[openoffice.org/f12/master] Resolves: rhbz#623609 CVE-2010-2935 CVE-2010-2936
Caolan McNamara
caolanm at fedoraproject.org
Thu Aug 12 10:37:42 UTC 2010
commit 58de198a6f80ba7852851519d5486855c79b6bfa
Author: Caolán McNamara <caolanm at redhat.com>
Date: Thu Aug 12 11:37:27 2010 +0100
Resolves: rhbz#623609 CVE-2010-2935 CVE-2010-2936
openoffice.org.spec | 7 +-
workspace.impress197.patch | 221 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 227 insertions(+), 1 deletions(-)
---
diff --git a/openoffice.org.spec b/openoffice.org.spec
index a04861d..2e8c2ce 100644
--- a/openoffice.org.spec
+++ b/openoffice.org.spec
@@ -1,6 +1,6 @@
%define oootag OOO310
%define ooomilestone 19
-%define rh_rpm_release 34
+%define rh_rpm_release 35
# rhbz#465664 jar-repacking breaks help by reordering META-INF/MANIFEST.MF
%define __jar_repack %{nil}
@@ -213,6 +213,7 @@ Patch134: workspace.vcl112.patch
Patch135: openoffice.org-3.2.1.pyuno.patch
Patch136: workspace.gtkfpicker9.patch
Patch137: openoffice.org-3.3.0.ooo112657.sw.rtf.dont-crash-on-merged-cells-without-clmgf.patch
+Patch138: workspace.impress197.patch
%define python_py_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(0)")
%define instdir %{_libdir}
@@ -1819,6 +1820,7 @@ cat %{PATCH11} >> svtools/source/dialogs/localize.sdf
%patch135 -p0 -b .pyuno.patch
%patch136 -p0 -b .workspace.gtkfpicker9.patch
%patch137 -p1 -b .ooo112657.sw.rtf.dont-crash-on-merged-cells-without-clmgf.patch
+%patch138 -p1 -b .workspace.impress197.patch
%build
echo build start time is `date`, diskspace: `df -h . | tail -n 1`
@@ -4364,6 +4366,9 @@ fi
unopkg list --shared > /dev/null 2>&1 || :
%changelog
+* Thu Aug 12 2010 Caolán McNamara <caolanm at redhat.com> - 1:3.1.1-19.35
+- Resolves: rhbz#623609 CVE-2010-2935 CVE-2010-2936
+
* Sat Jul 03 2010 Caolán McNamara <caolanm at redhat.com> - 1:3.1.1-19.34
- Resolves: rhbz#566831 [abrt] crash in GetFrmSize (dtardon)
diff --git a/workspace.impress197.patch b/workspace.impress197.patch
new file mode 100644
index 0000000..dee04ef
--- /dev/null
+++ b/workspace.impress197.patch
@@ -0,0 +1,221 @@
+changeset: 271161:892165edd2a7
+user: Christian Lippka <christian.lippka at sun.com>
+date: Wed Aug 04 10:48:35 2010 +0200
+summary: #i113603# only change layout shape size on init or of user call is set
+
+diff -r adad3ddc53f1 -r 892165edd2a7 sd/source/core/sdpage.cxx
+--- a/sd/source/core/sdpage.cxx Tue Jul 27 13:55:29 2010 +0200
++++ b/sd/source/core/sdpage.cxx Wed Aug 04 10:48:35 2010 +0200
+@@ -2355,7 +2355,7 @@
+ }
+ }
+
+- if ( pObj && ( pObj->IsEmptyPresObj() || !pObj->ISA(SdrGrafObj) ) )
++ if ( pObj && (pObj->GetUserCall() || bInit) && ( pObj->IsEmptyPresObj() || !pObj->ISA(SdrGrafObj) ) )
+ pObj->AdjustToMaxRect( aRect );
+
+ return pObj;
+
+diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
+--- a/sd/source/filter/ppt/propread.cxx Fri Aug 06 14:53:07 2010 +0200
++++ b/sd/source/filter/ppt/propread.cxx Mon Aug 09 14:04:21 2010 +0200
+@@ -29,6 +29,7 @@
+ #include "precompiled_sd.hxx"
+ #include <propread.hxx>
+ #include <tools/bigint.hxx>
++#include "tools/debug.hxx"
+ #include "rtl/tencinfo.h"
+ #include "rtl/textenc.h"
+
+@@ -90,6 +91,17 @@
+
+ // -----------------------------------------------------------------------
+
++static xub_StrLen lcl_getMaxSafeStrLen(sal_uInt32 nSize)
++{
++ nSize -= 1; //Drop NULL terminator
++
++ //If it won't fit in a string, clip it to the max size that does
++ if (nSize > STRING_MAXLEN)
++ nSize = STRING_MAXLEN;
++
++ return nSize;
++}
++
+ BOOL PropItem::Read( String& rString, sal_uInt32 nStringType, sal_Bool bAlign )
+ {
+ sal_uInt32 i, nItemSize, nType, nItemPos;
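Review bot: lcl_getMaxSafeStrLen does not handle nSize == 0: `nSize -= 1` wraps to 0xFFFFFFFF and the clip then returns STRING_MAXLEN instead of 0. The two call sites in PropItem::Read are guarded by `> 1` checks, but the UCS2 branch in the Section::GetDictionary hunk calls it right after `nSize >>= 1` with no such guard. A stored size of 1 would therefore ask String to copy STRING_MAXLEN characters out of a one-byte buffer. Starting the helper with `if (!nSize) return 0;` makes it safe for every caller, and a one-line comment saying that nSize counts characters including the terminator would document the contract.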
+@@ -108,36 +120,43 @@
+ {
+ case VT_LPSTR :
+ {
+- if ( (sal_uInt16)nItemSize )
++ if ( nItemSize )
+ {
+- sal_Char* pString = new sal_Char[ (sal_uInt16)nItemSize ];
+- if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
++ try
+ {
+- nItemSize >>= 1;
+- if ( (sal_uInt16)nItemSize > 1 )
++ sal_Char* pString = new sal_Char[ nItemSize ];
++ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
+ {
+- sal_Unicode* pWString = (sal_Unicode*)pString;
+- for ( i = 0; i < (sal_uInt16)nItemSize; i++ )
+- *this >> pWString[ i ];
+- rString = String( pWString, (sal_uInt16)nItemSize - 1 );
+- }
+- else
+- rString = String();
+- bRetValue = sal_True;
+- }
+- else
+- {
+- SvMemoryStream::Read( pString, (sal_uInt16)nItemSize );
+- if ( pString[ (sal_uInt16)nItemSize - 1 ] == 0 )
+- {
+- if ( (sal_uInt16)nItemSize > 1 )
+- rString = String( ByteString( pString ), mnTextEnc );
++ nItemSize >>= 1;
++ if ( nItemSize > 1 )
++ {
++ sal_Unicode* pWString = (sal_Unicode*)pString;
++ for ( i = 0; i < nItemSize; i++ )
++ *this >> pWString[ i ];
++ rString = String( pWString, lcl_getMaxSafeStrLen(nItemSize) );
++ }
+ else
+ rString = String();
+ bRetValue = sal_True;
+ }
++ else
++ {
++ SvMemoryStream::Read( pString, nItemSize );
++ if ( pString[ nItemSize - 1 ] == 0 )
++ {
++ if ( nItemSize > 1 )
++ rString = String( ByteString( pString ), mnTextEnc );
++ else
++ rString = String();
++ bRetValue = sal_True;
++ }
++ }
++ delete[] pString;
+ }
+- delete[] pString;
++ catch( const std::bad_alloc& )
++ {
++ DBG_ERROR( "sd PropItem::Read bad alloc" );
++ }
+ }
+ if ( bAlign )
+ SeekRel( ( 4 - ( nItemSize & 3 ) ) & 3 ); // dword align
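Review bot: The VT_LPSTR branch now allocates the full 32-bit nItemSize taken from the file without comparing it with the data actually left in the stream, and the result of `SvMemoryStream::Read( pString, nItemSize )` is not checked. After a short read, `pString[ nItemSize - 1 ]` tests uninitialised memory, and a large bogus size costs a large allocation before anything is rejected; catching std::bad_alloc covers only the case where the allocation fails. Checking the size against the remaining bytes before `new`, in the spirit of the later `nPropSize > nStrmSize` test, and requiring the read to return nItemSize would close both gaps. The same applies to the VT_LPWSTR hunk and to `aStream.Read( pString, nSize )` in the GetDictionary hunk. PropItem::Read starts and ends outside this hunk.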
+@@ -148,18 +167,25 @@
+ {
+ if ( nItemSize )
+ {
+- sal_Unicode* pString = new sal_Unicode[ (sal_uInt16)nItemSize ];
+- for ( i = 0; i < (sal_uInt16)nItemSize; i++ )
+- *this >> pString[ i ];
+- if ( pString[ i - 1 ] == 0 )
++ try
+ {
+- if ( (sal_uInt16)nItemSize > 1 )
+- rString = String( pString, (sal_uInt16)nItemSize - 1 );
+- else
+- rString = String();
+- bRetValue = sal_True;
++ sal_Unicode* pString = new sal_Unicode[ nItemSize ];
++ for ( i = 0; i < nItemSize; i++ )
++ *this >> pString[ i ];
++ if ( pString[ i - 1 ] == 0 )
++ {
++ if ( (sal_uInt16)nItemSize > 1 )
++ rString = String( pString, lcl_getMaxSafeStrLen(nItemSize) );
++ else
++ rString = String();
++ bRetValue = sal_True;
++ }
++ delete[] pString;
+ }
+- delete[] pString;
++ catch( const std::bad_alloc& )
++ {
++ DBG_ERROR( "sd PropItem::Read bad alloc" );
++ }
+ }
+ if ( bAlign && ( nItemSize & 1 ) )
+ SeekRel( 2 ); // dword align
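Review bot: One truncating cast is left in the VT_LPWSTR branch: `if ( (sal_uInt16)nItemSize > 1 )` still looks only at the low 16 bits, so a length such as 0x10000 yields an empty string even though the characters were read and the terminator was found. It should read `if ( nItemSize > 1 )`, matching the VT_LPSTR branch. Separately, `new sal_Unicode[ nItemSize ]` multiplies a file-supplied count by the element size; where size_t is 32 bits and the compiler does not check array-new overflow, that product could wrap, so an upper bound on nItemSize before the allocation is worth adding.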
+@@ -349,24 +375,31 @@
+ for ( sal_uInt32 i = 0; i < nDictCount; i++ )
+ {
+ aStream >> nId >> nSize;
+- if ( (sal_uInt16)nSize )
++ if ( nSize )
+ {
+ String aString;
+ nPos = aStream.Tell();
+- sal_Char* pString = new sal_Char[ (sal_uInt16)nSize ];
+- aStream.Read( pString, (sal_uInt16)nSize );
+- if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
++ try
+ {
+- nSize >>= 1;
+- aStream.Seek( nPos );
+- sal_Unicode* pWString = (sal_Unicode*)pString;
+- for ( i = 0; i < (sal_uInt16)nSize; i++ )
+- aStream >> pWString[ i ];
+- aString = String( pWString, (sal_uInt16)nSize - 1 );
++ sal_Char* pString = new sal_Char[ nSize ];
++ aStream.Read( pString, nSize );
++ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
++ {
++ nSize >>= 1;
++ aStream.Seek( nPos );
++ sal_Unicode* pWString = (sal_Unicode*)pString;
++ for ( i = 0; i < nSize; i++ )
++ aStream >> pWString[ i ];
++ aString = String( pWString, lcl_getMaxSafeStrLen(nSize) );
++ }
++ else
++ aString = String( ByteString( pString, lcl_getMaxSafeStrLen(nSize) ), mnTextEnc );
++ delete[] pString;
+ }
+- else
+- aString = String( ByteString( pString, (sal_uInt16)nSize - 1 ), mnTextEnc );
+- delete[] pString;
++ catch( const std::bad_alloc& )
++ {
++ DBG_ERROR( "sd Section::GetDictionary bad alloc" );
++ }
+ if ( !aString.Len() )
+ break;
+ aDict.AddProperty( nId, aString );
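Review bot: The inner copy loop `for ( i = 0; i < nSize; i++ )` reuses the counter of the enclosing `for ( sal_uInt32 i = 0; i < nDictCount; i++ )`, so after a UCS2 entry the outer loop resumes from nSize rather than from the next dictionary index. The old (sal_uInt16) cast limited how far i could jump; with the cast removed, the jump is bounded only by the file-supplied size. A separate index avoids it: `for ( sal_uInt32 j = 0; j < nSize; j++ ) aStream >> pWString[ j ];`. The enclosing function starts and ends outside this hunk.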
+@@ -500,6 +533,11 @@
+ }
+ if ( nPropSize )
+ {
++ if ( nPropSize > nStrmSize )
++ {
++ nPropCount = 0;
++ break;
++ }
+ pStrm->Seek( nPropOfs + nSecOfs );
+ sal_uInt8* pBuf = new sal_uInt8[ nPropSize ];
+ pStrm->Read( pBuf, nPropSize );
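Review bot: The new `nPropSize > nStrmSize` test bounds the property size by what appears to be the whole stream length (nStrmSize is defined outside the hunk), not by the bytes remaining after `nPropOfs + nSecOfs`, and `pStrm->Read( pBuf, nPropSize )` is still unchecked. A property that starts near the end of the stream can therefore pass the test and leave the tail of pBuf uninitialised. Comparing against the remaining length and treating a short read as a parse failure would complete the check. A short comment explaining that an oversized property aborts the section would help the next reader.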
+diff -r 5b1ceed28385 tools/source/generic/poly.cxx
+--- a/tools/source/generic/poly.cxx Fri Aug 06 14:53:07 2010 +0200
++++ b/tools/source/generic/poly.cxx Mon Aug 09 14:04:21 2010 +0200
+@@ -243,6 +243,11 @@
+ void ImplPolygon::ImplSplit( USHORT nPos, USHORT nSpace, ImplPolygon* pInitPoly )
+ {
+ const ULONG nSpaceSize = nSpace * sizeof( Point );
++
++ //Can't fit this in :-(, throw ?
++ if (mnPoints + nSpace > USHRT_MAX)
++ return;
++
+ const USHORT nNewSize = mnPoints + nSpace;
+
+ if( nPos >= mnPoints )
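Review bot: The overflow guard `if (mnPoints + nSpace > USHRT_MAX) return;` makes ImplSplit fail silently, and its own comment ("throw ?") leaves the contract undecided. The callers are outside this hunk; any caller that goes on to write into the nSpace slots it asked for would index past the unchanged point array. Because the function returns void, the comment should at least state the behaviour, e.g. `// No-op if the result would exceed USHRT_MAX points; callers must re-check mnPoints before writing`. The rest of ImplSplit lies outside the hunk.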