authorLászló Németh <nemeth@numbertext.org>2014-09-26 15:54:44 +0200
committerLászló Németh <nemeth@numbertext.org>2014-09-26 16:21:28 +0200
commitb37a88c3080fc72f5f0ff9068bc71098be70ed11 (patch)
tree91313eb711d8086a93b95bb8dff57671331e6288
parentbcded1804340106b65a5ef0fc6aaef6075fd73cf (diff)
Hunspell: fix buffer overflow during morphological analysis
affected: thesaurus usage in a Hungarian document
test case: press Ctrl+F7 on the word "művészegyéniség"

Change-Id: I024568e81265c4ce3e05f718bf9147229416ab73
-rw-r--r--external/hunspell/UnpackedTarball_hunspell.mk1
-rw-r--r--external/hunspell/hunspell-morph-overflow.patch30
2 files changed, 31 insertions, 0 deletions
diff --git a/external/hunspell/UnpackedTarball_hunspell.mk b/external/hunspell/UnpackedTarball_hunspell.mk
index 96c85bb70801..9acfd9576d2f 100644
--- a/external/hunspell/UnpackedTarball_hunspell.mk
+++ b/external/hunspell/UnpackedTarball_hunspell.mk
@@ -18,6 +18,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,hunspell,\
external/hunspell/hunspell-1.3.2-nullptr.patch \
external/hunspell/hunspell-1.3.2-literal.patch \
external/hunspell/hunspell-fdo48017-wfopen.patch \
+ external/hunspell/hunspell-morph-overflow.patch \
))
ifeq ($(COM),MSC)
diff --git a/external/hunspell/hunspell-morph-overflow.patch b/external/hunspell/hunspell-morph-overflow.patch
new file mode 100644
index 000000000000..fe7c4f72530d
--- /dev/null
+++ b/external/hunspell/hunspell-morph-overflow.patch
@@ -0,0 +1,30 @@
+--- hunspell/src/hunspell/affixmgr.cxx 2014-09-24 16:11:10.750421303 +0200
++++ build/hunspell/src/hunspell/affixmgr.cxx 2014-09-26 15:25:09.448688908 +0200
+@@ -2400,8 +2400,10 @@
+ }
+ mystrcat(*result, presult, MAXLNLEN);
+ if (m || (*m != '\0')) {
+- sprintf(*result + strlen(*result), "%c%s%s%s", MSEP_FLD,
++ char m2[MAXLNLEN];
++ sprintf(m2, "%c%s%s%s", MSEP_FLD,
+ MORPH_PART, word + i, line_uniq_app(&m, MSEP_REC));
++ mystrcat(*result, m2, MAXLNLEN);
+ }
+ if (m) free(m);
+ mystrcat(*result, "\n", MAXLNLEN);
+@@ -2481,11 +2483,13 @@
+ }
+ mystrcat(*result, presult, MAXLNLEN);
+ if (m && (*m != '\0')) {
+- sprintf(*result + strlen(*result), "%c%s%s%s", MSEP_FLD,
++ char m2[MAXLNLEN];
++ sprintf(m2, "%c%s%s%s", MSEP_FLD,
+ MORPH_PART, word + i, line_uniq_app(&m, MSEP_REC));
++ mystrcat(*result, m2, MAXLNLEN);
+ }
+ if (m) free(m);
+- sprintf(*result + strlen(*result), "%c", MSEP_REC);
++ if (strlen(*result) + 1 < MAXLNLEN) sprintf(*result + strlen(*result), "%c", MSEP_REC);
+ ok = 1;
+ }
+
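Review bot: The `sprintf(m2, "%c%s%s%s", ...)` added in both hunks of affixmgr.cxx is still unbounded, so the overflow moves from `*result` to the fixed `char m2[MAXLNLEN]` stack buffer instead of being removed. If `MORPH_PART`, `word + i` and the string returned by `line_uniq_app()` together reach MAXLNLEN bytes, the write runs past `m2` before `mystrcat` (which presumably truncates to MAXLNLEN) is reached. Format with a bound instead, e.g. `snprintf(m2, sizeof(m2), "%c%s%s%s", MSEP_FLD, MORPH_PART, word + i, line_uniq_app(&m, MSEP_REC));`, or whatever bounded, always-terminating equivalent the MSC build provides. Separately, the context line `if (m || (*m != '\0'))` in the first hunk (at 2400) dereferences `m` exactly when it is NULL; the second hunk's `m && (*m != '\0')` looks like the intended condition. Both enclosing functions start and end outside the hunks.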