[openoffice.org/f13/master] CVE-2010-3450, CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454, CVE-2010-3689, CVE-2010-4
Caolan McNamara
caolanm at fedoraproject.org
Thu Jan 27 09:02:01 UTC 2011
commit 0e950269c08db3ba54b07f2abcd23e43b91df2e5
Author: Caolán McNamara <caolanm at redhat.com>
Date: Thu Jan 27 09:01:49 2011 +0000
CVE-2010-3450, CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454, CVE-2010-3689, CVE-2010-4253, CVE-2010-4643
openoffice.org.spec | 16 +++-
workspace.hb22.patch | 296 ++++++++++++++++++++++++++++++++++++++++++++
workspace.impress208.patch | 112 +++++++++++++++++
workspace.mav56.patch | 200 ++++++++++++++++++++++++++++++
workspace.os145.patch | 122 ++++++++++++++++++
5 files changed, 745 insertions(+), 1 deletions(-)
---
diff --git a/openoffice.org.spec b/openoffice.org.spec
index f41ecb3..6f0689d 100644
--- a/openoffice.org.spec
+++ b/openoffice.org.spec
@@ -185,6 +185,10 @@ Patch114: 0001-rhbz-648475-crash-in-scanner-dialog-reset-link-in-dt.patch
Patch115: 0001-Resolves-rhbz-657628-divide-by-zero.patch
Patch116: 0001-Resolves-rhbz-657718-Crash-in-SwObjectFormatterTxtFr.patch
Patch117: workspace.jl155.patch
+Patch118: workspace.mav56.patch
+Patch119: workspace.hb22.patch
+Patch120: workspace.os145.patch
+Patch121: workspace.impress208.patch
%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%define instdir %{_libdir}
@@ -1800,6 +1804,10 @@ cp -p %{SOURCE5} external/unowinreg/unowinreg.dll
%patch115 -p1 -b .rhbz-657628-divide-by-zero.patch
%patch116 -p1 -b .rhbz-657718-Crash-in-SwObjectFormatterTxtFr.patch
%patch117 -p1 -b .workspace.jl155.patch
+%patch118 -p1 -b .workspace.mav56.patch
+%patch119 -p1 -b .workspace.hb22.patch
+%patch120 -p1 -b .workspace.os145.patch
+%patch121 -p1 -b .workspace.impress208.patch
%build
echo build start time is `date`, diskspace: `df -h . | tail -n 1`
@@ -4285,7 +4293,13 @@ fi
%endif
%changelog
-* Tue Dec 16 2010 Caolán McNamara <caolanm at redhat.com>- 1:3.2.0-12.35-UNBUILT
+* Thu Jan 27 2011 Caolán McNamara <caolanm at redhat.com>- 1:3.2.0-12.35
+- CVE-2010-3450 Extensions and filter package files
+- CVE-2010-3451 / CVE-2010-3452 RTF documents
+- CVE-2010-3453 / CVE-2010-3454 Word documents
+- CVE-2010-3689 LD_LIBRARY_PATH usage
+- CVE-2010-4253 PNG graphics
+- CVE-2010-4643 TGA graphics
- Resolves: rhbz#648475 Crash in scanner dialog
- Resolves: rhbz#657628 divide-by-zero
- Resolves: rhbz#657718 Crash in SwObjectFormatterTxtFrm
diff --git a/workspace.hb22.patch b/workspace.hb22.patch
new file mode 100644
index 0000000..7cb7e0c
--- /dev/null
+++ b/workspace.hb22.patch
@@ -0,0 +1,296 @@
+import workspace.hb22.patch
+
+diff -r f05c22a99382 binfilter/bf_sw/source/core/docnode/sw_ndtbl.cxx
+--- a/binfilter/bf_sw/source/core/docnode/sw_ndtbl.cxx Tue Aug 10 11:05:20 2010 +0200
++++ b/binfilter/bf_sw/source/core/docnode/sw_ndtbl.cxx Wed Oct 13 12:56:23 2010 +0200
+@@ -273,7 +273,13 @@
+ SwEndNode* pEndNd = new SwEndNode( aEndIdx, *pSttNd );
+
+ pPrvBox = new SwTableBox( pBoxFmt, *pSttNd, pLine );
+- pLine->GetTabBoxes().C40_INSERT( SwTableBox, pPrvBox, nInsPos + n );
++
++ SwTableBoxes & rTabBoxes = pLine->GetTabBoxes();
++ USHORT nRealInsPos = nInsPos + n;
++ if (nRealInsPos > rTabBoxes.Count())
++ nRealInsPos = rTabBoxes.Count();
++
++ rTabBoxes.C40_INSERT( SwTableBox, pPrvBox, nRealInsPos );
+
+ if( NO_NUMBERING == pTxtColl->GetOutlineLevel()
+ //FEATURE::CONDCOLL
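Review bot: `USHORT nRealInsPos = nInsPos + n;` truncates the sum to 16 bits before the bounds test, so a sum that wraps passes the clamp and inserts at an unintended, though in-range, position; the operand types are declared outside the hunk, so this needs confirming. The clamp also accepts a malformed table silently, which makes the cause hard to trace later. I would add a comment such as `// malformed input can give an insert position past the end of the line; append instead` and an assertion in the file's own style. The same lines are added in sw/source/core/docnode/ndtbl.cxx, and the enclosing function starts and ends outside both hunks.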
+diff -r f05c22a99382 desktop/scripts/soffice.sh
+--- a/desktop/scripts/soffice.sh Tue Aug 10 11:05:20 2010 +0200
++++ b/desktop/scripts/soffice.sh Wed Oct 13 12:56:23 2010 +0200
+@@ -95,7 +95,7 @@
+ my_path=`"$sd_prog/../basis-link/ure-link/bin/javaldx" $BOOTSTRAPVARS \
+ "-env:INIFILENAME=vnd.sun.star.pathname:$sd_prog/redirectrc"`
+ if [ -n "$my_path" ] ; then
+- LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
++ LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
+ export LD_LIBRARY_PATH
+ fi
+ fi
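Review bot: The switch to `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` only removes the stray colon for a wholly empty variable; an inherited value that itself contains an empty element (a leading, trailing or doubled colon) or a relative directory is still appended unchanged, and the loader resolves such entries against the current directory. If that is accepted as the caller's responsibility, a comment should say so, because the one-character difference is easy to revert by accident: `# use :+ (not +): an empty LD_LIBRARY_PATH must not add an empty entry, which the loader treats as the current directory`. The same applies to the matching hunks in unopkg.sh, spadmin.sh, python.sh, gengal.sh and ure/source/startup.sh.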
+diff -r f05c22a99382 desktop/scripts/unopkg.sh
+--- a/desktop/scripts/unopkg.sh Tue Aug 10 11:05:20 2010 +0200
++++ b/desktop/scripts/unopkg.sh Wed Oct 13 12:56:23 2010 +0200
+@@ -84,7 +84,7 @@
+ my_path=`"$sd_prog/../basis-link/ure-link/bin/javaldx" $BOOTSTRAPVARS \
+ "-env:INIFILENAME=vnd.sun.star.pathname:$sd_prog/redirectrc"`
+ if [ -n "$my_path" ] ; then
+- LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
++ LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
+ export LD_LIBRARY_PATH
+ fi
+ fi
+diff -r f05c22a99382 padmin/source/spadmin.sh
+--- a/padmin/source/spadmin.sh Tue Aug 10 11:05:20 2010 +0200
++++ b/padmin/source/spadmin.sh Wed Oct 13 12:56:23 2010 +0200
+@@ -57,7 +57,7 @@
+ my_path=`"$sd_prog/../basis-link/ure-link/bin/javaldx" $BOOTSTRAPVARS \
+ "-env:INIFILENAME=vnd.sun.star.pathname:$sd_prog/redirectrc"`
+ if [ -n "$my_path" ] ; then
+- LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
++ LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
+ export LD_LIBRARY_PATH
+ fi
+ fi
+diff -r f05c22a99382 pyuno/zipcore/python.sh
+--- a/pyuno/zipcore/python.sh Tue Aug 10 11:05:20 2010 +0200
++++ b/pyuno/zipcore/python.sh Wed Oct 13 12:56:23 2010 +0200
+@@ -44,7 +44,7 @@
+ export PATH
+
+ # Set LD_LIBRARY_PATH so that "import pyuno" finds libpyuno.so:
+-LD_LIBRARY_PATH=$sd_prog/../basis-link/program:$sd_prog/../basis-link/ure-link/lib${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
++LD_LIBRARY_PATH=$sd_prog/../basis-link/program:$sd_prog/../basis-link/ure-link/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
+ export LD_LIBRARY_PATH
+
+ # Set UNO_PATH so that "officehelper.bootstrap()" can find soffice executable:
+diff -r f05c22a99382 solenv/bin/checkdll.sh
+--- a/solenv/bin/checkdll.sh Tue Aug 10 11:05:20 2010 +0200
++++ b/solenv/bin/checkdll.sh Wed Oct 13 12:56:23 2010 +0200
+@@ -42,7 +42,7 @@
+ -L) shift; option=$1;;
+ --) break;;
+ esac
+- case "${libpath+X}" in
++ case "${libpath:+X}" in
+ X) libpath=$libpath:$option;;
+ *) libpath=$option;;
+ esac
+@@ -51,22 +51,22 @@
+ shift # remove the trailing ---
+
+ case `uname -s` in
+- Darwin) case "${DYLD_LIBRARY_PATH+X}" in
++ Darwin) case "${DYLD_LIBRARY_PATH:+X}" in
+ X) DYLD_LIBRARY_PATH=$libpath:$DYLD_LIBRARY_PATH;;
+ *) DYLD_LIBRARY_PATH=$libpath;;
+ esac
+ export DYLD_LIBRARY_PATH;;
+- IRIX) case "${LD_LIBRARYN32_PATH+X}" in
++ IRIX) case "${LD_LIBRARYN32_PATH:+X}" in
+ X) LD_LIBRARYN32_PATH=$libpath:$LD_LIBRARYN32_PATH;;
+ *) LD_LIBRARYN32_PATH=$libpath;;
+ esac
+ export LD_LIBRARYN32_PATH;;
+- IRIX64) case "${LD_LIBRARYN32_PATH+X}" in
++ IRIX64) case "${LD_LIBRARYN32_PATH:+X}" in
+ X) LD_LIBRARYN32_PATH=$libpath:$LD_LIBRARYN32_PATH;;
+ *) LD_LIBRARYN32_PATH=$libpath;;
+ esac
+ export LD_LIBRARYN32_PATH;;
+- *) case "${LD_LIBRARY_PATH+X}" in
++ *) case "${LD_LIBRARY_PATH:+X}" in
+ X) LD_LIBRARY_PATH=$libpath:$LD_LIBRARY_PATH;;
+ *) LD_LIBRARY_PATH=$libpath;;
+ esac
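Review bot: The `X)` branches still build `$libpath:$LD_LIBRARY_PATH`, which begins with an empty element when no `-L` option has set `libpath`; the option loop is only partly visible, so whether that case can occur should be checked. The prefix can be guarded the same way as the tests, e.g. `X) LD_LIBRARY_PATH=${libpath:+$libpath:}$LD_LIBRARY_PATH;;`, and likewise in the DYLD_LIBRARY_PATH and LD_LIBRARYN32_PATH branches.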
+diff -r f05c22a99382 solenv/bin/localize
+--- a/solenv/bin/localize Tue Aug 10 11:05:20 2010 +0200
++++ b/solenv/bin/localize Wed Oct 13 12:56:23 2010 +0200
+@@ -7,9 +7,9 @@
+ # localize.pl calls localize_sl in solver bin directory which depends on dynamic
+ # libraries in solver lib directory but has no correct RPATH (or equivalent):
+ if [ "${OS?}" = MACOSX ]; then
+- export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH+${DYLD_LIBRARY_PATH}:}${SOLARVERSION?}/${INPATH?}/lib${UPDMINOREXT}
++ export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH:+${DYLD_LIBRARY_PATH}:}${SOLARVERSION?}/${INPATH?}/lib${UPDMINOREXT}
+ else
+- export LD_LIBRARY_PATH=${LD_LIBRARY_PATH+${LD_LIBRARY_PATH}:}${SOLARVERSION?}/${INPATH?}/lib${UPDMINOREXT}
++ export LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+${LD_LIBRARY_PATH}:}${SOLARVERSION?}/${INPATH?}/lib${UPDMINOREXT}
+ fi
+
+ if [ x${SOLARVER}x = xx -o x${UPDMINOR}x = xx ]; then
+diff -r f05c22a99382 solenv/bin/rpm-wrapper
+--- a/solenv/bin/rpm-wrapper Tue Aug 10 11:05:20 2010 +0200
++++ b/solenv/bin/rpm-wrapper Wed Oct 13 12:56:23 2010 +0200
+@@ -35,9 +35,9 @@
+ set -e
+ if [ "$OUTPATH" = "unxlngi6" ]
+ then
+-LD_LIBRARY_PATH=${LD_LIBRARY_PATH+${LD_LIBRARY_PATH}:}${LIBRARY_PATH?} \
++LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+${LD_LIBRARY_PATH}:}${LIBRARY_PATH?} \
+ ${BUILD_TOOLS?}/rpmbuild "$@"
+ else
+-LD_LIBRARY_PATH=${LD_LIBRARY_PATH+${LD_LIBRARY_PATH}:}${COMPATH?}/lib \
++LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+${LD_LIBRARY_PATH}:}${COMPATH?}/lib \
+ ${BUILD_TOOLS?}/rpm "$@"
+ fi
+diff -r f05c22a99382 solenv/bin/soirpm.sh
+--- a/solenv/bin/soirpm.sh Tue Aug 10 11:05:20 2010 +0200
++++ b/solenv/bin/soirpm.sh Wed Oct 13 12:56:23 2010 +0200
+@@ -28,5 +28,5 @@
+ LIBRPMBUILD=$(find ${COMPATH} -name 'librpmbuild-4.1*' -print)
+ # echo $(dirname $LIBRPMBUILD)
+ LD_LIBRARY_PATH=$(dirname ${LIBRPMBUILD}) ${BUILD_TOOLS?}/rpm "$@"
+-# LD_LIBRARY_PATH=${LD_LIBRARY_PATH+${LD_LIBRARY_PATH}:}${COMPATH?}/lib \
++# LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+${LD_LIBRARY_PATH}:}${COMPATH?}/lib \
+ # ${BUILD_TOOLS?}/rpm "$@"
+diff -r f05c22a99382 svx/source/gengal/gengal.sh
+--- a/svx/source/gengal/gengal.sh Tue Aug 10 11:05:20 2010 +0200
++++ b/svx/source/gengal/gengal.sh Wed Oct 13 12:56:23 2010 +0200
+@@ -62,27 +62,27 @@
+ sd_platform=`uname -s`
+ case $sd_platform in
+ AIX)
+- LIBPATH=${sd_prog}${LIBPATH+:${LIBPATH}}
++ LIBPATH=${sd_prog}${LIBPATH:+:${LIBPATH}}
+ export LIBPATH
+ ;;
+
+ Darwin)
+- DYLD_LIBRARY_PATH=${sd_prog}${DYLD_LIBRARY_PATH+:${DYLD_LIBRARY_PATH}}
++ DYLD_LIBRARY_PATH=${sd_prog}${DYLD_LIBRARY_PATH:+:${DYLD_LIBRARY_PATH}}
+ export DYLD_LIBRARY_PATH
+ ;;
+
+ HP-UX)
+- SHLIB_PATH=${sd_prog}:/usr/openwin/lib${SHLIB_PATH+:${SHLIB_PATH}}
++ SHLIB_PATH=${sd_prog}:/usr/openwin/lib${SHLIB_PATH:+:${SHLIB_PATH}}
+ export SHLIB_PATH
+ ;;
+
+ IRIX*)
+- LD_LIBRARYN32_PATH=${sd_prog}${LD_LIBRARYN32_PATH+:${LD_LIBRARYN32_PATH}}
++ LD_LIBRARYN32_PATH=${sd_prog}${LD_LIBRARYN32_PATH:+:${LD_LIBRARYN32_PATH}}
+ export LD_LIBRARYN32_PATH
+ ;;
+
+ *)
+- LD_LIBRARY_PATH=${sd_prog}${LD_LIBRARY_PATH+:${LD_LIBRARY_PATH}}
++ LD_LIBRARY_PATH=${sd_prog}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
+ export LD_LIBRARY_PATH
+ ;;
+ esac
+diff -r f05c22a99382 sw/source/core/doc/number.cxx
+--- a/sw/source/core/doc/number.cxx Tue Aug 10 11:05:20 2010 +0200
++++ b/sw/source/core/doc/number.cxx Wed Oct 13 12:56:23 2010 +0200
+@@ -101,8 +101,15 @@
+
+ const SwNumFmt* SwNumRule::GetNumFmt( USHORT i ) const
+ {
+- ASSERT_ID( i < MAXLEVEL && eRuleType < RULE_END, ERR_NUMLEVEL);
+- return aFmts[ i ];
++ const SwNumFmt * pResult = NULL;
++
++ ASSERT_ID( i < MAXLEVEL && eRuleType < RULE_END, ERR_NUMLEVEL);
++ if ( i < MAXLEVEL && eRuleType < RULE_END)
++ {
++ pResult = aFmts[ i ];
++ }
++
++ return pResult;
+ }
+
+ // --> OD 2008-07-08 #i91400#
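Review bot: `GetNumFmt` now returns NULL for an out-of-range level or rule type, so every caller that dereferences the result without a check turns a bad index into a null dereference. The callers are outside this hunk and need auditing. The new contract should be stated at the definition, e.g. `// returns NULL if i >= MAXLEVEL or eRuleType >= RULE_END; callers must check`.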
+diff -r f05c22a99382 sw/source/core/docnode/ndtbl.cxx
+--- a/sw/source/core/docnode/ndtbl.cxx Tue Aug 10 11:05:20 2010 +0200
++++ b/sw/source/core/docnode/ndtbl.cxx Wed Oct 13 12:56:23 2010 +0200
+@@ -335,7 +335,13 @@
+ new SwEndNode( aEndIdx, *pSttNd );
+
+ pPrvBox = new SwTableBox( pBoxFmt, *pSttNd, pLine );
+- pLine->GetTabBoxes().C40_INSERT( SwTableBox, pPrvBox, nInsPos + n );
++
++ SwTableBoxes & rTabBoxes = pLine->GetTabBoxes();
++ USHORT nRealInsPos = nInsPos + n;
++ if (nRealInsPos > rTabBoxes.Count())
++ nRealInsPos = rTabBoxes.Count();
++
++ rTabBoxes.C40_INSERT( SwTableBox, pPrvBox, nRealInsPos );
+
+ //if( NO_NUMBERING == pTxtColl->GetOutlineLevel()//#outline level,zhaojianwei
+ if( ! pTxtColl->IsAssignedToListLevelOfOutlineStyle()//<-end,zhaojianwei
+diff -r f05c22a99382 sw/source/filter/rtf/rtfnum.cxx
+--- a/sw/source/filter/rtf/rtfnum.cxx Tue Aug 10 11:05:20 2010 +0200
++++ b/sw/source/filter/rtf/rtfnum.cxx Wed Oct 13 12:56:23 2010 +0200
+@@ -806,8 +806,8 @@
+ // suche die Rule - steht unter Nummer 3
+ nListNo = 3;
+ bContinus = FALSE;
+- nLevel = MAXLEVEL <= nTokenValue ? MAXLEVEL - 1
+- : BYTE( nTokenValue - 1 );
++ nLevel = MAXLEVEL <= (unsigned long) nTokenValue ? MAXLEVEL - 1
++ : (!nTokenValue ? 0 : BYTE( nTokenValue - 1 ));
+ }
+ else
+ {
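Review bot: The clamping expression is written out twice (here and in the `RTF_PNLVL` case of the next hunk) and relies on the `(unsigned long)` cast to send negative token values to `MAXLEVEL - 1`, which is not obvious when reading it. A small static helper would keep the two sites in step; at minimum add a comment such as `// negative or >= MAXLEVEL clamps to MAXLEVEL - 1; 0 maps to level 0`. The declared type of nTokenValue is outside the hunk, so the effect of the cast on negative values is inferred.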
+@@ -815,9 +815,9 @@
+ {
+ case RTF_PNLVL: nListNo = 3;
+ bContinus = FALSE;
+- nLevel = MAXLEVEL <= nTokenValue
++ nLevel = MAXLEVEL <= (unsigned long) nTokenValue
+ ? MAXLEVEL - 1
+- : BYTE( nTokenValue-1 );
++ : (!nTokenValue ? 0 : BYTE( nTokenValue-1 ));
+ break;
+
+ case RTF_PNLVLBODY:
+diff -r f05c22a99382 sw/source/filter/ww8/ww8par3.cxx
+--- a/sw/source/filter/ww8/ww8par3.cxx Tue Aug 10 11:05:20 2010 +0200
++++ b/sw/source/filter/ww8/ww8par3.cxx Wed Oct 13 12:56:23 2010 +0200
+@@ -1402,7 +1402,9 @@
+ pLFOInfo->pNumRule->Set(aLFOLVL.nLevel, aNumFmt);
+ }
+ bLVLOk = true;
+- pLFOInfo->maOverrides[aLFOLVL.nLevel] = aLFOLVL;
++
++ if (nMaxLevel > aLFOLVL.nLevel)
++ pLFOInfo->maOverrides[aLFOLVL.nLevel] = aLFOLVL;
+ }
+ if( !bLVLOk )
+ break;
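Review bot: `pLFOInfo->pNumRule->Set(aLFOLVL.nLevel, aNumFmt);` in the first context line uses the same level without the new `nMaxLevel` test, so the guard covers only the `maOverrides` write; whether nLevel is validated earlier or inside `Set` is not visible here. An out-of-range level is also still reported as success through `bLVLOk = true`. If such a record is malformed, it would be clearer to test `aLFOLVL.nLevel >= nMaxLevel` once, where the level is first read, and skip both uses.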
+diff -r f05c22a99382 sw/source/filter/ww8/ww8scan.cxx
+--- a/sw/source/filter/ww8/ww8scan.cxx Tue Aug 10 11:05:20 2010 +0200
++++ b/sw/source/filter/ww8/ww8scan.cxx Wed Oct 13 12:56:23 2010 +0200
+@@ -7178,8 +7178,16 @@
+ for (i=0; i < nMaxLeading; ++i)
+ rgxchLPunct[i] = Get_Short(pData);
+
+- rgxchFPunct[cchFollowingPunct]=0;
+- rgxchLPunct[cchLeadingPunct]=0;
++ if (cchFollowingPunct >= 0 && cchFollowingPunct < nMaxFollowing)
++ rgxchFPunct[cchFollowingPunct]=0;
++ else
++ rgxchFPunct[nMaxFollowing - 1]=0;
++
++ if (cchLeadingPunct >= 0 && cchLeadingPunct < nMaxLeading)
++ rgxchLPunct[cchLeadingPunct]=0;
++ else
++ rgxchLPunct[nMaxLeading - 1]=0;
++
+ }
+
+ void WW8DopTypography::WriteToMem(BYTE *&pData) const
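Review bot: The terminator writes are now bounded, but `cchFollowingPunct` and `cchLeadingPunct` keep their out-of-range values, so any later code that uses them as lengths still sees the bad count; `WriteToMem`, which starts right after this hunk, is one place to check. If this function may modify the members, clamping them first avoids that and removes the else branches: `if (cchFollowingPunct < 0 || cchFollowingPunct >= nMaxFollowing) cchFollowingPunct = nMaxFollowing - 1;` followed by the original `rgxchFPunct[cchFollowingPunct]=0;`, and the same for the leading pair.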
+diff -r f05c22a99382 ure/source/startup.sh
+--- a/ure/source/startup.sh Tue Aug 10 11:05:20 2010 +0200
++++ b/ure/source/startup.sh Wed Oct 13 12:56:23 2010 +0200
+@@ -39,7 +39,7 @@
+ if [ -x "${epath}/javaldx" ] ; then
+ jpath=`"${epath}/javaldx" $my_envargs`
+ if [ -n "${jpath}" ]; then
+- LD_LIBRARY_PATH=${jpath}${LD_LIBRARY_PATH+:${LD_LIBRARY_PATH}}
++ LD_LIBRARY_PATH=${jpath}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
+ export LD_LIBRARY_PATH
+ fi
+ fi
diff --git a/workspace.impress208.patch b/workspace.impress208.patch
new file mode 100644
index 0000000..2ab207b
--- /dev/null
+++ b/workspace.impress208.patch
@@ -0,0 +1,112 @@
+
+# HG changeset patch
+# User Christian Lippka ORACLE <christian.lippka at oracle.com>
+# Date 1294074253 -3600
+# Node ID 29638e31d01685727edd4569dd2438f914cdf538
+# Parent a21d317bfa71988ffe2d6987083fd91f2f338800
+impress208: #164349# fixed possible heap overflow when reading manipulated TGA images
+
+diff -r a21d317bfa71 -r 29638e31d016 filter/source/graphicfilter/itga/itga.cxx
+--- a/goodies/source/filter.vcl/itga/itga.cxx Mon Jan 03 17:59:57 2011 +0100
++++ b/goodies/source/filter.vcl/itga/itga.cxx Mon Jan 03 18:04:13 2011 +0100
+@@ -338,6 +338,9 @@
+ nXCount = 0;
+ nY += nYAdd;
+ nYCount++;
++
++ if( nYCount >= mpFileHeader->nImageHeight )
++ return false; // invalid picture
+ }
+ }
+ }
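Review bot: `if( nYCount >= mpFileHeader->nImageHeight ) return false;` also fires when the last row of a well-formed image has just been completed, because nYCount equals nImageHeight at that moment; unless the enclosing loops (outside the hunk) guarantee that no run ends exactly on the final pixel, valid files would be rejected. Rejecting only when more pixels remain in the current run, or leaving the run loop with `break;` and letting the outer loop condition end decoding, would keep the bounds protection without that side effect. The identical three lines are added in all ten hunks of this file, so a shared helper for the row advance would keep them consistent.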
+@@ -360,6 +363,9 @@
+ nXCount = 0;
+ nY += nYAdd;
+ nYCount++;
++
++ if( nYCount >= mpFileHeader->nImageHeight )
++ return false; // invalid picture
+ }
+ }
+ }
+@@ -387,6 +393,9 @@
+ nXCount = 0;
+ nY += nYAdd;
+ nYCount++;
++
++ if( nYCount >= mpFileHeader->nImageHeight )
++ return false; // invalid picture
+ }
+ }
+ }
+@@ -407,6 +416,9 @@
+ nXCount = 0;
+ nY += nYAdd;
+ nYCount++;
++
++ if( nYCount >= mpFileHeader->nImageHeight )
++ return false; // invalid picture
+ }
+ }
+ }
+@@ -440,6 +452,9 @@
+ nXCount = 0;
+ nY += nYAdd;
+ nYCount++;
++
++ if( nYCount >= mpFileHeader->nImageHeight )
++ return false; // invalid picture
+ }
+ }
+ }
+@@ -457,6 +472,9 @@
+ nXCount = 0;
+ nY += nYAdd;
+ nYCount++;
++
++ if( nYCount >= mpFileHeader->nImageHeight )
++ return false; // invalid picture
+ }
+ }
+ }
+@@ -483,6 +501,9 @@
+ nXCount = 0;
+ nY += nYAdd;
+ nYCount++;
++
++ if( nYCount >= mpFileHeader->nImageHeight )
++ return false; // invalid picture
+ }
+ }
+ }
+@@ -500,6 +521,9 @@
+ nXCount = 0;
+ nY += nYAdd;
+ nYCount++;
++
++ if( nYCount >= mpFileHeader->nImageHeight )
++ return false; // invalid picture
+ }
+ }
+ }
+@@ -528,6 +552,9 @@
+ nXCount = 0;
+ nY += nYAdd;
+ nYCount++;
++
++ if( nYCount >= mpFileHeader->nImageHeight )
++ return false; // invalid picture
+ }
+ }
+ }
+@@ -548,6 +575,9 @@
+ nXCount = 0;
+ nY += nYAdd;
+ nYCount++;
++
++ if( nYCount >= mpFileHeader->nImageHeight )
++ return false; // invalid picture
+ }
+ }
+ }
+
diff --git a/workspace.mav56.patch b/workspace.mav56.patch
new file mode 100644
index 0000000..84561c1
--- /dev/null
+++ b/workspace.mav56.patch
@@ -0,0 +1,200 @@
+
+# HG changeset patch
+# User Mikhail Voytenko <mav at openoffice.org>
+# Date 1281431120 -7200
+# Node ID 1efb7f54e7188baa10e280652b0e4762f55025a9
+# Parent f185ef1693f702c5b0e4ae1439020c7e13b1d1e5
+mav56: #163253# tread invalid path segments correctly
+
+diff -r f185ef1693f7 comphelper/inc/comphelper/storagehelper.hxx
+--- a/comphelper/inc/comphelper/storagehelper.hxx Tue Aug 03 14:12:26 2010 +0200
++++ b/comphelper/inc/comphelper/storagehelper.hxx Wed Oct 13 12:37:34 2010 +0200
+@@ -158,6 +158,8 @@
+
+ static sal_Bool IsValidZipEntryFileName( const ::rtl::OUString& aName, sal_Bool bSlashAllowed );
+ static sal_Bool IsValidZipEntryFileName( const sal_Unicode *pChar, sal_Int32 nLength, sal_Bool bSlashAllowed );
++
++ static sal_Bool PathHasSegment( const ::rtl::OUString& aPath, const ::rtl::OUString& aSegment );
+ };
+
+ }
+diff -r f185ef1693f7 comphelper/source/misc/storagehelper.cxx
+--- a/comphelper/source/misc/storagehelper.cxx Tue Aug 03 14:12:26 2010 +0200
++++ b/comphelper/source/misc/storagehelper.cxx Wed Oct 13 12:37:34 2010 +0200
+@@ -431,5 +431,36 @@
+ return sal_True;
+ }
+
++// ----------------------------------------------------------------------
++sal_Bool OStorageHelper::PathHasSegment( const ::rtl::OUString& aPath, const ::rtl::OUString& aSegment )
++{
++ sal_Bool bResult = sal_False;
++ const sal_Int32 nPathLen = aPath.getLength();
++ const sal_Int32 nSegLen = aSegment.getLength();
++
++ if ( nSegLen && nPathLen >= nSegLen )
++ {
++ ::rtl::OUString aEndSegment( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
++ aEndSegment += aSegment;
++
++ ::rtl::OUString aInternalSegment( aEndSegment );
++ aInternalSegment += ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
++
++ if ( aPath.indexOf( aInternalSegment ) >= 0 )
++ bResult = sal_True;
++
++ if ( !bResult && !aPath.compareTo( aSegment, nSegLen ) )
++ {
++ if ( nPathLen == nSegLen || aPath.getStr()[nSegLen] == (sal_Unicode)'/' )
++ bResult = sal_True;
++ }
++
++ if ( !bResult && nPathLen > nSegLen && aPath.copy( nPathLen - nSegLen - 1, nSegLen + 1 ).equals( aEndSegment ) )
++ bResult = sal_True;
++ }
++
++ return bResult;
+ }
+
++}
++
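Review bot: `PathHasSegment` has no comment stating its contract, although callers use it as a security check. It matches `aSegment` only as a whole, case-sensitive segment delimited by '/', and does no percent-decoding or backslash handling, so callers must pass the path in the form they will later resolve. A short header comment saying this, plus `// returns sal_False for an empty segment`, would make the limits visible. The declaration added in storagehelper.hxx could carry the same text.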
+diff -r f185ef1693f7 filter/source/xsltdialog/xmlfilterjar.cxx
+--- a/filter/source/xsltdialog/xmlfilterjar.cxx Tue Aug 03 14:12:26 2010 +0200
++++ b/filter/source/xsltdialog/xmlfilterjar.cxx Wed Oct 13 12:37:34 2010 +0200
+@@ -101,6 +101,10 @@
+
+ static Reference< XInterface > addFolder( Reference< XInterface >& xRootFolder, Reference< XSingleServiceFactory >& xFactory, const OUString& rName ) throw( Exception )
+ {
++ if ( rName.equals( OUString( RTL_CONSTASCII_USTRINGPARAM( ".." ) ) )
++ || rName.equals( OUString( RTL_CONSTASCII_USTRINGPARAM( "." ) ) ) )
++ throw lang::IllegalArgumentException();
++
+ Sequence< Any > aArgs(1);
+ aArgs[0] <<= (sal_Bool)sal_True;
+
+@@ -362,6 +366,10 @@
+ {
+ OUString szPackagePath( encodeZipUri( rURL.copy( sVndSunStarPackage.getLength() ) ) );
+
++ if ( ::comphelper::OStorageHelper::PathHasSegment( szPackagePath, OUString( RTL_CONSTASCII_USTRINGPARAM( ".." ) ) )
++ || ::comphelper::OStorageHelper::PathHasSegment( szPackagePath, OUString( RTL_CONSTASCII_USTRINGPARAM( "." ) ) ) )
++ throw lang::IllegalArgumentException();
++
+ if( xIfc->hasByHierarchicalName( szPackagePath ) )
+ {
+ Reference< XActiveDataSink > xFileEntry;
+diff -r f185ef1693f7 ucb/source/ucp/package/makefile.mk
+--- a/ucb/source/ucp/package/makefile.mk Tue Aug 03 14:12:26 2010 +0200
++++ b/ucb/source/ucp/package/makefile.mk Wed Oct 13 12:37:34 2010 +0200
+@@ -68,6 +68,7 @@
+ SHL1VERSIONMAP=exports.map
+
+ SHL1STDLIBS=\
++ $(COMPHELPERLIB) \
+ $(CPPUHELPERLIB) \
+ $(CPPULIB) \
+ $(SALLIB) \
+diff -r f185ef1693f7 ucb/source/ucp/package/pkguri.cxx
+--- a/ucb/source/ucp/package/pkguri.cxx Tue Aug 03 14:12:26 2010 +0200
++++ b/ucb/source/ucp/package/pkguri.cxx Wed Oct 13 12:37:34 2010 +0200
+@@ -36,6 +36,7 @@
+
+ #include "rtl/ustrbuf.hxx"
+ #include "osl/diagnose.h"
++#include "comphelper/storagehelper.hxx"
+
+ #include "../inc/urihelper.hxx"
+
+@@ -85,7 +86,7 @@
+ if ( ( m_aUri.getLength() < PACKAGE_URL_SCHEME_LENGTH + 4 ) )
+ {
+ // error, but remember that we did a init().
+- m_aPath = rtl::OUString::createFromAscii( "/" );
++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
+ return;
+ }
+
+@@ -100,7 +101,7 @@
+ != sal_Unicode( '/' ) ) )
+ {
+ // error, but remember that we did a init().
+- m_aPath = rtl::OUString::createFromAscii( "/" );
++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
+ return;
+ }
+
+@@ -128,8 +129,8 @@
+ {
+ m_aParam +=
+ ( m_aParam.getLength()
+- ? ::rtl::OUString::createFromAscii( "&purezip" )
+- : ::rtl::OUString::createFromAscii( "?purezip" ) );
++ ? ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "&purezip" ) )
++ : ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "?purezip" ) ) );
+ }
+
+ aPureUri = aPureUri.replaceAt( 0,
+@@ -143,7 +144,7 @@
+ // Only <scheme>:/// - Empty authority
+
+ // error, but remember that we did a init().
+- m_aPath = rtl::OUString::createFromAscii( "/" );
++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
+ return;
+ }
+ else if ( nEnd == ( aPureUri.getLength() - 1 ) )
+@@ -154,7 +155,7 @@
+ // Only <scheme>://// or <scheme>://<something>//
+
+ // error, but remember that we did a init().
+- m_aPath = rtl::OUString::createFromAscii( "/" );
++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
+ return;
+ }
+
+@@ -175,7 +176,7 @@
+ nStart, aPureUri.getLength() - nStart, aNormPackage );
+ m_aPackage
+ = ::ucb_impl::urihelper::decodeSegment( aNormPackage );
+- m_aPath = rtl::OUString::createFromAscii( "/" );
++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
+ m_aUri = m_aUri.replaceAt( 0,
+ ( nParam >= 0 )
+ ? nParam
+@@ -193,16 +194,19 @@
+ {
+ m_aPath = aPureUri.copy( nEnd + 1 );
+
+- // Empty path segments or encoded slashes?
+- if ( m_aPath.indexOf(
+- rtl::OUString::createFromAscii( "//" ) ) != -1
+- || m_aPath.indexOf(
+- rtl::OUString::createFromAscii( "%2F" ) ) != -1
+- || m_aPath.indexOf(
+- rtl::OUString::createFromAscii( "%2f" ) ) != -1 )
++ // Unexpected sequences of characters:
++ // - empty path segments
++ // - encoded slashes
++ // - parent folder segments ".."
++ // - current folder segments "."
++ if ( m_aPath.indexOf( rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "//" ) ) ) != -1
++ || m_aPath.indexOf( rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "%2F" ) ) ) != -1
++ || m_aPath.indexOf( rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "%2f" ) ) ) != -1
++ || ::comphelper::OStorageHelper::PathHasSegment( m_aPath, ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( ".." ) ) )
++ || ::comphelper::OStorageHelper::PathHasSegment( m_aPath, ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "." ) ) ) )
+ {
+ // error, but remember that we did a init().
+- m_aPath = rtl::OUString::createFromAscii( "/" );
++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
+ return;
+ }
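Review bot: The new `PathHasSegment` tests run on `m_aPath` while it is still percent-encoded (the neighbouring tests look for `%2F` and `%2f`), so dot segments written in encoded form are not matched here. Whether the path is decoded later is outside this hunk; if it is, the segment test should run on the decoded segments, or encoded dots should be rejected alongside the encoded slashes. The comment block could also say which form of the path is being checked.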
+
+@@ -239,7 +243,7 @@
+ else
+ {
+ // error, but remember that we did a init().
+- m_aPath = rtl::OUString::createFromAscii( "/" );
++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
+ }
+ }
+ }
diff --git a/workspace.os145.patch b/workspace.os145.patch
new file mode 100644
index 0000000..cca1fb3
--- /dev/null
+++ b/workspace.os145.patch
@@ -0,0 +1,122 @@
+
+# HG changeset patch
+# User sj <sj at openoffice.org>
+# Date 1290448824 -3600
+# Node ID 87199810ffc4e6b411da0ec2442aa278ab036e2e
+# Parent a44f9eb0f28654c982f7ebeb8c8d7eac1de5c79f
+os145: #b7001886# fixing small ppt import problem, improving png reader
+
+diff -r a44f9eb0f286 svx/source/svdraw/svdfppt.cxx
+--- a/svx/source/svdraw/svdfppt.cxx Wed Dec 01 12:03:10 2010 +0100
++++ b/svx/source/svdraw/svdfppt.cxx Wed Dec 01 12:06:40 2010 +0100
+@@ -1469,12 +1469,16 @@
+
+ if ( bOk )
+ {
+- // PersistPtrs lesen (alle)
+- nPersistPtrAnz = aUserEditAtom.nMaxPersistWritten + 1; // 1 mehr, damit ich immer direkt indizieren kann
+- pPersistPtr = new UINT32[ nPersistPtrAnz ]; // (die fangen naemlich eigentlich bei 1 an)
++ nPersistPtrAnz = aUserEditAtom.nMaxPersistWritten + 1;
++ if ( ( nPersistPtrAnz >> 2 ) > nStreamLen ) // sj: at least nPersistPtrAnz is not allowed to be greater than filesize
++ bOk = FALSE; // (it should not be greater than the PPT_PST_PersistPtrIncrementalBlock, but
++ // we are reading this block later, so we do not have access yet)
++
++ if ( bOk && ( nPersistPtrAnz < ( SAL_MAX_UINT32 / sizeof( UINT32 ) ) ) )
++ pPersistPtr = new (std::nothrow) UINT32[ nPersistPtrAnz ];
+ if ( !pPersistPtr )
+ bOk = FALSE;
+- else
++ if ( bOk )
+ {
+ memset( pPersistPtr, 0x00, nPersistPtrAnz * 4 );
+
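Review bot: `nMaxPersistWritten + 1` can wrap to 0 for the maximum value, in which case `new (std::nothrow) UINT32[ nPersistPtrAnz ]` succeeds with a zero-length table and bOk stays true; the later indexing is outside the hunk and would need its own bound. The size test `( nPersistPtrAnz >> 2 ) > nStreamLen` divides the count by four although each entry occupies four bytes, so it admits tables far larger than the stream; if the intent is that the table fits in the file, `nPersistPtrAnz > nStreamLen / 4` is the tighter form. `if ( !pPersistPtr )` also depends on the pointer being null before this block, which is not visible here.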
+@@ -5086,6 +5090,10 @@
+ rIn >> nCharCount
+ >> aParaPropSet.pParaSet->mnDepth; // Einruecktiefe
+
++ aParaPropSet.pParaSet->mnDepth = // taking care of about using not more than 9 outliner levels
++ std::min(sal_uInt16(8),
++ aParaPropSet.pParaSet->mnDepth);
++
+ nCharCount--;
+
+ rIn >> nMask;
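Review bot: The clamp uses the literal `sal_uInt16(8)` while the comment speaks of 9 levels; a named constant for the maximum depth would make the relation explicit, and the comment reads more clearly as `// clamp to the 9 supported outliner levels (0..8)`. If `<algorithm>` is not already included in this file, `std::min` needs it; the include block is outside the hunk.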
+diff -r a44f9eb0f286 vcl/source/gdi/pngread.cxx
+--- a/vcl/source/gdi/pngread.cxx Wed Dec 01 12:03:10 2010 +0100
++++ b/vcl/source/gdi/pngread.cxx Wed Dec 01 12:06:40 2010 +0100
+@@ -411,7 +411,9 @@
+
+ case PNGCHUNK_IDAT :
+ {
+- if ( !mbIDAT ) // the gfx is finished, but there may be left a zlibCRC of about 4Bytes
++ if ( !mpInflateInBuf ) // taking care that the header has properly been read
++ mbStatus = FALSE;
++ else if ( !mbIDAT ) // the gfx is finished, but there may be left a zlibCRC of about 4Bytes
+ ImplReadIDAT();
+ }
+ break;
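Review bot: The IDAT guard tests only `mpInflateInBuf`, but the header code in the last hunk of this file allocates `mpScanPrior` as well and can return FALSE with one buffer set and the other null. If chunk processing can continue after that failure (not visible here), `if ( !mpInflateInBuf || !mpScanPrior )` would be the safer test.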
+@@ -527,7 +529,7 @@
+ mbIDAT = mbAlphaChannel = mbTransparent = FALSE;
+ mbGrayScale = mbRGBTriple = FALSE;
+ mnTargetDepth = mnPngDepth;
+- mnScansize = ( ( maOrigSize.Width() * mnPngDepth ) + 7 ) >> 3;
++ sal_uInt64 nScansize64 = ( ( static_cast< sal_uInt64 >( maOrigSize.Width() ) * mnPngDepth ) + 7 ) >> 3;
+
+ // valid color types are 0,2,3,4 & 6
+ switch ( mnColorType )
+@@ -557,7 +559,7 @@
+ case 2 : // each pixel is an RGB triple
+ {
+ mbRGBTriple = TRUE;
+- mnScansize *= 3;
++ nScansize64 *= 3;
+ switch ( mnPngDepth )
+ {
+ case 16 : // we have to reduce the bitmap
+@@ -590,7 +592,7 @@
+
+ case 4 : // each pixel is a grayscale sample followed by an alpha sample
+ {
+- mnScansize *= 2;
++ nScansize64 *= 2;
+ mbAlphaChannel = TRUE;
+ switch ( mnPngDepth )
+ {
+@@ -608,7 +610,7 @@
+ case 6 : // each pixel is an RGB triple followed by an alpha sample
+ {
+ mbRGBTriple = TRUE;
+- mnScansize *= 4;
++ nScansize64 *= 4;
+ mbAlphaChannel = TRUE;
+ switch (mnPngDepth )
+ {
+@@ -626,16 +628,24 @@
+ return FALSE;
+ }
+
+- mnBPP = mnScansize / maOrigSize.Width();
++ mnBPP = static_cast< sal_uInt32 >( nScansize64 / maOrigSize.Width() );
+ if ( !mnBPP )
+ mnBPP = 1;
+
+- mnScansize++; // each scanline includes one filterbyte
++ nScansize64++; // each scanline includes one filterbyte
++
++ if ( nScansize64 > SAL_MAX_UINT32 )
++ return FALSE;
++
++ mnScansize = static_cast< sal_uInt32 >( nScansize64 );
+
+ // TODO: switch between both scanlines instead of copying
+- mpInflateInBuf = new BYTE[ mnScansize ];
++ mpInflateInBuf = new (std::nothrow) BYTE[ mnScansize ];
+ mpScanCurrent = mpInflateInBuf;
+- mpScanPrior = new BYTE[ mnScansize ];
++ mpScanPrior = new (std::nothrow) BYTE[ mnScansize ];
++
++ if ( !mpInflateInBuf || !mpScanPrior )
++ return FALSE;
+
+ // calculate target size from original size and the preview hint
+ if( rPreviewSizeHint.Width() || rPreviewSizeHint.Height() )
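Review bot: `nScansize64 / maOrigSize.Width()` still divides by the header width without a visible check, so a zero width is a division by zero and a negative one becomes a huge value through the `sal_uInt64` cast in the earlier hunk; validation may exist outside these hunks. A guard before the division, `if ( maOrigSize.Width() <= 0 ) return FALSE;`, would close this. Separately, when only one of the two `new (std::nothrow)` calls fails, the function returns with the other buffer still allocated; confirm that the owner frees it.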