[openoffice.org/f12/master] Resolves: rhbz#623609 CVE-2010-2935 CVE-2010-2936
Caolan McNamara
caolanm at fedoraproject.org
Thu Aug 12 11:20:24 UTC 2010
commit 1bc9c8b59a5ca242291fe82ae62b6db92bb79913
Author: Caolán McNamara <caolanm at redhat.com>
Date: Thu Aug 12 12:20:21 2010 +0100
Resolves: rhbz#623609 CVE-2010-2935 CVE-2010-2936
workspace.impress197.patch | 75 +++++++++++++++++---------------------------
1 files changed, 29 insertions(+), 46 deletions(-)
---
diff --git a/workspace.impress197.patch b/workspace.impress197.patch
index dee04ef..aa3a2f1 100644
--- a/workspace.impress197.patch
+++ b/workspace.impress197.patch
@@ -1,25 +1,7 @@
-changeset: 271161:892165edd2a7
-user: Christian Lippka <christian.lippka at sun.com>
-date: Wed Aug 04 10:48:35 2010 +0200
-summary: #i113603# only change layout shape size on init or of user call is set
-
-diff -r adad3ddc53f1 -r 892165edd2a7 sd/source/core/sdpage.cxx
---- a/sd/source/core/sdpage.cxx Tue Jul 27 13:55:29 2010 +0200
-+++ b/sd/source/core/sdpage.cxx Wed Aug 04 10:48:35 2010 +0200
-@@ -2355,7 +2355,7 @@
- }
- }
-
-- if ( pObj && ( pObj->IsEmptyPresObj() || !pObj->ISA(SdrGrafObj) ) )
-+ if ( pObj && (pObj->GetUserCall() || bInit) && ( pObj->IsEmptyPresObj() || !pObj->ISA(SdrGrafObj) ) )
- pObj->AdjustToMaxRect( aRect );
-
- return pObj;
-
-diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
---- a/sd/source/filter/ppt/propread.cxx Fri Aug 06 14:53:07 2010 +0200
-+++ b/sd/source/filter/ppt/propread.cxx Mon Aug 09 14:04:21 2010 +0200
-@@ -29,6 +29,7 @@
+diff -r 5b1ceed28385 sd/source/filter/propread.cxx
+--- a/sd/source/filter/propread.cxx Fri Aug 06 14:53:07 2010 +0200
++++ b/sd/source/filter/propread.cxx Mon Aug 09 14:04:21 2010 +0200
+@@ -32,6 +32,7 @@
#include "precompiled_sd.hxx"
#include <propread.hxx>
#include <tools/bigint.hxx>
@@ -27,7 +9,7 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
#include "rtl/tencinfo.h"
#include "rtl/textenc.h"
-@@ -90,6 +91,17 @@
+@@ -93,6 +94,17 @@
// -----------------------------------------------------------------------
@@ -45,7 +27,7 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
BOOL PropItem::Read( String& rString, sal_uInt32 nStringType, sal_Bool bAlign )
{
sal_uInt32 i, nItemSize, nType, nItemPos;
-@@ -108,36 +120,43 @@
+@@ -111,36 +123,43 @@
{
case VT_LPSTR :
{
@@ -54,13 +36,10 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
{
- sal_Char* pString = new sal_Char[ (sal_uInt16)nItemSize ];
- if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
-+ try
- {
+- {
- nItemSize >>= 1;
- if ( (sal_uInt16)nItemSize > 1 )
-+ sal_Char* pString = new sal_Char[ nItemSize ];
-+ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
- {
+- {
- sal_Unicode* pWString = (sal_Unicode*)pString;
- for ( i = 0; i < (sal_uInt16)nItemSize; i++ )
- *this >> pWString[ i ];
@@ -71,10 +50,13 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
- bRetValue = sal_True;
- }
- else
-- {
++ try
+ {
- SvMemoryStream::Read( pString, (sal_uInt16)nItemSize );
- if ( pString[ (sal_uInt16)nItemSize - 1 ] == 0 )
-- {
++ sal_Char* pString = new sal_Char[ nItemSize ];
++ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
+ {
- if ( (sal_uInt16)nItemSize > 1 )
- rString = String( ByteString( pString ), mnTextEnc );
+ nItemSize >>= 1;
@@ -102,16 +84,16 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
+ }
+ }
+ delete[] pString;
- }
-- delete[] pString;
++ }
+ catch( const std::bad_alloc& )
+ {
+ DBG_ERROR( "sd PropItem::Read bad alloc" );
-+ }
+ }
+- delete[] pString;
}
if ( bAlign )
SeekRel( ( 4 - ( nItemSize & 3 ) ) & 3 ); // dword align
-@@ -148,18 +167,25 @@
+@@ -151,18 +170,25 @@
{
if ( nItemSize )
{
@@ -138,16 +120,16 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
+ bRetValue = sal_True;
+ }
+ delete[] pString;
- }
-- delete[] pString;
++ }
+ catch( const std::bad_alloc& )
+ {
+ DBG_ERROR( "sd PropItem::Read bad alloc" );
-+ }
+ }
+- delete[] pString;
}
if ( bAlign && ( nItemSize & 1 ) )
SeekRel( 2 ); // dword align
-@@ -349,24 +375,31 @@
+@@ -352,24 +378,31 @@
for ( sal_uInt32 i = 0; i < nDictCount; i++ )
{
aStream >> nId >> nSize;
@@ -159,14 +141,15 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
- sal_Char* pString = new sal_Char[ (sal_uInt16)nSize ];
- aStream.Read( pString, (sal_uInt16)nSize );
- if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
-+ try
- {
+- {
- nSize >>= 1;
- aStream.Seek( nPos );
- sal_Unicode* pWString = (sal_Unicode*)pString;
- for ( i = 0; i < (sal_uInt16)nSize; i++ )
- aStream >> pWString[ i ];
- aString = String( pWString, (sal_uInt16)nSize - 1 );
++ try
++ {
+ sal_Char* pString = new sal_Char[ nSize ];
+ aStream.Read( pString, nSize );
+ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
@@ -181,18 +164,18 @@ diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
+ else
+ aString = String( ByteString( pString, lcl_getMaxSafeStrLen(nSize) ), mnTextEnc );
+ delete[] pString;
++ }
++ catch( const std::bad_alloc& )
++ {
++ DBG_ERROR( "sd Section::GetDictionary bad alloc" );
}
- else
- aString = String( ByteString( pString, (sal_uInt16)nSize - 1 ), mnTextEnc );
- delete[] pString;
-+ catch( const std::bad_alloc& )
-+ {
-+ DBG_ERROR( "sd Section::GetDictionary bad alloc" );
-+ }
if ( !aString.Len() )
break;
aDict.AddProperty( nId, aString );
-@@ -500,6 +533,11 @@
+@@ -503,6 +536,11 @@
}
if ( nPropSize )
{
More information about the scm-commits
mailing list