHello.
-+
- =item B<-bugs>
-
- there are several known bug in SSL and TLS implementations. Adding this
-diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod.fallback-scsv openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod
---- a/a/doc/ssl/SSL_CTX_set_mode.pod.fallback-scsv 2013-02-11 16:26:04.000000000 +0100
-+++ b/b/doc/ssl/SSL_CTX_set_mode.pod 2014-10-15 17:09:57.577689637 +0200
-@@ -71,6 +71,12 @@ SSL_CTX->freelist_max_len, which default
- save around 34k per idle SSL connection.
- This flag has no effect on SSL v2 connections, or on DTLS connections.
-
-+=item SSL_MODE_SEND_FALLBACK_SCSV
-+
-+Send TLS_FALLBACK_SCSV in the ClientHello.
-+To be set by applications that reconnect with a downgraded protocol
-+version; see draft-ietf-tls-downgrade-scsv-00 for details.
-+
- =back
-
- =head1 RETURN VALUES
-diff -up openssl-1.0.1e/ssl/dtls1.h.fallback-scsv openssl-1.0.1e/ssl/dtls1.h
---- a/a/ssl/dtls1.h.fallback-scsv 2014-10-15 14:39:30.862907615 +0200
-+++ b/b/ssl/dtls1.h 2014-10-15 14:39:30.973910121 +0200
-@@ -84,6 +84,8 @@ extern "C" {
- #endif
-
- #define DTLS1_VERSION 0xFEFF
-+#define DTLS_MAX_VERSION DTLS1_VERSION
-+
- #define DTLS1_BAD_VER 0x0100
-
- #if 0
-@@ -284,4 +286,3 @@ typedef struct dtls1_record_data_st
- }
- #endif
- #endif
--
-diff -up openssl-1.0.1e/ssl/d1_lib.c.fallback-scsv openssl-1.0.1e/ssl/d1_lib.c
---- a/a/ssl/d1_lib.c.fallback-scsv 2014-10-15 14:39:30.911908721 +0200
-+++ b/b/ssl/d1_lib.c 2014-10-15 14:39:30.973910121 +0200
-@@ -263,6 +263,16 @@ long dtls1_ctrl(SSL *s, int cmd, long la
- case DTLS_CTRL_LISTEN:
- ret = dtls1_listen(s, parg);
- break;
-+ case SSL_CTRL_CHECK_PROTO_VERSION:
-+ /* For library-internal use; checks that the current protocol
-+ * is the highest enabled version (according to s->ctx->method,
-+ * as version negotiation may have changed s->method). */
-+#if DTLS_MAX_VERSION != DTLS1_VERSION
-+# error Code needs update for DTLS_method() support beyond DTLS1_VERSION.
-+#endif
-+ /* Just one protocol version is supported so far;
-+ * fail closed if the version is not as expected. */
-+ return s->version == DTLS_MAX_VERSION;
-
- default:
- ret = ssl3_ctrl(s, cmd, larg, parg);
-diff -up openssl-1.0.1e/ssl/ssl_err.c.fallback-scsv openssl-1.0.1e/ssl/ssl_err.c
---- a/a/ssl/ssl_err.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100
-+++ b/b/ssl/ssl_err.c 2014-10-15 14:39:30.973910121 +0200
-@@ -382,6 +382,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
- {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
- {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
- {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
-+{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"},
- {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
- {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
- {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
-@@ -528,6 +529,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
- {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
-+{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
-diff -up openssl-1.0.1e/ssl/ssl.h.fallback-scsv openssl-1.0.1e/ssl/ssl.h
---- a/a/ssl/ssl.h.fallback-scsv 2014-10-15 14:39:30.940909375 +0200
-+++ b/b/ssl/ssl.h 2014-10-15 14:41:46.174962343 +0200
-@@ -641,6 +641,10 @@
- * TLS only.) "Released" buffers are put onto a free-list in the context
- * or just freed (depending on the context's setting for freelist_max_len). */
- #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
-+/* Send TLS_FALLBACK_SCSV in the ClientHello.
-+ * To be set by applications that reconnect with a downgraded protocol
-+ * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
-+#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
-
- /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
- * they cannot be used to clear bits. */
-@@ -1499,6 +1503,7 @@
- #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
- #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
- #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
-+#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
-
- #define SSL_ERROR_NONE 0
- #define SSL_ERROR_SSL 1
-@@ -1609,6 +1614,8 @@
- #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
- #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
-
-+#define SSL_CTRL_CHECK_PROTO_VERSION 119
-+
- #define DTLSv1_get_timeout(ssl, arg) \
- SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
- #define DTLSv1_handle_timeout(ssl) \
-@@ -2362,6 +2369,7 @@
- #define SSL_R_HTTPS_PROXY_REQUEST 155
- #define SSL_R_HTTP_REQUEST 156
- #define SSL_R_ILLEGAL_PADDING 283
-+#define SSL_R_INAPPROPRIATE_FALLBACK 373
- #define SSL_R_INCONSISTENT_COMPRESSION 340
- #define SSL_R_INVALID_CHALLENGE_LENGTH 158
- #define SSL_R_INVALID_COMMAND 280
-@@ -2508,6 +2516,7 @@
- #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
- #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
- #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
-+#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
- #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
- #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
- #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
-diff -up openssl-1.0.1e/ssl/ssl_lib.c.fallback-scsv openssl-1.0.1e/ssl/ssl_lib.c
---- a/a/ssl/ssl_lib.c.fallback-scsv 2014-10-15 14:39:30.912908743 +0200
-+++ b/b/ssl/ssl_lib.c 2014-10-15 14:39:30.975910166 +0200
-@@ -1383,6 +1383,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
-
- if (sk == NULL) return(0);
- q=p;
-+ if (put_cb == NULL)
-+ put_cb = s->method->put_cipher_by_char;
-
- for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
- {
-@@ -1402,24 +1404,36 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
- s->psk_client_callback == NULL)
- continue;
- #endif /* OPENSSL_NO_PSK */
-- j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
-+ j = put_cb(c,p);
- p+=j;
- }
-- /* If p == q, no ciphers and caller indicates an error. Otherwise
-- * add SCSV if not renegotiating.
-- */
-- if (p != q && !s->renegotiate)
-+ /* If p == q, no ciphers; caller indicates an error.
-+ * Otherwise, add applicable SCSVs. */
-+ if (p != q)
- {
-- static SSL_CIPHER scsv =
-+ if (!s->renegotiate)
- {
-- 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
-- };
-- j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
-- p+=j;
-+ static SSL_CIPHER scsv =
-+ {
-+ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
-+ };
-+ j = put_cb(&scsv,p);
-+ p+=j;
- #ifdef OPENSSL_RI_DEBUG
-- fprintf(stderr, "SCSV sent by client\n");
-+ fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
- #endif
-- }
-+ }
-+
-+ if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
-+ {
-+ static SSL_CIPHER scsv =
-+ {
-+ 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
-+ };
-+ j = put_cb(&scsv,p);
-+ p+=j;
-+ }
-+ }
-
- return(p-q);
- }
-@@ -1430,11 +1444,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
- const SSL_CIPHER *c;
- STACK_OF(SSL_CIPHER) *sk;
- int i,n;
-+
- if (s->s3)
- s->s3->send_connection_binding = 0;
-
- n=ssl_put_cipher_by_char(s,NULL,NULL);
-- if ((num%n) != 0)
-+ if (n == 0 || (num%n) != 0)
- {
- SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
- return(NULL);
-@@ -1449,7 +1464,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
-
- for (i=0; i<num; i+=n)
- {
-- /* Check for SCSV */
-+ /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
- if (s->s3 && (n != 3 || !p[0]) &&
- (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
- (p[n-1] == (SSL3_CK_SCSV & 0xff)))
-@@ -1469,6 +1484,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
- continue;
- }
-
-+ /* Check for TLS_FALLBACK_SCSV */
-+ if ((n != 3 || !p[0]) &&
-+ (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
-+ (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff)))
-+ {
-+ /* The SCSV indicates that the client previously tried a higher version.
-+ * Fail if the current version is an unexpected downgrade. */
-+ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL))
-+ {
-+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK);
-+ if (s->s3)
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
-+ goto err;
-+ }
-+ continue;
-+ }
-+
- c=ssl_get_cipher_by_char(s,p);
- p+=n;
- if (c != NULL)
-diff -up openssl-1.0.1e/ssl/ssl3.h.fallback-scsv openssl-1.0.1e/ssl/ssl3.h
---- a/a/ssl/ssl3.h.fallback-scsv 2014-10-15 14:39:30.949909579 +0200
-+++ b/b/ssl/ssl3.h 2014-10-15 14:39:30.975910166 +0200
-@@ -128,9 +128,14 @@
- extern "C" {
- #endif
-
--/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
-+/* Signalling cipher suite value from RFC 5746
-+ * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */
- #define SSL3_CK_SCSV 0x030000FF
-
-+/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00
-+ * (TLS_FALLBACK_SCSV) */
-+#define SSL3_CK_FALLBACK_SCSV 0x03005600
-+
- #define SSL3_CK_RSA_NULL_MD5 0x03000001
- #define SSL3_CK_RSA_NULL_SHA 0x03000002
- #define SSL3_CK_RSA_RC4_40_MD5 0x03000003
-diff -up openssl-1.0.1e/ssl/s2_lib.c.fallback-scsv openssl-1.0.1e/ssl/s2_lib.c
---- a/a/ssl/s2_lib.c.fallback-scsv 2014-10-15 14:39:30.901908495 +0200
-+++ b/b/ssl/s2_lib.c 2014-10-15 14:39:30.975910166 +0200
-@@ -391,6 +391,8 @@ long ssl2_ctrl(SSL *s, int cmd, long lar
- case SSL_CTRL_GET_SESSION_REUSED:
- ret=s->hit;
- break;
-+ case SSL_CTRL_CHECK_PROTO_VERSION:
-+ return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg);
- default:
- break;
- }
-@@ -437,7 +439,7 @@ int ssl2_put_cipher_by_char(const SSL_CI
- if (p != NULL)
- {
- l=c->id;
-- if ((l & 0xff000000) != 0x02000000) return(0);
-+ if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0);
- p[0]=((unsigned char)(l>>16L))&0xFF;
- p[1]=((unsigned char)(l>> 8L))&0xFF;
- p[2]=((unsigned char)(l ))&0xFF;
-diff -up openssl-1.0.1e/ssl/s23_clnt.c.fallback-scsv openssl-1.0.1e/ssl/s23_clnt.c
---- a/a/ssl/s23_clnt.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100
-+++ b/b/ssl/s23_clnt.c 2014-10-15 14:39:30.975910166 +0200
-@@ -715,6 +715,9 @@ static int ssl23_get_server_hello(SSL *s
- goto err;
- }
-
-+ /* ensure that TLS_MAX_VERSION is up-to-date */
-+ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
-+
- if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING)
- {
- /* fatal alert */
-diff -up openssl-1.0.1e/ssl/s23_srvr.c.fallback-scsv openssl-1.0.1e/ssl/s23_srvr.c
---- a/a/ssl/s23_srvr.c.fallback-scsv 2014-10-15 14:39:30.966909962 +0200
-+++ b/b/ssl/s23_srvr.c 2014-10-15 14:39:30.976910188 +0200
-@@ -421,6 +421,9 @@ int ssl23_get_client_hello(SSL *s)
- }
- }
-
-+ /* ensure that TLS_MAX_VERSION is up-to-date */
-+ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
-+
- #ifdef OPENSSL_FIPS
- if (FIPS_mode() && (s->version < TLS1_VERSION))
- {
-diff -up openssl-1.0.1e/ssl/s3_enc.c.fallback-scsv openssl-1.0.1e/ssl/s3_enc.c
---- a/a/ssl/s3_enc.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100
-+++ b/b/ssl/s3_enc.c 2014-10-15 14:39:30.976910188 +0200
-@@ -892,7 +892,7 @@ int ssl3_alert_code(int code)
- case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE);
- case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE);
- case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
-+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
- default: return(-1);
- }
- }
--
-diff -up openssl-1.0.1e/ssl/s3_lib.c.fallback-scsv openssl-1.0.1e/ssl/s3_lib.c
---- a/a/ssl/s3_lib.c.fallback-scsv 2014-10-15 14:39:30.941909398 +0200
-+++ b/b/ssl/s3_lib.c 2014-10-15 14:39:30.976910188 +0200
-@@ -3350,6 +3350,33 @@
- #endif
-
- #endif /* !OPENSSL_NO_TLSEXT */
-+
-+ case SSL_CTRL_CHECK_PROTO_VERSION:
-+ /* For library-internal use; checks that the current protocol
-+ * is the highest enabled version (according to s->ctx->method,
-+ * as version negotiation may have changed s->method). */
-+ if (s->version == s->ctx->method->version)
-+ return 1;
-+ /* Apparently we're using a version-flexible SSL_METHOD
-+ * (not at its highest protocol version). */
-+ if (s->ctx->method->version == SSLv23_method()->version)
-+ {
-+#if TLS_MAX_VERSION != TLS1_2_VERSION
-+# error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.
-+#endif
-+ if (!(s->options & SSL_OP_NO_TLSv1_2))
-+ return s->version == TLS1_2_VERSION;
-+ if (!(s->options & SSL_OP_NO_TLSv1_1))
-+ return s->version == TLS1_1_VERSION;
-+ if (!(s->options & SSL_OP_NO_TLSv1))
-+ return s->version == TLS1_VERSION;
-+ if (!(s->options & SSL_OP_NO_SSLv3))
-+ return s->version == SSL3_VERSION;
-+ if (!(s->options & SSL_OP_NO_SSLv2))
-+ return s->version == SSL2_VERSION;
-+ }
-+ return 0; /* Unexpected state; fail closed. */
-+
- default:
- break;
- }
-@@ -3709,6 +3736,7 @@
- break;
- #endif
- #endif
-+
- default:
- return(0);
- }
-@@ -4279,4 +4307,3 @@
- return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
- return alg2;
- }
--
-diff -up openssl-1.0.1e/ssl/tls1.h.fallback-scsv openssl-1.0.1e/ssl/tls1.h
---- a/a/ssl/tls1.h.fallback-scsv 2014-10-15 14:39:30.775905650 +0200
-+++ b/b/ssl/tls1.h 2014-10-15 14:39:30.976910188 +0200
-@@ -159,17 +159,19 @@ extern "C" {
-
- #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
-
-+#define TLS1_VERSION 0x0301
-+#define TLS1_1_VERSION 0x0302
- #define TLS1_2_VERSION 0x0303
--#define TLS1_2_VERSION_MAJOR 0x03
--#define TLS1_2_VERSION_MINOR 0x03
-+#define TLS_MAX_VERSION TLS1_2_VERSION
-+
-+#define TLS1_VERSION_MAJOR 0x03
-+#define TLS1_VERSION_MINOR 0x01
-
--#define TLS1_1_VERSION 0x0302
- #define TLS1_1_VERSION_MAJOR 0x03
- #define TLS1_1_VERSION_MINOR 0x02
-
--#define TLS1_VERSION 0x0301
--#define TLS1_VERSION_MAJOR 0x03
--#define TLS1_VERSION_MINOR 0x01
-+#define TLS1_2_VERSION_MAJOR 0x03
-+#define TLS1_2_VERSION_MINOR 0x03
-
- #define TLS1_get_version(s) \
- ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
-@@ -187,6 +189,7 @@ extern "C" {
- #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
- #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
- #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
-+#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */
- #define TLS1_AD_USER_CANCELLED 90
- #define TLS1_AD_NO_RENEGOTIATION 100
- /* codes 110-114 are from RFC3546 */
-diff -up openssl-1.0.1e/ssl/t1_enc.c.fallback-scsv openssl-1.0.1e/ssl/t1_enc.c
---- a/a/ssl/t1_enc.c.fallback-scsv 2014-10-15 14:39:30.936909285 +0200
-+++ b/b/ssl/t1_enc.c 2014-10-15 14:39:30.977910211 +0200
-@@ -1265,6 +1265,7 @@ int tls1_alert_code(int code)
- case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
- case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
- case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
-+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
- #if 0 /* not appropriate for TLS, not used for DTLS */
- case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
- (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
diff --git a/external/openssl/CVE-2014-3567.patch b/external/openssl/CVE-2014-3567.patch
deleted file mode 100644
index db158f3..0000000
--- a/external/openssl/CVE-2014-3567.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up openssl-1.0.1e/ssl/t1_lib.c.ticket-leak openssl-1.0.1e/ssl/t1_lib.c
---- a/a/ssl/t1_lib.c.ticket-leak 2014-10-15 13:19:26.825454374 +0200
-+++ b/b/ssl/t1_lib.c 2014-10-15 13:19:59.955202293 +0200
-@@ -2280,7 +2280,10 @@ static int tls_decrypt_ticket(SSL *s, co
- HMAC_Final(&hctx, tick_hmac, NULL);
- HMAC_CTX_cleanup(&hctx);
- if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
-+ {
-+ EVP_CIPHER_CTX_cleanup(&ctx);
- return 2;
-+ }
- /* Attempt to decrypt session data */
- /* Move p after IV to start of encrypted ticket, update length */
- p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk
index cbb7745..cec09d2 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -91,26 +91,6 @@ $(eval $(call gb_UnpackedTarball_fix_end_of_line,openssl,\
))
$(eval $(call gb_UnpackedTarball_add_patches,openssl,\
- external/openssl/CVE-2013-6449.patch \
- external/openssl/CVE-2013-6450.patch \
- external/openssl/CVE-2013-4353.patch \
- external/openssl/CVE-2014-0160.patch \
- external/openssl/CVE-2010-5298.patch \
- external/openssl/CVE-2014-0195.patch \
- external/openssl/CVE-2014-0198.patch \
- external/openssl/CVE-2014-0221.patch \
- external/openssl/CVE-2014-0224.patch \
- external/openssl/CVE-2014-3470.patch \
- external/openssl/CVE-2014-3505.patch \
- external/openssl/CVE-2014-3506.patch \
- external/openssl/CVE-2014-3507.patch \
- external/openssl/CVE-2014-3508.patch \
- external/openssl/CVE-2014-3509.patch \
- external/openssl/CVE-2014-3510.patch \
- external/openssl/CVE-2014-3511.patch \
- external/openssl/CVE-2014-3513.patch \
- external/openssl/CVE-2014-3567.patch \
- external/openssl/CVE-2014-3566.patch \
$(if $(filter LINUX FREEBSD ANDROID,$(OS)),external/openssl/openssllnx.patch) \
$(if $(filter WNTGCC,$(OS)$(COM)),external/openssl/opensslmingw.patch) \
$(if $(filter MSC,$(COM)),external/openssl/opensslwnt.patch) \
commit 4e6ab0aea8473ba36c692c6fb1e15fce7e37b5ef
Author: Caolán McNamara <caolanm at redhat.com>
Date: Wed Feb 25 10:50:59 2015 +0000
check if reads were successful
Reviewed-on: https://gerrit.libreoffice.org/14631
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
(cherry picked from commit f974db5d89eacf0c23e303c22c62972014e9db16)
Conflicts:
hwpfilter/source/hiodev.cxx
hwpfilter/source/hiodev.h
hwpfilter/source/hwpfile.cxx
Reviewed-on: https://gerrit.libreoffice.org/14654
Tested-by: Michael Stahl <mstahl at redhat.com>
Reviewed-by: Michael Stahl <mstahl at redhat.com>
(cherry picked from commit f2d49715c176c80c4b0fa3a7799d610eb5afec88)
(cherry picked from commit 49c4b067f5c209b40d06804c2399fb1706b92282)
Conflicts:
hwpfilter/source/drawdef.h
hwpfilter/source/hiodev.h
Change-Id: I69ab0ca9c017c9a1c10d18fd850f32a92c641d12
diff --git a/hwpfilter/source/drawdef.h b/hwpfilter/source/drawdef.h
index c5861e7..7f310db 100644
--- a/hwpfilter/source/drawdef.h
+++ b/hwpfilter/source/drawdef.h
@@ -77,11 +77,11 @@ struct BAREHWPDOProperty
int line_pstyle;
int line_hstyle;
int line_tstyle;
- DWORD line_color;
+ unsigned int line_color;
hunit line_width;
- DWORD fill_color;
+ unsigned int fill_color;
uint pattern_type;
- DWORD pattern_color;
+ unsigned int pattern_color;
hunit hmargin;
hunit vmargin;
uint flag;
@@ -127,14 +127,14 @@ struct RotationProperty
*/
struct HWPDOProperty
{
- int line_pstyle; /* ¼± Áß°£ ¸ð¾ç */
- int line_hstyle; /* ³¡ È»ìÇ¥ ¸ð¾ç */
- int line_tstyle; /* ½ÃÀÛ ¸ð¾ç */
- DWORD line_color;
+ int line_pstyle; /* 선 중간 모양 */
+ int line_hstyle; /* 끝 화살표 모양 */
+ int line_tstyle; /* 시작 모양 */
+ unsigned int line_color;
hunit line_width;
- DWORD fill_color;
+ unsigned int fill_color;
uint pattern_type;
- DWORD pattern_color;
+ unsigned int pattern_color;
hunit hmargin;
hunit vmargin;
uint flag;
diff --git a/hwpfilter/source/drawing.h b/hwpfilter/source/drawing.h
index de8afcf..46f3bc3 100644
--- a/hwpfilter/source/drawing.h
+++ b/hwpfilter/source/drawing.h
@@ -124,7 +124,6 @@ inline bool HAS_PAT(HWPDrawingObject * hdo)
HAVE_GRADATION(hdo) || HAVE_BITMAP_PATTERN(hdo);
}
-
static void SetHdoParallRgn(HWPDrawingObject * hdo, int width, int height)
{
hdo->property.parall.pt[0].x = 0;
@@ -135,37 +134,37 @@ static void SetHdoParallRgn(HWPDrawingObject * hdo, int width, int height)
hdo->property.parall.pt[2].y = height;
}
-
static bool SkipPrivateBlock(int type)
{
int n;
if (type == OBJRET_FILE_NO_PRIVATE_BLOCK)
{
- n = hmem->read4b();
+ if (!hmem->read4b(n))
+ return false;
if (hmem->state() || hmem->skipBlock(n) != n)
return false;
}
- n = hmem->read4b();
+ if (!hmem->read4b(n))
+ return false;
if (hmem->state())
return false;
return hmem->skipBlock(n) == n;
}
-
static int SizeExpected;
static int SizeRead;
static int ReadSizeField(int size)
{
SizeExpected = size;
- SizeRead = hmem->read4b();
+ if (!hmem->read4b(SizeRead))
+ return -1;
if (hmem->state())
return -1;
return SizeRead;
}
-
static bool SkipUnusedField(void)
{
return (SizeExpected < SizeRead) ?
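Review bot: In SkipPrivateBlock the length `n` is read from the file as a signed `int` and handed straight to `hmem->skipBlock(n)`; the new checks reject a failed read but not a negative length. The part of `HMemIODev::skipBlock` visible elsewhere in this commit tests only `length < pos + size`, which a negative `size` would pass, so the read position could presumably move backwards. Adding `if (n < 0) return false;` after each `read4b(n)` closes that off.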
@@ -179,62 +178,93 @@ static bool SkipUnusedField(void)
#define HDOFILE_HAS_NEXT 0x01
#define HDOFILE_HAS_CHILD 0x02
-static bool LoadCommonHeader(HWPDrawingObject * hdo, WORD * link_info)
+static bool LoadCommonHeader(HWPDrawingObject * hdo, unsigned short * link_info)
{
uint size, common_size;
- if( !hmem )
- return FALSE;
- size = hmem->read4b();
+ if (!hmem)
+ return false;
+ if (!hmem->read4b(size))
+ return false;
if (hmem->state())
- {
- return FALSE;
- }
+ return false;
if (size < HDOFILE_COMMON_SIZE)
- {
- return FALSE;
- }
+ return false;
common_size = HDOFILE_COMMON_SIZE;
- hdo->type = hmem->read2b();
- *link_info = sal::static_int_cast<WORD>(hmem->read2b());
- hdo->offset.x = hmem->read4b();
- hdo->offset.y = hmem->read4b();
- hdo->extent.w = hmem->read4b();
- hdo->extent.h = hmem->read4b();
- hdo->offset2.x = hmem->read4b();
- hdo->offset2.y = hmem->read4b();
+ unsigned short tmp16;
+ if (!hmem->read2b(tmp16))
+ return false;
+ hdo->type = tmp16;
+ if (!hmem->read2b(tmp16))
+ return false;
+ *link_info = tmp16;
+ if (!hmem->read4b(hdo->offset.x))
+ return false;
+ if (!hmem->read4b(hdo->offset.y))
+ return false;
+ if (!hmem->read4b(hdo->extent.w))
+ return false;
+ if (!hmem->read4b(hdo->extent.h))
+ return false;
+ if (!hmem->read4b(hdo->offset2.x))
+ return false;
+ if (!hmem->read4b(hdo->offset2.y))
+ return false;
if (hmem->state())
- return FALSE;
+ return false;
- hdo->vrect.x = hmem->read4b();
- hdo->vrect.y = hmem->read4b();
- hdo->vrect.w = hmem->read4b();
- hdo->vrect.h = hmem->read4b();
+ if (!hmem->read4b(hdo->vrect.x))
+ return false;
+ if (!hmem->read4b(hdo->vrect.y))
+ return false;
+ if (!hmem->read4b(hdo->vrect.w))
+ return false;
+ if (!hmem->read4b(hdo->vrect.h))
+ return false;
// read bare property 44 bytes
- hdo->property.line_pstyle = hmem->read4b();
- hdo->property.line_hstyle = hmem->read4b();
- hdo->property.line_tstyle = hmem->read4b();
- hdo->property.line_color = hmem->read4b();
- hdo->property.line_width = (hunit) hmem->read4b();
- hdo->property.fill_color = hmem->read4b();
- hdo->property.pattern_type = hmem->read4b();
- hdo->property.pattern_color = hmem->read4b();
- hdo->property.hmargin = (hunit) hmem->read4b();
- hdo->property.vmargin = (hunit) hmem->read4b();
- hdo->property.flag = hmem->read4b();
-// read ratation property 32 bytes
+ if (!hmem->read4b(hdo->property.line_pstyle))
+ return false;
+ if (!hmem->read4b(hdo->property.line_hstyle))
+ return false;
+ if (!hmem->read4b(hdo->property.line_tstyle))
+ return false;
+ if (!hmem->read4b(hdo->property.line_color))
+ return false;
+ unsigned int tmp32;
+ if (!hmem->read4b(tmp32))
+ return false;
+ hdo->property.line_width = static_cast<hunit>(tmp32);
+ if (!hmem->read4b(hdo->property.fill_color))
+ return false;
+ if (!hmem->read4b(hdo->property.pattern_type))
+ return false;
+ if (!hmem->read4b(hdo->property.pattern_color))
+ return false;
+ if (!hmem->read4b(tmp32))
+ return false;
+ hdo->property.hmargin = static_cast<hunit>(tmp32);
+ if (!hmem->read4b(tmp32))
+ return false;
+ hdo->property.vmargin = static_cast<hunit>(tmp32);
+ if (!hmem->read4b(hdo->property.flag))
+ return false;
+// read rotation property 32 bytes
if ((size >= common_size + 32)
&& (hdo->property.flag & HWPDO_FLAG_ROTATION))
{
- hdo->property.rot_originx = hmem->read4b();
- hdo->property.rot_originy = hmem->read4b();
- for (int ii = 0; ii < 3; ii++)
+ if (!hmem->read4b(hdo->property.rot_originx))
+ return false;
+ if (!hmem->read4b(hdo->property.rot_originy))
+ return false;
+ for (int ii = 0; ii < 3; ++ii)
{
- hdo->property.parall.pt[ii].x = hmem->read4b();
- hdo->property.parall.pt[ii].y = hmem->read4b();
+ if (!hmem->read4b(hdo->property.parall.pt[ii].x))
+ return false;
+ if (!hmem->read4b(hdo->property.parall.pt[ii].y))
+ return false;
}
common_size += 32;
}
@@ -245,13 +275,20 @@ static bool LoadCommonHeader(HWPDrawingObject * hdo, WORD * link_info)
if ((size >= common_size + 28) &&
(hdo->property.flag & HWPDO_FLAG_GRADATION))
{
- hdo->property.fromcolor = hmem->read4b();
- hdo->property.tocolor = hmem->read4b();
- hdo->property.gstyle = hmem->read4b();
- hdo->property.angle = hmem->read4b();
- hdo->property.center_x = hmem->read4b();
- hdo->property.center_y = hmem->read4b();
- hdo->property.nstep = hmem->read4b();
+ if (!hmem->read4b(hdo->property.fromcolor))
+ return false;
+ if (!hmem->read4b(hdo->property.tocolor))
+ return false;
+ if (!hmem->read4b(hdo->property.gstyle))
+ return false;
+ if (!hmem->read4b(hdo->property.angle))
+ return false;
+ if (!hmem->read4b(hdo->property.center_x))
+ return false;
+ if (!hmem->read4b(hdo->property.center_y))
+ return false;
+ if (!hmem->read4b(hdo->property.nstep))
+ return false;
common_size += 28;
}
@@ -259,54 +296,67 @@ static bool LoadCommonHeader(HWPDrawingObject * hdo, WORD * link_info)
if ((size >= common_size + 278) && \
(hdo->property.flag & HWPDO_FLAG_BITMAP))
{
- hdo->property.offset1.x = hmem->read4b();
- hdo->property.offset1.y = hmem->read4b();
- hdo->property.offset2.x = hmem->read4b();
- hdo->property.offset2.y = hmem->read4b();
+ if (!hmem->read4b(hdo->property.offset1.x))
+ return false;
+ if (!hmem->read4b(hdo->property.offset1.y))
+ return false;
+ if (!hmem->read4b(hdo->property.offset2.x))
+ return false;
+ if (!hmem->read4b(hdo->property.offset2.y))
+ return false;
if (!hmem->readBlock(hdo->property.szPatternFile, 261))
- return FALSE;
- hdo->property.pictype = sal::static_int_cast<char>(hmem->read1b());
+ return false;
+ if (!hmem->read1b(hdo->property.pictype))
+ return false;
common_size += 278;
}
if( ( size >= common_size + 3 ) && ( hdo->property.flag & HWPDO_FLAG_WATERMARK ) )
//if( ( size >= common_size ) && ( hdo->property.flag >> 20 & 0x01 ) )
{
- if( size - common_size >= 5 )
- hmem->skipBlock( 2 );
- hdo->property.luminance = hmem->read1b();
- hdo->property.contrast = hmem->read1b();
- hdo->property.greyscale = hmem->read1b();
- common_size += 5;
- }
- else{
- hdo->property.luminance = 0;
- hdo->property.contrast = 0;
- hdo->property.greyscale = 0;
+ if (size - common_size >= 5)
+ hmem->skipBlock(2);
+ unsigned char tmp8;
+ if (!hmem->read1b(tmp8))
+ return false;
+ hdo->property.luminance = tmp8;
+ if (!hmem->read1b(tmp8))
+ return false;
+ hdo->property.contrast = tmp8;
+ if (!hmem->read1b(tmp8))
+ return false;
+ hdo->property.greyscale = tmp8;
+
+ common_size += 5;
+ }
+ else
+ {
+ hdo->property.luminance = 0;
+ hdo->property.contrast = 0;
+ hdo->property.greyscale = 0;
}
- hdo->property.pPara = 0L;
+ hdo->property.pPara = 0L;
- if( ( size > common_size ) && (hdo->property.flag & HWPDO_FLAG_AS_TEXTBOX) )
- {
- hmem->skipBlock(8);
- hdo->property.pPara = LoadParaList();
- if( hdo->property.pPara )
- return TRUE;
- else
- return FALSE;
+ if( ( size > common_size ) && (hdo->property.flag & HWPDO_FLAG_AS_TEXTBOX) )
+ {
+ hmem->skipBlock(8);
+ hdo->property.pPara = LoadParaList();
+ if( hdo->property.pPara )
+ return true;
+ else
+ return false;
}
- if( size <= common_size )
- return TRUE;
+ if (size <= common_size)
+ return true;
return hmem->skipBlock(size - common_size ) != 0;
}
-
static HWPDrawingObject *LoadDrawingObject(void)
{
HWPDrawingObject *hdo, *head, *prev;
int res;
- WORD link_info;
+ unsigned short link_info;
head = prev = NULL;
do
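Review bot: `hmem->skipBlock(2)` in the watermark branch and `hmem->skipBlock(8)` before `LoadParaList()` still have their results ignored, although this commit checks every other read in LoadCommonHeader. A truncated record would go on parsing from the wrong position. Since `SkipPrivateBlock` already treats `skipBlock(n) != n` as failure, the same test fits here: `if (size - common_size >= 5 && hmem->skipBlock(2) != 2) return false;` and `if (hmem->skipBlock(8) != 8) return false;`. The watermark branch is entered when only 3 bytes remain but always does `common_size += 5`, which is worth a comment or a matching adjustment.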
@@ -365,6 +415,11 @@ static HWPDrawingObject *LoadDrawingObject(void)
if (hdo != NULL)
{
+ if (hdo->type < 0 || hdo->type >= HWPDO_NITEMS)
+ {
+ hdo->type = HWPDO_RECT;
+ }
+
HWPDOFunc(hdo, OBJFUNC_FREE, NULL, 0);
delete hdo;
}
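Review bot: The new range check on `hdo->type` has no comment explaining why an out-of-range type is rewritten to `HWPDO_RECT` just before the object is freed. The value is read from the file in `LoadCommonHeader`, and `HWPDOFunc` presumably selects its handler by type, so a line such as `// type is read from the file; clamp it so OBJFUNC_FREE dispatches to a valid handler` would record the intent. LoadDrawingObject starts and ends outside this hunk, so whether the load path applies the same clamp before dispatching cannot be seen here.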
@@ -380,17 +435,25 @@ static HWPDrawingObject *LoadDrawingObject(void)
static bool LoadDrawingObjectBlock(Picture * pic)
{
- int size = hmem->read4b();
+ int size;
+ if (!hmem->read4b(size))
+ return false;
if (hmem->state() || size < HDOFILE_HEADER_SIZE)
return false;
- pic->picinfo.picdraw.zorder = hmem->read4b();
- pic->picinfo.picdraw.mbrcnt = hmem->read4b();
- pic->picinfo.picdraw.vrect.x = hmem->read4b();
- pic->picinfo.picdraw.vrect.y = hmem->read4b();
- pic->picinfo.picdraw.vrect.w = hmem->read4b();
- pic->picinfo.picdraw.vrect.h = hmem->read4b();
+ if (!hmem->read4b(pic->picinfo.picdraw.zorder))
+ return false;
+ if (!hmem->read4b(pic->picinfo.picdraw.mbrcnt))
+ return false;
+ if (!hmem->read4b(pic->picinfo.picdraw.vrect.x))
+ return false;
+ if (!hmem->read4b(pic->picinfo.picdraw.vrect.y))
+ return false;
+ if (!hmem->read4b(pic->picinfo.picdraw.vrect.w))
+ return false;
+ if (!hmem->read4b(pic->picinfo.picdraw.vrect.h))
+ return false;
if (size > HDOFILE_HEADER_SIZE &&
!hmem->skipBlock(size - HDOFILE_HEADER_SIZE))
@@ -402,9 +465,7 @@ static bool LoadDrawingObjectBlock(Picture * pic)
return true;
}
-
// object manipulation function
-
static int
HWPDODefaultFunc(int , HWPDrawingObject * , int cmd, void *, int)
{
@@ -413,7 +474,6 @@ HWPDODefaultFunc(int , HWPDrawingObject * , int cmd, void *, int)
return OBJRET_FILE_OK;
}
-
static int
HWPDOLineFunc(int type, HWPDrawingObject * hdo, int cmd, void *argp, int argv)
{
@@ -423,7 +483,8 @@ HWPDOLineFunc(int type, HWPDrawingObject * hdo, int cmd, void *argp, int argv)
case OBJFUNC_LOAD:
if (ReadSizeField(4) < 4)
return OBJRET_FILE_ERROR;
- hdo->u.line_arc.flip = hmem->read4b();
+ if (!hmem->read4b(hdo->u.line_arc.flip))
+ return OBJRET_FILE_ERROR;
if (hmem->state())
return OBJRET_FILE_ERROR;
if (!SkipUnusedField())
@@ -466,11 +527,14 @@ int cmd, void *argp, int argv)
case OBJFUNC_LOAD:
if (ReadSizeField(16) < 16)
return OBJRET_FILE_ERROR;
- hdo->u.arc.radial[0].x = hmem->read4b();
- hdo->u.arc.radial[0].y = hmem->read4b();
- hdo->u.arc.radial[1].x = hmem->read4b();
- hdo->u.arc.radial[1].y = hmem->read4b();
-
+ if (!hmem->read4b(hdo->u.arc.radial[0].x))
+ return OBJRET_FILE_ERROR;
+ if (!hmem->read4b(hdo->u.arc.radial[0].y))
+ return OBJRET_FILE_ERROR;
+ if (!hmem->read4b(hdo->u.arc.radial[1].x))
+ return OBJRET_FILE_ERROR;
+ if (!hmem->read4b(hdo->u.arc.radial[1].y))
+ return OBJRET_FILE_ERROR;
if (ReadSizeField(0) < 0)
return OBJRET_FILE_ERROR;
break;
@@ -491,7 +555,8 @@ HWPDOArcFunc(int type, HWPDrawingObject * hdo, int cmd, void *argp, int argv)
case OBJFUNC_LOAD:
if (ReadSizeField(4) < 4)
return OBJRET_FILE_ERROR;
- hdo->u.line_arc.flip = hmem->read4b();
+ if (!hmem->read4b(hdo->u.line_arc.flip))
+ return OBJRET_FILE_ERROR;
if (hmem->state())
return OBJRET_FILE_ERROR;
if (!SkipUnusedField())
@@ -532,7 +597,8 @@ int cmd, void *argp, int argv)
hdo->u.freeform.pt = 0;
if (ReadSizeField(4) < 4)
return OBJRET_FILE_ERROR;
- hdo->u.freeform.npt = hmem->read4b();
+ if (!hmem->read4b(hdo->u.freeform.npt))
+ return OBJRET_FILE_ERROR;
if (hmem->state())
return OBJRET_FILE_ERROR;
if (!SkipUnusedField())
@@ -551,11 +617,16 @@ int cmd, void *argp, int argv)
hdo->u.freeform.npt = 0;
return OBJRET_FILE_ERROR;
}
- for (int ii = 0; ii < hdo->u.freeform.npt; ii++)
+ for (int ii = 0; ii < hdo->u.freeform.npt; ++ii)
{
- hdo->u.freeform.pt[ii].x = hmem->read4b();
- hdo->u.freeform.pt[ii].y = hmem->read4b();
+ bool bFailure = false;
+ if (!hmem->read4b(hdo->u.freeform.pt[ii].x))
+ bFailure = true;
+ if (!hmem->read4b(hdo->u.freeform.pt[ii].y))
+ bFailure = true;
if (hmem->state())
+ bFailure = true;
+ if (bFailure)
{
delete[]hdo->u.freeform.pt;
hdo->u.freeform.npt = 0;
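Review bot: The failure branch frees `hdo->u.freeform.pt` with `delete[]` and zeroes `npt`, but the visible lines never reset `pt`, and this commit adds more ways to reach that branch. The branch continues past the end of the hunk, so the reset may happen there; if it does not, the stale pointer could be freed again when the caller runs `OBJFUNC_FREE` on the failed object. Setting `hdo->u.freeform.pt = 0;` right after the `delete[]` makes the cleanup safe. The `bFailure` flag can also be folded into one condition, `if (!hmem->read4b(pt[ii].x) || !hmem->read4b(pt[ii].y) || hmem->state())`, so the y read is not attempted after the x read has failed.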
diff --git a/hwpfilter/source/hbox.h b/hwpfilter/source/hbox.h
index cde006b..ff449a3 100644
--- a/hwpfilter/source/hbox.h
+++ b/hwpfilter/source/hbox.h
@@ -71,7 +71,7 @@ struct HBox
*/
struct SkipData: public HBox
{
- ulong data_block_len;
+ uint data_block_len;
hchar dummy;
char *data_block;
@@ -631,7 +631,7 @@ struct Picture: public FBox
* follow_block_size is the size information of the Drawing object of hwp.
* It's value is greater than 0 if the pictype is PICTYPE_DRAW.
*/
- ulong follow_block_size; /* 추가정보 길이. */
+ uint follow_block_size; /* 추가정보 길이. */
short dummy1; // to not change structure size */
short dummy2; // to not change structure size */
uchar reserved1;
diff --git a/hwpfilter/source/hinfo.cxx b/hwpfilter/source/hinfo.cxx
index 98f66a5..ee7654d 100644
--- a/hwpfilter/source/hinfo.cxx
+++ b/hwpfilter/source/hinfo.cxx
@@ -85,15 +85,34 @@ bool HWPInfo::Read(HWPFile & hwpf)
hwpf.Read1b(&paper.paper_direction, 1); /* 용지 방향 */
// paper geometry information
- paper.paper_height = (short) hwpf.Read2b(); /* 용지 길이 */
- paper.paper_width = (short) hwpf.Read2b(); /* 용지 너비 */
- paper.top_margin = (short) hwpf.Read2b(); /* 위쪽 여백 */
- paper.bottom_margin = (short) hwpf.Read2b(); /* 아래쪽 여백 */
- paper.left_margin = (short) hwpf.Read2b(); /* 왼쪽 여백 */
- paper.right_margin = (short) hwpf.Read2b(); /* 오른쪽 여백 */
- paper.header_length = (short) hwpf.Read2b(); /* 머리말 길이 */
- paper.footer_length = (short) hwpf.Read2b(); /* 꼬리말 길이 */
- paper.gutter_length = (short) hwpf.Read2b(); /* 제본여백 */
+ unsigned short tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ paper.paper_height = tmp16; /* 용지 길이 */
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ paper.paper_width = tmp16; /* 용지 너비 */
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ paper.top_margin = tmp16; /* 위쪽 여백 */
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ paper.bottom_margin = tmp16; /* 아래쪽 여백 */
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ paper.left_margin = tmp16; /* 왼쪽 여백 */
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ paper.right_margin = tmp16; /* 오른쪽 여백 */
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ paper.header_length = tmp16; /* 머리말 길이 */
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ paper.footer_length = tmp16; /* 꼬리말 길이 */
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ paper.gutter_length = tmp16; /* 제본여백 */
hwpf.Read2b(&readonly, 1); /* 예약 */
hwpf.Read1b(reserved1, 4); /* 예약 */
hwpf.Read1b(&chain_info.chain_page_no, 1); /* 쪽 번호 연결 1-연결, 0-새로시작 (연결인쇄에서 사용) */
@@ -109,14 +128,25 @@ bool HWPInfo::Read(HWPFile & hwpf)
// footnote
hwpf.Read2b(&beginfnnum,1); /* 각주 시작번호 */
hwpf.Read2b(&countfn,1); /* 각주 갯수 */
- splinetext = (short) hwpf.Read2b();
- splinefn = (short) hwpf.Read2b();
- spfnfn = (short) hwpf.Read2b();
+
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ splinetext = tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ splinefn = tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ spfnfn = tmp16;
hwpf.Read1b(&fnchar, 1);
hwpf.Read1b(&fnlinetype, 1);
// border layout
for (int ii = 0; ii < 4; ++ii)
- bordermargin[ii] = (short) hwpf.Read2b();
+ {
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ bordermargin[ii] = tmp16;
+ }
hwpf.Read2b(&borderline, 1);
hwpf.Read1b(&empty_line_hide, 1);
@@ -171,12 +201,23 @@ bool HWPSummary::Read(HWPFile & hwpf)
bool ParaShape::Read(HWPFile & hwpf)
{
- pagebreak = 0;
- left_margin = (short) hwpf.Read2b();
- right_margin = (short) hwpf.Read2b();
- indent = (short) hwpf.Read2b();
- lspacing = (short) hwpf.Read2b();
- pspacing_next = (short) hwpf.Read2b();
+ pagebreak = 0;
+ unsigned short tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ left_margin = tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ right_margin = tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ indent = tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ lspacing = tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ pspacing_next = tmp16;
hwpf.Read1b(&condense, 1);
hwpf.Read1b(&arrange_type, 1);
@@ -184,17 +225,27 @@ bool ParaShape::Read(HWPFile & hwpf)
{
hwpf.Read1b(&tabs[ii].type, 1);
hwpf.Read1b(&tabs[ii].dot_continue, 1);
- tabs[ii].position = (short) hwpf.Read2b();
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ tabs[ii].position = tmp16;
}
hwpf.Read1b(&coldef.ncols, 1);
hwpf.Read1b(&coldef.separator, 1);
- coldef.spacing = (short) hwpf.Read2b();
- coldef.columnlen = (short) hwpf.Read2b();
- coldef.columnlen0 = (short) hwpf.Read2b();
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ coldef.spacing = tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ coldef.columnlen = tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ coldef.columnlen0 = tmp16;
hwpf.Read1b(&shade, 1);
hwpf.Read1b(&outline, 1);
hwpf.Read1b(&outline_continue, 1);
- pspacing_prev = (short) hwpf.Read2b();
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ pspacing_prev = tmp16;
hwpf.Read1b(reserved, 2);
return (!hwpf.State());
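Review bot: The array-form reads in this hunk (`hwpf.Read1b(&tabs[ii].type, 1)`, `hwpf.Read1b(&coldef.ncols, 1)`, `hwpf.Read1b(reserved, 2)` and the rest) still discard their result, so only the single-value `Read2b(tmp16)` calls fail fast. The `HIODev` array readers changed in this commit just `break` and return a short count on failure. A short read there is therefore caught only if it also sets the state tested by `return (!hwpf.State());`, which is not visible here. Assuming `HWPFile::Read1b` forwards that count, comparing it would make the function consistent, e.g. `if (hwpf.Read1b(&coldef.ncols, 1) != 1) return false;`. The same applies to the other hinfo.cxx hunks.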
@@ -203,7 +254,10 @@ bool ParaShape::Read(HWPFile & hwpf)
bool CharShape::Read(HWPFile & hwpf)
{
- size = (short) hwpf.Read2b();
+ unsigned short tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ size = tmp16;
hwpf.Read1b(font, NLanguage);
hwpf.Read1b(ratio, NLanguage);
hwpf.Read1b(space, NLanguage);
diff --git a/hwpfilter/source/hiodev.cxx b/hwpfilter/source/hiodev.cxx
index 5de1b5c..af51a9b 100644
--- a/hwpfilter/source/hiodev.cxx
+++ b/hwpfilter/source/hiodev.cxx
@@ -64,14 +64,14 @@ int HIODev::read1b(void *ptr, int nmemb)
return -1;
for (ii = 0; ii < nmemb; ii++)
{
- p[ii] = sal::static_int_cast<uchar>(read1b());
+ if (!read1b(p[ii]))
+ break;
if (state())
break;
}
return ii;
}
-
int HIODev::read2b(void *ptr, int nmemb)
{
ushort *p = (ushort *) ptr;
@@ -81,24 +81,25 @@ int HIODev::read2b(void *ptr, int nmemb)
return -1;
for (ii = 0; ii < nmemb; ii++)
{
- p[ii] = sal::static_int_cast<uchar>(read2b());
+ if (!read2b(p[ii]))
+ break;
if (state())
break;
}
return ii;
}
-
int HIODev::read4b(void *ptr, int nmemb)
{
- ulong *p = (ulong *) ptr;
+ uint *p = (uint *) ptr;
int ii;
if (state())
return -1;
for (ii = 0; ii < nmemb; ii++)
{
- p[ii] = read4b();
+ if (!read4b(p[ii]))
+ break;
if (state())
break;
}
@@ -179,39 +180,57 @@ bool HStreamIODev::setCompressed(bool flag)
#define GZREAD(ptr,len) (_gzfp?gz_read(_gzfp,ptr,len):0)
-int HStreamIODev::read1b()
+bool HStreamIODev::read1b(unsigned char &out)
{
int res = (compressed) ? GZREAD(rBuf, 1) : _stream.readBytes(rBuf, 1);
- if (res <= 0)
- return -1;
- else
- return (unsigned char) rBuf[0];
+ if (res < 1)
+ return false;
+
+ out = (unsigned char)rBuf[0];
+ return true;
}
+bool HStreamIODev::read1b(char &out)
+{
+ unsigned char tmp8;
+ if (!read1b(tmp8))
+ return false;
+ out = tmp8;
+ return true;
+}
-int HStreamIODev::read2b()
+bool HStreamIODev::read2b(unsigned short &out)
{
int res = (compressed) ? GZREAD(rBuf, 2) : _stream.readBytes(rBuf, 2);
- if (res <= 0)
- return -1;
- else
- return ((unsigned char) rBuf[1] << 8 | (unsigned char) rBuf[0]);
-}
+ if (res < 2)
+ return false;
+ out = ((unsigned char) rBuf[1] << 8 | (unsigned char) rBuf[0]);
+ return true;
+}
-long HStreamIODev::read4b()
+bool HStreamIODev::read4b(unsigned int &out)
{
int res = (compressed) ? GZREAD(rBuf, 4) : _stream.readBytes(rBuf, 4);
- if (res <= 0)
- return -1;
- else
- return ((unsigned char) rBuf[3] << 24 | (unsigned char) rBuf[2] << 16 |
- (unsigned char) rBuf[1] << 8 | (unsigned char) rBuf[0]);
+ if (res < 4)
+ return false;
+
+ out = ((unsigned char) rBuf[3] << 24 | (unsigned char) rBuf[2] << 16 |
+ (unsigned char) rBuf[1] << 8 | (unsigned char) rBuf[0]);
+ return true;
}
+bool HStreamIODev::read4b(int &out)
+{
+ unsigned int tmp32;
+ if (!read4b(tmp32))
+ return false;
+ out = tmp32;
+ return true;
+}
int HStreamIODev::readBlock(void *ptr, int size)
{
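Review bot: In `HStreamIODev::read4b` the expression `(unsigned char) rBuf[3] << 24` shifts a value that has been promoted to `int`, so a top byte of 0x80 or above overflows a signed int, which is undefined behaviour before C++20. Widen before shifting, e.g. `static_cast<unsigned int>(static_cast<unsigned char>(rBuf[3])) << 24`, and build the result as `unsigned int`. `HMemIODev::read4b` in the next hunk has the same form (`ptr[pos - 1] << 24`) and needs the same cast.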
@@ -223,7 +242,6 @@ int HStreamIODev::readBlock(void *ptr, int size)
return count;
}
-
int HStreamIODev::skipBlock(int size)
{
if (compressed){
@@ -298,36 +316,56 @@ bool HMemIODev::setCompressed(bool )
return false;
}
-
-int HMemIODev::read1b()
+bool HMemIODev::read1b(unsigned char &out)
{
if (pos <= length)
- return ptr[pos++];
- else
- return 0;
+ {
+ out = ptr[pos++];
+ return true;
+ }
+ return false;
}
+bool HMemIODev::read1b(char &out)
+{
+ unsigned char tmp8;
+ if (!read1b(tmp8))
+ return false;
+ out = tmp8;
+ return true;
+}
-int HMemIODev::read2b()
+bool HMemIODev::read2b(unsigned short &out)
{
pos += 2;
if (pos <= length)
- return ptr[pos - 1] << 8 | ptr[pos - 2];
- else
- return 0;
+ {
+ out = ptr[pos - 1] << 8 | ptr[pos - 2];
+ return true;
+ }
+ return false;
}
-
-long HMemIODev::read4b()
+bool HMemIODev::read4b(unsigned int &out)
{
pos += 4;
if (pos <= length)
- return DWORD(ptr[pos - 1] << 24 | ptr[pos - 2] << 16 |
- ptr[pos - 3] << 8 | ptr[pos - 4]);
- else
- return 0;
+ {
+ out = static_cast<unsigned int>(ptr[pos - 1] << 24 | ptr[pos - 2] << 16 |
+ ptr[pos - 3] << 8 | ptr[pos - 4]);
+ return true;
+ }
+ return false;
}
+bool HMemIODev::read4b(int &out)
+{
+ unsigned int tmp32;
+ if (!read4b(tmp32))
+ return false;
+ out = tmp32;
+ return true;
+}
int HMemIODev::readBlock(void *p, int size)
{
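Review bot: `HMemIODev::read1b` keeps the guard `if (pos <= length)` before `out = ptr[pos++]`, so when `pos == length` it reads `ptr[length]`, one element past the data if `length` is the number of valid bytes. `read2b` and `read4b` advance first and then test `pos <= length`, which is the correct bound for them; the one-byte reader should use `if (pos < length)`. Those two readers also leave `pos` advanced beyond `length` when they fail, so a later `skipBlock` or read starts from an out-of-range position. Checking `length - pos` before advancing would avoid that.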
@@ -338,7 +376,6 @@ int HMemIODev::readBlock(void *p, int size)
return size;
}
-
int HMemIODev::skipBlock(int size)
{
if (length < pos + size)
diff --git a/hwpfilter/source/hiodev.h b/hwpfilter/source/hiodev.h
index ac0ded7..e71eb47 100644
--- a/hwpfilter/source/hiodev.h
+++ b/hwpfilter/source/hiodev.h
@@ -46,9 +46,11 @@ class DLLEXPORT HIODev
/* gzip routine wrapper */
virtual bool setCompressed( bool ) = 0;
- virtual int read1b() = 0;
- virtual int read2b() = 0;
- virtual long read4b() = 0;
+ virtual bool read1b(unsigned char &out) = 0;
+ virtual bool read1b(char &out) = 0;
+ virtual bool read2b(unsigned short &out) = 0;
+ virtual bool read4b(unsigned int &out) = 0;
+ virtual bool read4b(int &out) = 0;
virtual int readBlock( void *ptr, int size ) = 0;
virtual int skipBlock( int size ) = 0;
@@ -59,7 +61,7 @@ class DLLEXPORT HIODev
struct gz_stream;
-/* ÆÄÀÏ ÀÔÃâ·Â ÀåÄ¡ */
+/* 督析 脊窒径 舌帖 */
/**
* This controls the HStream given by constructor
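Review bot: The comment changed in this hunk is still unreadable after the commit; it replaces one mis-encoded byte sequence with another, whereas the drawdef.h hunk in the same commit restores proper Korean. The original bytes appear to be EUC-KR for "file I/O device", so `/* file I/O device */` would be a stable replacement. The two later hiodev.h hunks have the same problem, and their comments appear to read "data structure for decompressing with zlib" and "memory I/O device".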
@@ -68,7 +70,7 @@ struct gz_stream;
class HStreamIODev : public HIODev
{
private:
-/* zlibÀ¸·Î ¾ÐÃàÀ» Ç®±â À§ÇÑ ÀÚ·á ±¸Á¶ */
+/* zlib生稽 笑逐聖 熱奄 是廃 切戟 姥繕 */
gz_stream *_gzfp;
HStream& _stream;
public:
@@ -98,17 +100,19 @@ class HStreamIODev : public HIODev
* Read one byte from stream
*/
using HIODev::read1b;
- virtual int read1b();
+ virtual bool read1b(unsigned char &out);
+ virtual bool read1b(char &out);
/**
* Read 2 bytes from stream
*/
using HIODev::read2b;
- virtual int read2b();
+ virtual bool read2b(unsigned short &out);
/**
* Read 4 bytes from stream
*/
using HIODev::read4b;
- virtual long read4b();
+ virtual bool read4b(unsigned int &out);
+ virtual bool read4b(int &out);
/**
* Read some bytes from stream to given pointer as amount of size
*/
@@ -124,7 +128,7 @@ class HStreamIODev : public HIODev
virtual void init();
};
-/* ¸Þ¸ð¸® ÀÔÃâ·Â ÀåÄ¡ */
+/* 五乞軒 脊窒径 舌帖 */
/**
* The HMemIODev class controls the Input/Output device.
* @short Memory IO device
@@ -144,16 +148,18 @@ class HMemIODev : public HIODev
/* gzip routine wrapper */
virtual bool setCompressed( bool );
using HIODev::read1b;
- virtual int read1b();
+ virtual bool read1b(unsigned char &out);
+ virtual bool read1b(char &out);
using HIODev::read2b;
- virtual int read2b();
+ virtual bool read2b(unsigned short &out);
using HIODev::read4b;
- virtual long read4b();
+ virtual bool read4b(unsigned int &out);
+ virtual bool read4b(int &out);
virtual int readBlock( void *ptr, int size );
virtual int skipBlock( int size );
protected:
virtual void init();
};
-#endif /* _HIODEV_H_*/
+#endif // INCLUDED_HWPFILTER_SOURCE_HIODEV_H
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/hwpfilter/source/hpara.cxx b/hwpfilter/source/hpara.cxx
index bc17e0c..66abf78 100644
--- a/hwpfilter/source/hpara.cxx
+++ b/hwpfilter/source/hpara.cxx
@@ -31,14 +31,28 @@
bool LineInfo::Read(HWPFile & hwpf, HWPPara *pPara)
{
- pos = sal::static_int_cast<unsigned short>(hwpf.Read2b());
- space_width = (short) hwpf.Read2b();
- height = (short) hwpf.Read2b();
+ if (!hwpf.Read2b(pos))
+ return false;
+ unsigned short tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ space_width = tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ height = tmp16;
// internal information
- pgy = (short) hwpf.Read2b();
- sx = (short) hwpf.Read2b();
- psx = (short) hwpf.Read2b();
- pex = (short) hwpf.Read2b();
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ pgy = tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ sx = tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ psx = tmp16;
+ if (!hwpf.Read2b(tmp16))
+ return false;
+ pex = tmp16;
height_sp = 0;
if( pex >> 15 & 0x01 )
@@ -210,7 +224,10 @@ ParaShape *HWPPara::GetParaShape(void)
HBox *HWPPara::readHBox(HWPFile & hwpf)
{
- hchar hh = sal::static_int_cast<hchar>(hwpf.Read2b());
+ hchar hh;
+ if (!hwpf.Read2b(hh))
+ return 0;
+
HBox *hbox = 0;
if (hwpf.State() != HWP_NoError)
... etc. - the rest is truncated