[openoffice.org] Resolves: rhbz#623609 CVE-2010-2935 CVE-2010-2936
Caolan McNamara
caolanm at fedoraproject.org
Thu Aug 12 10:29:42 UTC 2010
commit cf9a3d30a5c4b43f6c1dd593f738d1ab056cf68f
Author: Caolán McNamara <caolanm at redhat.com>
Date: Thu Aug 12 11:29:21 2010 +0100
Resolves: rhbz#623609 CVE-2010-2935 CVE-2010-2936
openoffice.org.spec | 5 +-
workspace.impress197.patch | 203 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 207 insertions(+), 1 deletions(-)
---
diff --git a/openoffice.org.spec b/openoffice.org.spec
index 65d4565..bcbf5c5 100644
--- a/openoffice.org.spec
+++ b/openoffice.org.spec
@@ -1,6 +1,6 @@
%define oootag OOO330
%define ooomilestone 3
-%define rh_rpm_release 3
+%define rh_rpm_release 4
# rhbz#465664 jar-repacking breaks help by reordering META-INF/MANIFEST.MF
%define __jar_repack %{nil}
@@ -3783,6 +3783,9 @@ unopkg remove --shared org.openoffice.legacy.ScriptProviderForPython.zip > /dev/
%endif
%changelog
+* Thu Aug 12 2010 Caolán McNamara <caolanm at redhat.com> - 1:3.3.0-3.4
+- Resolves: rhbz#623609 CVE-2010-2935 CVE-2010-2936
+
* Tue Aug 10 2010 Caolán McNamara <caolanm at redhat.com> - 1:3.3.0-3.3
- Resolves: rhbz#620574 Presentation for coccinelle: Start slide is a
complete mess (dtardon)
diff --git a/workspace.impress197.patch b/workspace.impress197.patch
index 226d008..dee04ef 100644
--- a/workspace.impress197.patch
+++ b/workspace.impress197.patch
@@ -16,3 +16,206 @@ diff -r adad3ddc53f1 -r 892165edd2a7 sd/source/core/sdpage.cxx
return pObj;
+diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
+--- a/sd/source/filter/ppt/propread.cxx Fri Aug 06 14:53:07 2010 +0200
++++ b/sd/source/filter/ppt/propread.cxx Mon Aug 09 14:04:21 2010 +0200
+@@ -29,6 +29,7 @@
+ #include "precompiled_sd.hxx"
+ #include <propread.hxx>
+ #include <tools/bigint.hxx>
++#include "tools/debug.hxx"
+ #include "rtl/tencinfo.h"
+ #include "rtl/textenc.h"
+
+@@ -90,6 +91,17 @@
+
+ // -----------------------------------------------------------------------
+
++static xub_StrLen lcl_getMaxSafeStrLen(sal_uInt32 nSize)
++{
++ nSize -= 1; //Drop NULL terminator
++
++ //If it won't fit in a string, clip it to the max size that does
++ if (nSize > STRING_MAXLEN)
++ nSize = STRING_MAXLEN;
++
++ return nSize;
++}
++
+ BOOL PropItem::Read( String& rString, sal_uInt32 nStringType, sal_Bool bAlign )
+ {
+ sal_uInt32 i, nItemSize, nType, nItemPos;
+@@ -108,36 +120,43 @@
+ {
+ case VT_LPSTR :
+ {
+- if ( (sal_uInt16)nItemSize )
++ if ( nItemSize )
+ {
+- sal_Char* pString = new sal_Char[ (sal_uInt16)nItemSize ];
+- if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
++ try
+ {
+- nItemSize >>= 1;
+- if ( (sal_uInt16)nItemSize > 1 )
++ sal_Char* pString = new sal_Char[ nItemSize ];
++ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
+ {
+- sal_Unicode* pWString = (sal_Unicode*)pString;
+- for ( i = 0; i < (sal_uInt16)nItemSize; i++ )
+- *this >> pWString[ i ];
+- rString = String( pWString, (sal_uInt16)nItemSize - 1 );
+- }
+- else
+- rString = String();
+- bRetValue = sal_True;
+- }
+- else
+- {
+- SvMemoryStream::Read( pString, (sal_uInt16)nItemSize );
+- if ( pString[ (sal_uInt16)nItemSize - 1 ] == 0 )
+- {
+- if ( (sal_uInt16)nItemSize > 1 )
+- rString = String( ByteString( pString ), mnTextEnc );
++ nItemSize >>= 1;
++ if ( nItemSize > 1 )
++ {
++ sal_Unicode* pWString = (sal_Unicode*)pString;
++ for ( i = 0; i < nItemSize; i++ )
++ *this >> pWString[ i ];
++ rString = String( pWString, lcl_getMaxSafeStrLen(nItemSize) );
++ }
+ else
+ rString = String();
+ bRetValue = sal_True;
+ }
++ else
++ {
++ SvMemoryStream::Read( pString, nItemSize );
++ if ( pString[ nItemSize - 1 ] == 0 )
++ {
++ if ( nItemSize > 1 )
++ rString = String( ByteString( pString ), mnTextEnc );
++ else
++ rString = String();
++ bRetValue = sal_True;
++ }
++ }
++ delete[] pString;
+ }
+- delete[] pString;
++ catch( const std::bad_alloc& )
++ {
++ DBG_ERROR( "sd PropItem::Read bad alloc" );
++ }
+ }
+ if ( bAlign )
+ SeekRel( ( 4 - ( nItemSize & 3 ) ) & 3 ); // dword align
+@@ -148,18 +167,25 @@
+ {
+ if ( nItemSize )
+ {
+- sal_Unicode* pString = new sal_Unicode[ (sal_uInt16)nItemSize ];
+- for ( i = 0; i < (sal_uInt16)nItemSize; i++ )
+- *this >> pString[ i ];
+- if ( pString[ i - 1 ] == 0 )
++ try
+ {
+- if ( (sal_uInt16)nItemSize > 1 )
+- rString = String( pString, (sal_uInt16)nItemSize - 1 );
+- else
+- rString = String();
+- bRetValue = sal_True;
++ sal_Unicode* pString = new sal_Unicode[ nItemSize ];
++ for ( i = 0; i < nItemSize; i++ )
++ *this >> pString[ i ];
++ if ( pString[ i - 1 ] == 0 )
++ {
++ if ( (sal_uInt16)nItemSize > 1 )
++ rString = String( pString, lcl_getMaxSafeStrLen(nItemSize) );
++ else
++ rString = String();
++ bRetValue = sal_True;
++ }
++ delete[] pString;
+ }
+- delete[] pString;
++ catch( const std::bad_alloc& )
++ {
++ DBG_ERROR( "sd PropItem::Read bad alloc" );
++ }
+ }
+ if ( bAlign && ( nItemSize & 1 ) )
+ SeekRel( 2 ); // dword align
+@@ -349,24 +375,31 @@
+ for ( sal_uInt32 i = 0; i < nDictCount; i++ )
+ {
+ aStream >> nId >> nSize;
+- if ( (sal_uInt16)nSize )
++ if ( nSize )
+ {
+ String aString;
+ nPos = aStream.Tell();
+- sal_Char* pString = new sal_Char[ (sal_uInt16)nSize ];
+- aStream.Read( pString, (sal_uInt16)nSize );
+- if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
++ try
+ {
+- nSize >>= 1;
+- aStream.Seek( nPos );
+- sal_Unicode* pWString = (sal_Unicode*)pString;
+- for ( i = 0; i < (sal_uInt16)nSize; i++ )
+- aStream >> pWString[ i ];
+- aString = String( pWString, (sal_uInt16)nSize - 1 );
++ sal_Char* pString = new sal_Char[ nSize ];
++ aStream.Read( pString, nSize );
++ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
++ {
++ nSize >>= 1;
++ aStream.Seek( nPos );
++ sal_Unicode* pWString = (sal_Unicode*)pString;
++ for ( i = 0; i < nSize; i++ )
++ aStream >> pWString[ i ];
++ aString = String( pWString, lcl_getMaxSafeStrLen(nSize) );
++ }
++ else
++ aString = String( ByteString( pString, lcl_getMaxSafeStrLen(nSize) ), mnTextEnc );
++ delete[] pString;
+ }
+- else
+- aString = String( ByteString( pString, (sal_uInt16)nSize - 1 ), mnTextEnc );
+- delete[] pString;
++ catch( const std::bad_alloc& )
++ {
++ DBG_ERROR( "sd Section::GetDictionary bad alloc" );
++ }
+ if ( !aString.Len() )
+ break;
+ aDict.AddProperty( nId, aString );
+@@ -500,6 +533,11 @@
+ }
+ if ( nPropSize )
+ {
++ if ( nPropSize > nStrmSize )
++ {
++ nPropCount = 0;
++ break;
++ }
+ pStrm->Seek( nPropOfs + nSecOfs );
+ sal_uInt8* pBuf = new sal_uInt8[ nPropSize ];
+ pStrm->Read( pBuf, nPropSize );
+diff -r 5b1ceed28385 tools/source/generic/poly.cxx
+--- a/tools/source/generic/poly.cxx Fri Aug 06 14:53:07 2010 +0200
++++ b/tools/source/generic/poly.cxx Mon Aug 09 14:04:21 2010 +0200
+@@ -243,6 +243,11 @@
+ void ImplPolygon::ImplSplit( USHORT nPos, USHORT nSpace, ImplPolygon* pInitPoly )
+ {
+ const ULONG nSpaceSize = nSpace * sizeof( Point );
++
++ //Can't fit this in :-(, throw ?
++ if (mnPoints + nSpace > USHRT_MAX)
++ return;
++
+ const USHORT nNewSize = mnPoints + nSpace;
+
+ if( nPos >= mnPoints )
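Review bot: `lcl_getMaxSafeStrLen` wraps when it is handed 0, and the `Section::GetDictionary` hunk of the embedded propread.cxx patch can hand it 0: with `mnTextEnc == RTL_TEXTENCODING_UCS2`, an `nSize` of 1 passes `if ( nSize )`, is halved to 0 by `nSize >>= 1`, and the helper's `nSize -= 1` then underflows and is clipped to `STRING_MAXLEN`, so `String( pWString, … )` is given a length far larger than the one-byte buffer. An early `if (nSize == 0) return 0;` before the decrement would close this for every caller. In the same hunk the inner `for ( i = 0; i < nSize; i++ )` appears to reuse the `i` of the enclosing `for ( sal_uInt32 i = 0; i < nDictCount; i++ )`, so the dictionary entry count is disturbed after each UCS2 string; a separately named index would avoid that. The VT_LPWSTR case of `PropItem::Read` still tests `(sal_uInt16)nItemSize > 1`, which should read `if ( nItemSize > 1 )` to match the other checks that lost their truncating cast. None of these string lengths is compared with the bytes remaining in the stream before `new[]`, unlike the `nPropSize > nStrmSize` check added further down; the enclosing functions start and end outside the hunks shown.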