[apache-poi/f15] CVE-2012-0213 (bugs 799078, 820788)

Orion Poplawski orion at fedoraproject.org
Fri May 11 04:05:08 UTC 2012


commit 99686c2a2d75b004d8fdbd94d7309a5142754304
Author: Orion Poplawski <orion at cora.nwra.com>
Date:   Thu May 10 22:05:01 2012 -0600

    CVE-2012-0213 (bugs 799078, 820788)

 apache-poi-CVE-2012-0213.patch |   52 ++++++++++++++++++++++++++++++++++++++++
 apache-poi.spec                |    5 +++-
 2 files changed, 56 insertions(+), 1 deletions(-)
---
diff --git a/apache-poi-CVE-2012-0213.patch b/apache-poi-CVE-2012-0213.patch
new file mode 100644
index 0000000..61791f9
--- /dev/null
+++ b/apache-poi-CVE-2012-0213.patch
@@ -0,0 +1,52 @@
+--- src/java/org/apache/poi/poifs/storage/BlockAllocationTableReader.java	(revision 18070)
++++ src/java/org/apache/poi/poifs/storage/BlockAllocationTableReader.java	(revision 22336)
+@@ -221,12 +221,10 @@ 
+             } catch(IOException e) {
+                 if(currentBlock == headerPropertiesStartBlock) {
+                     // Special case where things are in the wrong order
+-                    System.err.println("Warning, header block comes after data blocks in POIFS block listing");
+                     currentBlock = POIFSConstants.END_OF_CHAIN;
+                 } else if(currentBlock == 0 && firstPass) {
+                     // Special case where the termination isn't done right
+                     //  on an empty set
+-                    System.err.println("Warning, incorrectly terminated empty data blocks in POIFS block listing (should end at -2, ended at 0)");
+                     currentBlock = POIFSConstants.END_OF_CHAIN;
+                 } else {
+                     // Ripple up
+--- src/scratchpad/src/org/apache/poi/hwpf/model/PropertyNode.java	(revision 18070)
++++ src/scratchpad/src/org/apache/poi/hwpf/model/PropertyNode.java	(revision 22336)
+@@ -49,7 +49,6 @@ 
+       _buf = buf;
+ 
+       if(_cpStart < 0) {
+-    	  System.err.println("A property claimed to start before zero, at " + _cpStart + "! Resetting it to zero, and hoping for the best");
+     	  _cpStart = 0;
+       }
+   }
+--- src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java	(revision 18070)
++++ src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java	(revision 22336)
+@@ -17,6 +17,8 @@ 
+ 
+ package org.apache.poi.hwpf.model;
+ 
++import java.util.Arrays;
++
+ public final class UnhandledDataStructure
+ {
+   byte[] _buf;
+@@ -24,13 +26,12 @@ 
+   public UnhandledDataStructure(byte[] buf, int offset, int length)
+   {
+ //    System.out.println("Yes, using my code");
+-    _buf = new byte[length];
+-    if (offset + length > buf.length)
++    if (offset + length > buf.length || (offset | length | offset+length) < 0)
+     {
+       throw new IndexOutOfBoundsException("buffer length is " + buf.length +
+                                           "but code is trying to read " + length + " from offset " + offset);
+     }
+-    System.arraycopy(buf, offset, _buf, 0, length);
++    _buf = Arrays.copyOfRange(buf, offset, offset + length);
+   }
+ 
+   byte[] getBuf()
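Review bot: The new guard in the UnhandledDataStructure constructor, `(offset | length | offset+length) < 0`, appears to carry the security fix but has no comment explaining it. It rejects a negative offset or length and an int overflow of their sum, and the patch moves the allocation after the check so a bad length no longer reaches `new byte[length]`. I would add a comment above the `if`, such as `// Validate before allocating: rejects negative offset/length and int overflow of offset+length.` The exception text on the context line below also runs the buffer length into the next word; `"but code is trying to read "` should begin with a space. The two other inner hunks remove the System.err warnings without replacement, so the wrong-order and negative-start recoveries become silent; whether a logger call should replace them cannot be judged from these lines, and the class body continues past the end of the hunk.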
diff --git a/apache-poi.spec b/apache-poi.spec
index d7a4dd8..04274b8 100644
--- a/apache-poi.spec
+++ b/apache-poi.spec
@@ -2,7 +2,7 @@
 
 Name:           apache-poi
 Version:        3.7
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        The Java API for Microsoft Documents
 
 Group:          Development/Libraries
@@ -173,6 +173,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Thu May 10 2012 Orion Poplawski <orion at cora.nwra.com> - 3.7-7
+- CVE-2012-0213 (bugs 799078, 820788)
+
 * Wed Apr 20 2011 Orion Poplawski <orion at cora.nwra.com> - 3.7-6
 - Add BR fontconfig needed for java tests to find fonts
 - Fix javadoc link
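Review bot: Nothing in the visible spec changes applies apache-poi-CVE-2012-0213.patch: the two hunks only bump Release to 7 and add the changelog entry, and the diffstat for apache-poi.spec (4 insertions, 1 deletion) leaves no room for a patch declaration. Unless the spec already picks this file up outside these hunks, 3.7-7 would be built without the fix while its changelog claims it. The spec needs both a declaration and an application step, for example `PatchN: apache-poi-CVE-2012-0213.patch` in the preamble and `%patchN -p0` in %prep. N is a placeholder for the next free patch number, and -p0 assumes the build directory is the source root, since the paths inside the patch start at `src/`.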

