1--- misc/hunspell-1.3.3/src/hunspell/affixmgr.cxx 2010-02-27 12:59:53.000000000 +0100
2+++ misc/build/hunspell-1.3.3/src/hunspell/affixmgr.cxx 2011-05-18 16:29:45.919141893 +0200
3@@ -8,6 +8,8 @@
4
5 #include <vector>
6
7+#include <limits>
8+
9 #include "affixmgr.hxx"
10 #include "affentry.hxx"
11 #include "langnum.hxx"
12@@ -4238,7 +4240,10 @@
13 case 3: {
14 np++;
15 numents = atoi(piece);
16- if (numents == 0) {
17+ if ((numents <= 0) ||
18+ ((::std::numeric_limits<size_t>::max()
19+ / sizeof(struct affentry)) < numents))
20+ {
21 char * err = pHMgr->encode_flag(aflag);
22 if (err) {
23 HUNSPELL_WARNING(stderr, "error: line %d: bad entry number\n",
24--- misc/hunspell-1.3.3/src/tools/munch.c 2010-02-27 21:49:49.000000000 +0100
25+++ misc/build/hunspell-1.3.3/src/tools/munch.c 2011-05-18 15:53:53.427072106 +0200
26@@ -4,6 +4,7 @@
27 #include <string.h>
28 #include <unistd.h>
29 #include <stdlib.h>
30+#include <stdint.h>
31 #include <stdio.h>
32 #include <sys/types.h>
33 #include <sys/stat.h>
34@@ -235,10 +235,19 @@
35 case 1: { achar = *piece; break; }
36 case 2: { if (*piece == 'Y') ff = XPRODUCT; break; }
37 case 3: { numents = atoi(piece);
38- ptr = malloc(numents * sizeof(struct affent));
39- ptr->achar = achar;
40- ptr->xpflg = ff;
41- fprintf(stderr,"parsing %c entries %d\n",achar,numents);
42+ if ((numents < 0) ||
43+ ((SIZE_MAX/sizeof(struct affent)) < numents))
44+ {
45+ fprintf(stderr,
46+ "Error: too many entries: %d\n", numents);
47+ numents = 0;
48+ } else {
49+ ptr = malloc(numents * sizeof(struct affent));
50+ ptr->achar = achar;
51+ ptr->xpflg = ff;
52+ fprintf(stderr,"parsing %c entries %d\n",
53+ achar,numents);
54+ }
55 break;
56 }
57 default: break;
58--- misc/hunspell-1.3.3/src/tools/unmunch.c 2010-02-23 15:53:29.000000000 +0100
59+++ misc/build/hunspell-1.3.3/src/tools/unmunch.c 2011-05-18 20:53:43.843599726 +0200
60@@ -6,6 +6,7 @@
61 #include <string.h>
62 #include <unistd.h>
63 #include <stdlib.h>
64+#include <stdint.h>
65 #include 
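Review bot: The new bound in `case 3` of affixmgr.cxx still takes its input from `atoi(piece)`, whose behaviour is undefined when the count in the affix file does not fit in an `int`, so the `numents <= 0` and overflow tests cannot be trusted for exactly the oversized values they are meant to reject. Parsing with `strtol` and rejecting on `errno == ERANGE`, a non-empty remainder, or a value above `INT_MAX` before assigning to `numents` would make the guard sound. Where `size_t` is wider than `int` the division test will in practice never be true, so it does not bound the allocation that presumably follows outside the hunk; a documented upper limit on entries per affix class and a check of the allocation result would cover that. I would also add a comment above the condition, `// numents > 0 is established first, so comparing it with a size_t is value-preserving`.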
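Review bot: A count of zero still reaches `malloc(numents * sizeof(struct affent))` in the `else` branch of `case 3` in munch.c, because the guard tests `numents < 0` where the affixmgr.cxx hunk tests `<= 0`; `malloc(0)` may return NULL or a zero-sized block, and the following `ptr->achar = achar;` then writes through it. The allocation result is not checked either, so a large but in-range count that fails to allocate ends in a NULL dereference. I would change the guard to `if ((numents <= 0) ||` and add `if (ptr == NULL) { numents = 0; break; }` directly after the `malloc`. The rejected path leaves `ptr` at its earlier value, and whether later code outside the hunk tolerates that cannot be seen here. The identical hunk in unmunch.c (`@@ -160,10 +161,19 @@`) needs the same two changes.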
<stdio.h>
66 #include <sys/types.h>
67 #include <sys/stat.h>
68@@ -160,10 +161,19 @@
69 case 1: { achar = *piece; break; }
70 case 2: { if (*piece == 'Y') ff = XPRODUCT; break; }
71 case 3: { numents = atoi(piece);
72- ptr = malloc(numents * sizeof(struct affent));
73- ptr->achar = achar;
74- ptr->xpflg = ff;
75- fprintf(stderr,"parsing %c entries %d\n",achar,numents);
76+ if ((numents < 0) ||
77+ ((SIZE_MAX/sizeof(struct affent)) < numents))
78+ {
79+ fprintf(stderr,
80+ "Error: too many entries: %d\n", numents);
81+ numents = 0;
82+ } else {
83+ ptr = malloc(numents * sizeof(struct affent));
84+ ptr->achar = achar;
85+ ptr->xpflg = ff;
86+ fprintf(stderr,"parsing %c entries %d\n",
87+ achar,numents);
88+ }
89 break;
90 }
91 default: break;
92