[openoffice.org/f14] fix patches
Caolan McNamara
caolanm at fedoraproject.org
Thu Oct 6 13:12:55 UTC 2011
commit c98a220441ea60e39ea993c2fd2083b2e3eeee86
Author: Caolán McNamara <caolanm at redhat.com>
Date: Thu Oct 6 14:12:51 2011 +0100
fix patches
...s-rhbz-738255-avoid-crash-on-NULL-pointer.patch | 43 ++--
2011-2713.patch | 242 ++++++++++++++++++++
openoffice.org.spec | 5 +-
3 files changed, 266 insertions(+), 24 deletions(-)
---
diff --git a/0001-Resolves-rhbz-738255-avoid-crash-on-NULL-pointer.patch b/0001-Resolves-rhbz-738255-avoid-crash-on-NULL-pointer.patch
index f6cdc69..1331bee 100644
--- a/0001-Resolves-rhbz-738255-avoid-crash-on-NULL-pointer.patch
+++ b/0001-Resolves-rhbz-738255-avoid-crash-on-NULL-pointer.patch
@@ -11,29 +11,26 @@ diff --git a/sc/source/ui/app/inputhdl.cxx b/sc/source/ui/app/inputhdl.cxx
index 1524397..c30a8fd 100644
--- a/sc/source/ui/app/inputhdl.cxx
+++ b/sc/source/ui/app/inputhdl.cxx
-@@ -2469,13 +2469,16 @@ void ScInputHandler::EnterHandler( sal_uInt8 nBlockMode )
- ScDocument* pDoc = pActiveViewSh->GetViewData()->GetDocument();
+@@ -2478,13 +2478,16 @@
+ ScDocument* pDoc = pActiveViewSh->GetViewData()->GetDocument();
// #i67990# don't use pLastPattern in EnterHandler
const ScPatternAttr* pPattern = pDoc->GetPattern( aCursorPos.Col(), aCursorPos.Row(), aCursorPos.Tab() );
-- SvNumberFormatter* pFormatter = pDoc->GetFormatTable();
-- // without conditional format, as in ScColumn::SetString
+- SvNumberFormatter* pFormatter = pDoc->GetFormatTable();
+- // without conditional format, as in ScColumn::SetString
- sal_uInt32 nFormat = pPattern->GetNumberFormat( pFormatter );
-- double nVal;
-- if ( pFormatter->IsNumberFormat( aString, nFormat, nVal ) )
-+ if (pPattern)
- {
-- bSpellErrors = false; // ignore the spelling errors
-+ SvNumberFormatter* pFormatter = pDoc->GetFormatTable();
-+ // without conditional format, as in ScColumn::SetString
-+ sal_uInt32 nFormat = pPattern->GetNumberFormat( pFormatter );
-+ double nVal;
-+ if ( pFormatter->IsNumberFormat( aString, nFormat, nVal ) )
-+ {
-+ bSpellErrors = false; // ignore the spelling errors
-+ }
- }
- }
- }
---
-1.7.6
-
+- double nVal;
+- if ( pFormatter->IsNumberFormat( aString, nFormat, nVal ) )
++ if (pPattern)
+ {
+- bSpellErrors = FALSE; // ignore the spelling errors
++ SvNumberFormatter* pFormatter = pDoc->GetFormatTable();
++ // without conditional format, as in ScColumn::SetString
++ sal_uInt32 nFormat = pPattern->GetNumberFormat( pFormatter );
++ double nVal;
++ if ( pFormatter->IsNumberFormat( aString, nFormat, nVal ) )
++ {
++ bSpellErrors = false; // ignore the spelling errors
++ }
+ }
+ }
+ }
diff --git a/2011-2713.patch b/2011-2713.patch
new file mode 100644
index 0000000..9ec577a
--- /dev/null
+++ b/2011-2713.patch
@@ -0,0 +1,242 @@
+diff --git a/sw/source/filter/ww8/ww8par3.cxx b/sw/source/filter/ww8/ww8par3.cxx
+index d6e6b84..c34c62e 100644
+--- a/sw/source/filter/ww8/ww8par3.cxx
++++ b/sw/source/filter/ww8/ww8par3.cxx
+@@ -471,20 +471,7 @@
+ sal_uInt8* WW8ListManager::GrpprlHasSprm(sal_uInt16 nId, sal_uInt8& rSprms,
+ sal_uInt8 nLen)
+ {
+- sal_uInt8* pSprms = &rSprms;
+- USHORT i=0;
+- while (i < nLen)
+- {
+- sal_uInt16 nAktId = maSprmParser.GetSprmId(pSprms);
+- if( nAktId == nId ) // Sprm found
+- return pSprms + maSprmParser.DistanceToData(nId);
+-
+- // gib Zeiger auf Daten
+- USHORT x = maSprmParser.GetSprmSize(nAktId, pSprms);
+- i = i + x;
+- pSprms += x;
+- }
+- return 0; // Sprm not found
++ return maSprmParser.findSprmData(nId, &rSprms, nLen);
+ }
+
+ class ListWithId : public std::unary_function<const WW8LSTInfo *, bool>
+@@ -525,8 +512,8 @@
+ std::deque<bool> &rNotReallyThere, sal_uInt16 nLevel,
+ ww::bytes &rParaSprms)
+ {
+- sal_uInt8 aBits1;
+- sal_uInt16 nStartNo = 0; // Start-Nr. fuer den Writer
++ sal_uInt8 aBits1(0);
++ sal_uInt16 nStartNo(0); // Start-Nr. fuer den Writer
+ SvxExtNumType eType; // Writer-Num-Typ
+ SvxAdjust eAdj; // Ausrichtung (Links/rechts/zent.)
+ sal_Unicode cBullet(0x2190); // default safe bullet
+@@ -560,7 +547,7 @@
+ if( !bLVLOkB )
+ return false;
+
+- sal_uInt8 ixchFollow;
++ sal_uInt8 ixchFollow(0);
+ rSt >> ixchFollow;
+ if (ixchFollow == 0)
+ rReader.maTracer.Log(sw::log::eTabInNumbering);
+diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx
+index 0bb532a..7d809d8 100644
+--- a/sw/source/filter/ww8/ww8scan.hxx
++++ b/sw/source/filter/ww8/ww8scan.hxx
+@@ -145,6 +145,11 @@ public:
+ /// The minimum acceptable sprm len possible for this type of parser
+ int MinSprmLen() const { return (IsSevenMinus(meVersion)) ? 2 : 3; }
+
++ /// Returns the offset to data of the first sprm of id nId, 0
++ // if not found. nLen must be the <= length of pSprms
++ sal_uInt8* findSprmData(UINT16 nId, sal_uInt8* pSprms, UINT16 nLen)
++ const;
++
+ inline int getVersion() const { return meVersion; } //cmc, I'm dubious about the usage of this, how can it be 0
+ };
+
+diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
+index a4829e1..92cf106 100644
+--- a/sw/source/filter/ww8/ww8par2.cxx
++++ b/sw/source/filter/ww8/ww8par2.cxx
+@@ -3775,21 +3775,7 @@
+ if( !pParaSprms || !nSprmsLen )
+ return 0;
+
+- const BYTE* pSprms = pParaSprms;
+- USHORT i, x;
+-
+- for( i=0; i < nSprmsLen; )
+- {
+- USHORT nAktId = maSprmParser.GetSprmId(pSprms);
+- // Sprm found ?
+- if( nAktId == nId )
+- return pSprms + maSprmParser.DistanceToData(nId);
+-
+- x = maSprmParser.GetSprmSize(nAktId, pSprms);
+- i = i + x;
+- pSprms += x;
+- }
+- return 0; // Sprm not found
++ return maSprmParser.findSprmData(nId, pParaSprms, nSprmsLen);
+ }
+
+ void WW8RStyle::ImportSprms(BYTE *pSprms, short nLen, bool bPap)
+@@ -3803,11 +3789,11 @@
+ nSprmsLen = nLen;
+ }
+
+- while ( nLen > 0 )
++ WW8SprmIter aSprmIter(pSprms, nLen, maSprmParser);
++ while (const sal_uInt8* pSprm = aSprmIter.GetSprms())
+ {
+- USHORT nL1 = pIo->ImportSprm(pSprms);
+- nLen = nLen - nL1;
+- pSprms += nL1;
++ pIo->ImportSprm(pSprm);
++ aSprmIter.advance();
+ }
+
+ pParaSprms = 0;
+diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
+index 70d4cc0..3a18004 100644
+--- a/sw/source/filter/ww8/ww8scan.cxx
++++ b/sw/source/filter/ww8/ww8scan.cxx
+@@ -1486,7 +1486,12 @@
+ if( nFcPos == WW8_FC_MAX )
+ return nFallBackCpEnd;
+
+- bool bIsUnicode = false;
++ bool bIsUnicode;
++ if (pWw8Fib->nVersion >= 8)
++ bIsUnicode = false;
++ else
++ bIsUnicode = pWw8Fib->fExtChar ? true : false;
++
+ if( pPieceIter ) // Complex File ?
+ {
+ ULONG nOldPos = pPieceIter->GetIdx();
+@@ -1502,15 +1507,14 @@
+ break;
+ }
+ INT32 nFcStart = SVBT32ToUInt32( ((WW8_PCD*)pData)->fc );
+- if( 8 <= pWw8Fib->nVersion )
++ if (pWw8Fib->nVersion >= 8)
+ {
+ nFcStart = WW8PLCFx_PCD::TransformPieceAddress( nFcStart,
+ bIsUnicode );
+ }
+ else
+ {
+- if (pWw8Fib->fExtChar)
+- bIsUnicode=true;
++ bIsUnicode = pWw8Fib->fExtChar ? true : false;
+ }
+ INT32 nLen = (nCpEnd - nCpStart) * (bIsUnicode ? 2 : 1);
+
+@@ -1545,10 +1549,13 @@
+ */
+ return nFallBackCpEnd;
+ }
+- // No complex file
+- if (pWw8Fib->fExtChar)
+- bIsUnicode=true;
+- return ((nFcPos - pWw8Fib->fcMin) / (bIsUnicode ? 2 : 1));
++
++ // No complex file
++ if (!bIsUnicode)
++ nFallBackCpEnd = (nFcPos - pWw8Fib->fcMin);
++ else
++ nFallBackCpEnd = (nFcPos - pWw8Fib->fcMin + 1) / 2;
++ return nFallBackCpEnd;
+ }
+
+ WW8_FC WW8ScannerBase::WW8Cp2Fc(WW8_CP nCpPos, bool* pIsUnicode,
+@@ -1563,8 +1570,14 @@
+ if( !pIsUnicode )
+ pIsUnicode = &bIsUnicode;
+
++ if (pWw8Fib->nVersion >= 8)
++ *pIsUnicode = false;
++ else
++ *pIsUnicode = pWw8Fib->fExtChar ? true : false;
++
+ if( pPieceIter )
+- { // Complex File
++ {
++ // Complex File
+ if( pNextPieceCp )
+ *pNextPieceCp = WW8_CP_MAX;
+
+@@ -1592,14 +1605,11 @@
+ *pNextPieceCp = nCpEnd;
+
+ WW8_FC nRet = SVBT32ToUInt32( ((WW8_PCD*)pData)->fc );
+- if (8 > pWw8Fib->nVersion)
+- if (pWw8Fib->fExtChar)
+- *pIsUnicode=true;
+- else
+- *pIsUnicode = false;
+- else
+- nRet = WW8PLCFx_PCD::TransformPieceAddress( nRet, *pIsUnicode );
+
++ if (pWw8Fib->nVersion >= 8)
++ nRet = WW8PLCFx_PCD::TransformPieceAddress( nRet, *pIsUnicode );
++ else
++ *pIsUnicode = pWw8Fib->fExtChar ? true : false;
+
+ nRet += (nCpPos - nCpStart) * (*pIsUnicode ? 2 : 1);
+
+@@ -1607,10 +1617,6 @@
+ }
+
+ // No complex file
+- if (pWw8Fib->fExtChar)
+- *pIsUnicode = true;
+- else
+- *pIsUnicode = false;
+ return pWw8Fib->fcMin + nCpPos * (*pIsUnicode ? 2 : 1);
+ }
+
+@@ -2028,7 +2034,7 @@
+
+ String WW8Read_xstz(SvStream& rStrm, USHORT nChars, bool bAtEndSeekRel1)
+ {
+- UINT16 b;
++ UINT16 b(0);
+
+ if( nChars )
+ b = nChars;
+@@ -7393,6 +7399,27 @@
+ return 1 + mnDelta + SprmDataOfs(nId);
+ }
+
++sal_uInt8* wwSprmParser::findSprmData(UINT16 nId, sal_uInt8* pSprms,
++ UINT16 nLen) const
++{
++ while (nLen > (getVersion()?1:0))
++ {
++ UINT16 nAktId = GetSprmId(pSprms);
++ if (nAktId == nId) // Sprm found
++ return pSprms + DistanceToData(nId);
++
++ // gib Zeiger auf Daten
++ UINT16 nSize = GetSprmSize(nAktId, pSprms);
++ OSL_ENSURE(nSize <= nLen, "sprm longer than remaining bytes");
++ //Clip to available size if wrong
++ nSize = std::min(nSize, nLen);
++ pSprms += nSize;
++ nLen -= nSize;
++ }
++ // Sprm not found
++ return 0;
++}
++
+ SEPr::SEPr() :
+ bkc(2), fTitlePage(0), fAutoPgn(0), nfcPgn(0), fUnlocked(0), cnsPgn(0),
+ fPgnRestart(0), fEndNote(1), lnc(0), grpfIhdt(0), nLnnMod(0), dxaLnn(0),
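Review bot: In the new `wwSprmParser::findSprmData` (ww8scan.cxx part of the embedded patch) the clip to `nLen` only protects sprms that are skipped. When `nAktId == nId` the function returns `pSprms + DistanceToData(nId)` before `GetSprmSize` is consulted, so a matching sprm whose declared size exceeds the remaining bytes still gives the caller a pointer whose operand may lie past the end of the buffer. Compute the size first and accept the match only when it fits: `UINT16 nSize = GetSprmSize(nAktId, pSprms);` then `if (nAktId == nId && nSize <= nLen) return pSprms + DistanceToData(nId);`. The loop guard `nLen > (getVersion()?1:0)` also looks weaker than the `MinSprmLen()` helper (2 or 3 bytes) visible just above the new prototype in ww8scan.hxx, so `while (nLen >= MinSprmLen())` is probably the safer bound; confirm against what `GetSprmId` and `GetSprmSize` actually read, since neither is shown here. On the documentation side, the second line of the new header comment starts with `//` instead of `///`, and it says "offset" although the function returns a pointer.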
diff --git a/openoffice.org.spec b/openoffice.org.spec
index deff980..96a763b 100644
--- a/openoffice.org.spec
+++ b/openoffice.org.spec
@@ -180,6 +180,7 @@ Patch96: 0001-rhbz-667082-do-not-crash-importing-section-containin.patch
Patch97: 0001-add-missing-xsl-when-start-tag.patch
Patch98: 0001-Resolves-fdo-39159-don-t-restore-original-view-setti.patch
Patch99: 0001-Resolves-rhbz-738255-avoid-crash-on-NULL-pointer.patch
+Patch100: 2011-2713.patch
%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%define instdir %{_libdir}
@@ -1776,6 +1777,7 @@ cp -p %{SOURCE5} external/unowinreg/unowinreg.dll
%patch97 -p1 -b .add-missing-xsl-when-start-tag.patch
%patch98 -p1 -b .fdo39159-don-t-restore-original-view-setti.patch
%patch99 -p1 -b .rhbz738255-avoid-crash-on-NULL-pointer.patch
+%patch100 -p1 -b .2011-2713.patch
touch scripting/source/pyprov/delzip
touch scripting/util/provider/beanshell/delzip
touch scripting/util/provider/javascript/delzip
@@ -3971,7 +3973,8 @@ unopkg remove --shared org.openoffice.legacy.ScriptProviderForPython.zip > /dev/
%endif
%changelog
-* Thu Sep 15 2011 Caolán McNamara <caolanm at redhat.com>- 1:3.3.0-20.8-UNBUILT
+* Thu Oct 06 2011 Caolán McNamara <caolanm at redhat.com>- 1:3.3.0-20.8
+- CVE-2011-2713
- Resolves: rhbz#738255 avoid crash sc inputhdl NULL
* Mon Aug 08 2011 Caolán McNamara <caolanm at redhat.com>- 1:3.3.0-20.7