[openoffice.org/f13/master] Resolves: rhbz#623609 CVE-2010-2935 CVE-2010-2936
Caolan McNamara
caolanm at fedoraproject.org
Thu Aug 12 10:58:21 UTC 2010
commit 1fe004e616ad1c33c49cbab62daafd12004ab9a0
Author: Caolán McNamara <caolanm at redhat.com>
Date: Thu Aug 12 11:58:08 2010 +0100
Resolves: rhbz#623609 CVE-2010-2935 CVE-2010-2936
workspace.impress197.patch | 71 ++++++++++++++++---------------------------
1 files changed, 27 insertions(+), 44 deletions(-)
---
diff --git a/workspace.impress197.patch b/workspace.impress197.patch
index dee04ef..e736561 100644
--- a/workspace.impress197.patch
+++ b/workspace.impress197.patch
@@ -1,25 +1,7 @@
-changeset: 271161:892165edd2a7
-user: Christian Lippka <christian.lippka at sun.com>
-date: Wed Aug 04 10:48:35 2010 +0200
-summary: #i113603# only change layout shape size on init or of user call is set
-
-diff -r adad3ddc53f1 -r 892165edd2a7 sd/source/core/sdpage.cxx
---- a/sd/source/core/sdpage.cxx Tue Jul 27 13:55:29 2010 +0200
-+++ b/sd/source/core/sdpage.cxx Wed Aug 04 10:48:35 2010 +0200
-@@ -2355,7 +2355,7 @@
- }
- }
-
-- if ( pObj && ( pObj->IsEmptyPresObj() || !pObj->ISA(SdrGrafObj) ) )
-+ if ( pObj && (pObj->GetUserCall() || bInit) && ( pObj->IsEmptyPresObj() || !pObj->ISA(SdrGrafObj) ) )
- pObj->AdjustToMaxRect( aRect );
-
- return pObj;
-
diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
--- a/sd/source/filter/ppt/propread.cxx Fri Aug 06 14:53:07 2010 +0200
+++ b/sd/source/filter/ppt/propread.cxx Mon Aug 09 14:04:21 2010 +0200
-@@ -29,6 +29,7 @@
+@@ -32,6 +32,7 @@
#include "precompiled_sd.hxx"
#include <propread.hxx>
#include <tools/bigint.hxx>
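Review bot: After this hunk the patch file starts directly at `diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx`, so nothing in the file records where the remaining propread.cxx and poly.cxx changes come from. The removed #i113603# section had a changeset/user/date/summary header; the part that is kept has none. I would add a short header at the top, for example `# Upstream: <upstream changeset or issue id>, fixes CVE-2010-2935 CVE-2010-2936`, so the fix can later be traced and checked against upstream. The commit message also does not say why the sdpage.cxx change is dropped; a one-line reason there would help, presumably that it is unrelated to the CVE fix or is carried in another patch.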
@@ -27,7 +9,7 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
#include "rtl/tencinfo.h"
#include "rtl/textenc.h"
-@@ -90,6 +91,17 @@
+@@ -93,6 +94,17 @@
// -----------------------------------------------------------------------
@@ -45,7 +27,7 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
BOOL PropItem::Read( String& rString, sal_uInt32 nStringType, sal_Bool bAlign )
{
sal_uInt32 i, nItemSize, nType, nItemPos;
-@@ -108,36 +120,43 @@
+@@ -111,36 +123,43 @@
{
case VT_LPSTR :
{
@@ -54,13 +36,10 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
{
- sal_Char* pString = new sal_Char[ (sal_uInt16)nItemSize ];
- if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
-+ try
- {
+- {
- nItemSize >>= 1;
- if ( (sal_uInt16)nItemSize > 1 )
-+ sal_Char* pString = new sal_Char[ nItemSize ];
-+ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
- {
+- {
- sal_Unicode* pWString = (sal_Unicode*)pString;
- for ( i = 0; i < (sal_uInt16)nItemSize; i++ )
- *this >> pWString[ i ];
@@ -71,10 +50,13 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
- bRetValue = sal_True;
- }
- else
-- {
++ try
+ {
- SvMemoryStream::Read( pString, (sal_uInt16)nItemSize );
- if ( pString[ (sal_uInt16)nItemSize - 1 ] == 0 )
-- {
++ sal_Char* pString = new sal_Char[ nItemSize ];
++ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
+ {
- if ( (sal_uInt16)nItemSize > 1 )
- rString = String( ByteString( pString ), mnTextEnc );
+ nItemSize >>= 1;
@@ -102,16 +84,16 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
+ }
+ }
+ delete[] pString;
- }
-- delete[] pString;
++ }
+ catch( const std::bad_alloc& )
+ {
+ DBG_ERROR( "sd PropItem::Read bad alloc" );
-+ }
+ }
+- delete[] pString;
}
if ( bAlign )
SeekRel( ( 4 - ( nItemSize & 3 ) ) & 3 ); // dword align
-@@ -148,18 +167,25 @@
+@@ -151,18 +170,25 @@
{
if ( nItemSize )
{
@@ -138,16 +120,16 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
+ bRetValue = sal_True;
+ }
+ delete[] pString;
- }
-- delete[] pString;
++ }
+ catch( const std::bad_alloc& )
+ {
+ DBG_ERROR( "sd PropItem::Read bad alloc" );
-+ }
+ }
+- delete[] pString;
}
if ( bAlign && ( nItemSize & 1 ) )
SeekRel( 2 ); // dword align
-@@ -349,24 +375,31 @@
+@@ -352,24 +378,31 @@
for ( sal_uInt32 i = 0; i < nDictCount; i++ )
{
aStream >> nId >> nSize;
@@ -159,14 +141,15 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
- sal_Char* pString = new sal_Char[ (sal_uInt16)nSize ];
- aStream.Read( pString, (sal_uInt16)nSize );
- if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
-+ try
- {
+- {
- nSize >>= 1;
- aStream.Seek( nPos );
- sal_Unicode* pWString = (sal_Unicode*)pString;
- for ( i = 0; i < (sal_uInt16)nSize; i++ )
- aStream >> pWString[ i ];
- aString = String( pWString, (sal_uInt16)nSize - 1 );
++ try
++ {
+ sal_Char* pString = new sal_Char[ nSize ];
+ aStream.Read( pString, nSize );
+ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
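Review bot: In the patched Section::GetDictionary code, `new sal_Char[ nSize ]` is followed by `aStream.Read( pString, nSize )` with the return value ignored. nSize appears to come straight from the file (`aStream >> nId >> nSize` in the preceding context), so the only limit on the allocation is the `std::bad_alloc` handler. If the stream holds fewer than nSize bytes, the tail of pString stays uninitialised and may be copied into aString, depending on what lcl_getMaxSafeStrLen does; its definition is not visible here. I would compare the read count, e.g. `if ( aStream.Read( pString, nSize ) != nSize ) { delete[] pString; break; }`, or bound nSize by the bytes remaining in the stream before allocating. The `new sal_Char[ nItemSize ]` in PropItem::Read (hunk `@@ -71,10 +50,13 @@`) follows the same allocate-then-catch pattern and would benefit from the same bound. Both function bodies start and end outside these hunks.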
@@ -181,18 +164,18 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
+ else
+ aString = String( ByteString( pString, lcl_getMaxSafeStrLen(nSize) ), mnTextEnc );
+ delete[] pString;
++ }
++ catch( const std::bad_alloc& )
++ {
++ DBG_ERROR( "sd Section::GetDictionary bad alloc" );
}
- else
- aString = String( ByteString( pString, (sal_uInt16)nSize - 1 ), mnTextEnc );
- delete[] pString;
-+ catch( const std::bad_alloc& )
-+ {
-+ DBG_ERROR( "sd Section::GetDictionary bad alloc" );
-+ }
if ( !aString.Len() )
break;
aDict.AddProperty( nId, aString );
-@@ -500,6 +533,11 @@
+@@ -503,6 +536,11 @@
}
if ( nPropSize )
{
@@ -207,7 +190,7 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
diff -r 5b1ceed28385 tools/source/generic/poly.cxx
--- a/tools/source/generic/poly.cxx Fri Aug 06 14:53:07 2010 +0200
+++ b/tools/source/generic/poly.cxx Mon Aug 09 14:04:21 2010 +0200
-@@ -243,6 +243,11 @@
+@@ -246,6 +246,11 @@
void ImplPolygon::ImplSplit( USHORT nPos, USHORT nSpace, ImplPolygon* pInitPoly )
{
const ULONG nSpaceSize = nSpace * sizeof( Point );