[libreoffice/f19] Resolves: rhbz#1165740 CVE-2014-9093 backport some arbitrary rtf crash fixes
Caolán McNamara
caolanm at fedoraproject.org
Wed Nov 26 15:12:24 UTC 2014
commit 6f052fccc4e3dc3ecf46a5f06562acbe0f40e306
Author: Caolán McNamara <caolanm at redhat.com>
Date: Wed Nov 26 15:12:15 2014 +0000
Resolves: rhbz#1165740 CVE-2014-9093 backport some arbitrary rtf crash fixes
...do-86449-CVE-2014-9093-backport-rtf-fixes.patch | 382 ++++++++++++++++++++
libreoffice.spec | 6 +-
2 files changed, 387 insertions(+), 1 deletions(-)
---
diff --git a/0001-Resolves-fdo-86449-CVE-2014-9093-backport-rtf-fixes.patch b/0001-Resolves-fdo-86449-CVE-2014-9093-backport-rtf-fixes.patch
new file mode 100644
index 0000000..b25a39a
--- /dev/null
+++ b/0001-Resolves-fdo-86449-CVE-2014-9093-backport-rtf-fixes.patch
@@ -0,0 +1,382 @@
+From 8f8dc43621029459f28cf82228fe0931124f769e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm at redhat.com>
+Date: Wed, 20 Aug 2014 08:56:54 +0100
+Subject: [PATCH] Resolves: fdo#86449 CVE-2014-9093 backport rtf fixes
+
+The actual bug is against 3.5.4 and 4.2 doesn't crash in anything like the same
+way but it does still crash. So these fixes stop the provided examples from
+crashing in 4.2 on using top on an empty stack, which isn't the same as
+actually being a fix for CVE-2014-9093 as seen in 3.5.X
+
+empty Reference
+
+valgrind + bff
+
+(cherry picked from commit 0a42632a74596cbc781746931bf8f2650994b80f)
+
+empty m_aStates
+
+valgrind + bff
+
+(cherry picked from commit e3247719911f4e9b61ec43ea1c9ce04bcddc4ff8)
+
+3bd526b7ebf0f4fce5d0c7054809e0dc2908e73f
+Reviewed-on: https://gerrit.libreoffice.org/12965
+Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
+Tested-by: Miklos Vajna <vmiklos at collabora.co.uk>
+
+(cherry picked from commit b4840d3632e4404bee4bd192a7db916cbad3a401)
+
+Conflicts:
+ writerfilter/source/dmapper/DomainMapperTableHandler.cxx
+ writerfilter/source/rtftok/rtfdocumentimpl.cxx
+
+Resolves: fdo#86451 guard all the tops post pop
+
+Reviewed-on: https://gerrit.libreoffice.org/12966
+Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
+Tested-by: Miklos Vajna <vmiklos at collabora.co.uk>
+(cherry picked from commit 566300ebd57e6ff07fdb014321e23a92c9bcf5ee)
+
+Conflicts:
+ writerfilter/source/rtftok/rtfdocumentimpl.cxx
+
+98be6f014893dfc7cee770c44cd9d0be32b39f5c
+
+Change-Id: Id3c039a46dec5d2d4a4642dfb53d23a76972dde2
+---
+ ...7381c4a46d642c79a4b1817dc0-101375-minimized.rtf | 62 +++++++++++++++
+ ...7381c4a46d642c79a4b1817dc0-108116-minimized.rtf | 62 +++++++++++++++
+ writerfilter/source/rtftok/rtfdocumentimpl.cxx | 87 +++++++++++++---------
+ 3 files changed, 177 insertions(+), 34 deletions(-)
+ create mode 100644 writerfilter/qa/cppunittests/rtftok/data/pass/sf_2063317381c4a46d642c79a4b1817dc0-101375-minimized.rtf
+ create mode 100644 writerfilter/qa/cppunittests/rtftok/data/pass/sf_2063317381c4a46d642c79a4b1817dc0-108116-minimized.rtf
+
+diff --git a/writerfilter/qa/cppunittests/rtftok/data/pass/sf_2063317381c4a46d642c79a4b1817dc0-101375-minimized.rtf b/writerfilter/qa/cppunittests/rtftok/data/pass/sf_2063317381c4a46d642c79a4b1817dc0-101375-minimized.rtf
+new file mode 100644
+index 0000000..44dae52
+--- /dev/null
++++ b/writerfilter/qa/cppunittests/rtftok/data/pass/sf_2063317381c4a46d642c79a4b1817dc0-101375-minimized.rtf
+@@ -0,0 +1,62 @@
++{\rtf1\ansi\deff0\adeflang1025
++{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Times New Roman;}{\f4\froman\fprq2\fcharset128 Arial Narrow;}{\f5\froman\fprq0\fcharset128 Arial Narrow;}{\f6\froman\fprq2\fcharset128 Symbol;}{\f7\froman\fprq0\fcharset128 Symbol;}{\f8\froman\fprq2\fcharset128 Wingdings;}{\f9\froman\fprq0\fcharset128 Wingdings;}{\f10\froman\fprq0\fcharset128 Times New Roman;}{\f11\fnil\fprq2\fcharset0 Microsoft YaHei;}{\f12\fnil\fprq2\fcharset128 SimSun;}{\f13\fnil\fprq2\fcharset128 Times New Roman (Arabic);}{\f14\fnil\fprq0\fcharset128 Times New Roman (Arabic);}{\f15\fnil\fprq2\fcharset128 Times New Roman;}{\f16\fnil\fprq0\fcharset128 Times New Roman;}{\f17\fnil\fprq2\fcharset0 Mangal;}{\f18\fnil\fprq0\fcharset128 Mangal;}{\f19\fnil\fprq2\fcharset128 Mangal;}{\f20\fnil\fprq2\fcharset128 Cambria Math;}{\f21\fnil\fprq0\fcharset128 Cambria Math;}}
++{\colortbl;\red0\green0\blue0;\red0\green0\blue255;\red128\green128\blue128;}
++{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040 Predefinito;}
++{\s15\sbasedon0\snext16\sb240\sa120\keepn\hich\af11\dbch\af17\afs28\loch\f2\fs28 Intestazione;}
++{\s16\sbasedon0\snext16\sb0\sa120 Corpo testo;}
++{\s17\sbasedon16\snext17\sb0\sa120\dbch\af18 Elenco;}
++{\s18\sbasedon0\snext18\sb120\sa120\noline\i\dbch\af18\afs24\ai\fs24 Didascalia;}
++{\s19\sbasedon0\snext19\noline\dbch\af18 Indice;}
++}{\info{\creatim\yr2011\mo9\dy28\hr16\min28}{\revtim\yr2011\mo9\dy28\hr16\min29}{\printim\yr0\mo0\dy0\hr0\min0}{\comment LibreOffice}{\vern3500}}\deftab720
++
++{\*\pgdsctbl
++{\pgdsc0\pgdscuse195\pgwsxn12240\pghsxn15840\marglsxn1134\margrsxn1134\margtsxn1417\margbsxn1134\pgdscnxt0 Predefinito;}}
++\formshade{\*\pgdscno0}\paperh15840\paperw12240\margl1134\margr1134\margt1417\margb1134\sectd\sbknone\sectunlocked1\pgndec\pgwsxn12240\pghsxn15840\marglsxn1134\margrsxn1134\margtsxn1417\margbsxn1134\ftnbj\ftnstart1\ftnrstcont\ftnnar\aenddoc\aftnrstcont\aftnstart1\aftnnrlc
++\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx9864\pgndec\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\keepn{\scaps\b\hich\af14\langfe1040\dbch\af14\afs26\alang1025\ab\rtlch \ltrch\loch\fs26\lang1040\loch\f5
++SSSSSSS SSSSSSS curriculum vitae}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\langfe1040\dbch\af14\afs16\alang1025\rtlch \ltrch\loch\fs16\lang1040\loch\f5
++}\cell\row\pard\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\keepn{\scaps\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++Informazioni personali}\cell\row\pard\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2895\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40\keepn{\hich\af14\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++Nome}\cell\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2895\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\scaps\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSSSSSS SSSSSSS}\cell\cell\row\pard\trowd\trql\trleft-108\ltrrow\trrh876\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvert`lt\cellx2623\clvertalt\cellx2896\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\h{phmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40\keepn{\hich\af14\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++Indirizzo}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\scaps\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSS S. SSSSSSSS SSSS}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40[\scaps\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSSSSS SSSSS SSSSSS}\cell\row\pard\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2896\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40\keepn{\hich\af14\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++Telefono}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSSSSSSSSS}\cell\row\pard\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2896\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40\keepn{\langfe1040\dbch\af14\afs22\alang1025\rtlch \ltrch\loch\fs22\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\b\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++}\cell\row\pard\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2896\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40\keepn{\hich\af14\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++E-mail}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSSSSSSSSSSSSSSSSSSSSS}\cell\row\pard\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb120\sa0{\rtlch \ltrch\loch
++}
++\par \trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2895\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb20\sa20\keepn{\hich\af14\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++Nazionalit\'e0}\cell\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2895\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb20\sa20{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSSSSSSS}\cell\cell\row\pard\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb20\sa20{\rtlch \ltrch\loch
++}
++\par \trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2895\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb20\sa20\keepn{\hich\af14\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++Luogo e Data di nascita}\cell\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2895\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb20\sa20{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSSSSS SSSSSSSSSS }\cell\cell\row\pard\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par }
+\ No newline at end of file
+diff --git a/writerfilter/qa/cppunittests/rtftok/data/pass/sf_2063317381c4a46d642c79a4b1817dc0-108116-minimized.rtf b/writerfilter/qa/cppunittests/rtftok/data/pass/sf_2063317381c4a46d642c79a4b1817dc0-108116-minimized.rtf
+new file mode 100644
+index 0000000..765dba9
+--- /dev/null
++++ b/writerfilter/qa/cppunittests/rtftok/data/pass/sf_2063317381c4a46d642c79a4b1817dc0-108116-minimized.rtf
+@@ -0,0 +1,62 @@
++{\rtf1\ansi\deff0\adeflang1025
++{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\froman\fprq2\fcharset2 Symbol;}{\f2\fswiss\fprq2\fcharset0 Arial;}{\f3\froman\fprq2\fcharset128 Times New Roman;}{\f4\froman\fprq2\fcharset128 Arial Narrow;}{\f5\froman\fprq0\fcharset128 Arial Narrow;}{\f6\froman\fprq2\fcharset128 Symbol;}{\f7\froman\fprq0\fcharset128 Symbol;}{\f8\froman\fprq2\fcharset128 Wingdings;}{\f9\froman\fprq0\fcharset128 Wingdings;}{\f10\froman\fprq0\fcharset128 Times New Roman;}{\f11\fnil\fprq2\fcharset0 Microsoft YaHei;}{\f12\fnil\fprq2\fcharset128 SimSun;}{\f13\fnil\fprq2\fcharset128 Times New Roman (Arabic);}{\f14\fnil\fprq0\fcharset128 Times New Roman (Arabic);}{\f15\fnil\fprq2\fcharset128 Times New Roman;}{\f16\fnil\fprq0\fcharset128 Times New Roman;}{\f17\fnil\fprq2\fcharset0 Mangal;}{\f18\fnil\fprq0\fcharset128 Mangal;}{\f19\fnil\fprq2\fcharset128 Mangal;}{\f20\fnil\fprq2\fcharset128 Cambria Math;}{\f21\fnil\fprq0\fcharset128 Cambria Math;}}
++{\colortbl;\red0\green0\blue0;\red0\green0\blue255;\red128\green128\blue128;}
++{\stylesheet{\s0\snext0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040 Predefinito;}
++{\s15\sbasedon0\snext16\sb240\sa120\keepn\hich\af11\dbch\af17\afs28\loch\f2\fs28 Intestazione;}
++{\s16\sbasedon0\snext16\sb0\sa120 Corpo testo;}
++{\s17\sbasedon16\snext17\sb0\sa120\dbch\af18 Elenco;}
++{\s18\sbasedon0\snext18\sb120\sa120\noline\i\dbch\af18\afs24\ai\fs24 Didascalia;}
++{\s19\sbasedon0\snext19\noline\dbch\af18 Indice;}
++}{\info{\creatim\yr2011\mo9\dy28\hr16\min28}{\revtim\yr2011\mo9\dy28\hr16\min29}{\printim\yr0\mo0\dy0\hr0\min0}{\comment LibreOffice}{\vern3500}}\deftab720
++
++{\*\pgdsctbl
++{\pgdsc0\pgdscuse195\pgwsxn12240\pghsxn15840\marglsxn1134\margrsxn1134\margtsxn1417\margbsxn1134\pgdscnxt0 Predefinito;}}
++\formshade{\*\pgdscno0}\paperh15840\paperw12240\margl1134\margr1134\margt1417\margb1134\sectd\sbknone\sectunlocked1\pgndec\pgwsxn12240\pghsxn15840\marglsxn1134\margrsxn1134\margtsxn1417\margbsxn1134\ftnbj\ftnstart1\ftnrstcont\ftnnar\aenddoc\aftnrstcont\aftnstart1\aftnnrlc
++\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx9864\pgndec\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\keepn{\scaps\b\hich\af14\langfe1040\dbch\af14\afs26\alang1025\ab\rtlch \ltrch\loch\fs26\lang1040\loch\f5
++SSSSSSS SSSSSSS curriculum vitae}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\langfe1040\dbch\af14\afs16\alang1025\rtlch \ltrch\loch\fs16\lang1040\loch\f5
++}\cell\row\pard\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\keepn{\scaps\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++Informazioni personali}\cell\row\pard\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2895\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40\keepn{\hich\af14\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++Nome}\cell\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2895\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\scaps\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSSSSSS SSSSSSS}\cell\cell\row\pard\trowd\trql\trleft-108\ltrrow\trrh876\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2896\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40\keepn{\hich\af14\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++Indirizzo}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\scaps\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSS S. SSSSSSSS SSSS}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\scaps\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSSSSS SSSSS SSSSSS}\cell\row\pard\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2896\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40\keepn{\hich\af14\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++Telefono}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSSSSSSSSS}\cell\row\pard\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2896\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40\keepn{\langfe1040\dbch\af14\afs22\alang1025\rtlch \ltrch\loch\fs22\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\b\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++}\cell\row\pard\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2896\clvertalt\cellx9864\pard\plain \sp\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40\keepn{\hich\af14\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++E-mail}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSSSSSSSSSSSSSSSSSSSSS}\cell\row\pard\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb120\sa0{\rtlch \ltrch\loch
++}
++\par \trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2895\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb20\sa20\keepn{\hich\af14\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++Nazionalit\'e0}\cell\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2895\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb20\sa20{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSSSSSSS}\cell\cell\row\pard\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb20\sa20{\rtlch \ltrch\loch
++}
++\par \trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2895\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\qr\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb20\sa20\keepn{\hich\af14\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++Luogo e Data di nascita}\cell\trowd\trql\trleft-108\ltrrow\trpaddft3\trpaddt0\trpaddfl3\trpaddl0\trpaddfb3\trpaddb0\trpaddfr3\trpaddr0\clvertalt\cellx2623\clvertalt\cellx2895\clvertalt\cellx9864\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb20\sa20{\langfe1040\dbch\af14\afs20\alang1025\rtlch \ltrch\loch\fs20\lang1040\loch\f5
++}\cell\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\intbl\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0\sb40\sa40{\b\hich\af14\langfe1040\dbch\af14\afs24\alang1025\ab\rtlch \ltrch\loch\fs24\lang1040\loch\f5
++SSSSSS SSSSSSSSSS }\cell\cell\row\pard\pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par \pard\plain \s0\nowidctlpar{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\cf0\kerning1\hich\af22\langfe2052\dbch\af17\afs24\alang1081\loch\f0\fs24\lang1040\ql\nowidctlpar\faauto\li0\ri0\lin0\rin0\fi0{\rtlch \ltrch\loch
++}
++\par }
+\ No newline at end of file
+diff --git a/writerfilter/source/rtftok/rtfdocumentimpl.cxx b/writerfilter/source/rtftok/rtfdocumentimpl.cxx
+index ca34825..f9ec8fb 100644
+--- a/writerfilter/source/rtftok/rtfdocumentimpl.cxx
++++ b/writerfilter/source/rtftok/rtfdocumentimpl.cxx
+@@ -4910,7 +4910,7 @@ int RTFDocumentImpl::popState()
+ case DESTINATION_PARAGRAPHNUMBERING:
+ {
+ RTFValue::Pointer_t pIdValue = aState.aTableAttributes.find(NS_rtf::LN_LSID);
+- if (pIdValue.get())
++ if (pIdValue.get() && !m_aStates.empty())
+ {
+ // Abstract numbering
+ RTFSprms aLeveltextAttributes;
+@@ -4979,18 +4979,21 @@ int RTFDocumentImpl::popState()
+ }
+ break;
+ case DESTINATION_PARAGRAPHNUMBERING_TEXTAFTER:
++ if (!m_aStates.empty())
+ {
+ RTFValue::Pointer_t pValue(new RTFValue(aState.aDestinationText.makeStringAndClear(), true));
+ m_aStates.top().aTableAttributes.set(NS_ooxml::LN_CT_LevelSuffix_val, pValue);
+ }
+ break;
+ case DESTINATION_PARAGRAPHNUMBERING_TEXTBEFORE:
++ if (!m_aStates.empty())
+ {
+ RTFValue::Pointer_t pValue(new RTFValue(aState.aDestinationText.makeStringAndClear(), true));
+ m_aStates.top().aTableAttributes.set(NS_ooxml::LN_CT_LevelText_val, pValue);
+ }
+ break;
+ case DESTINATION_LISTLEVEL:
++ if (!m_aStates.empty())
+ {
+ RTFValue::Pointer_t pInnerValue(new RTFValue(m_aStates.top().nListLevelNum++));
+ aState.aTableAttributes.set(NS_ooxml::LN_CT_Lvl_ilvl, pInnerValue);
+@@ -5003,6 +5006,7 @@ int RTFDocumentImpl::popState()
+ }
+ break;
+ case DESTINATION_LFOLEVEL:
++ if (!m_aStates.empty())
+ {
+ RTFValue::Pointer_t pInnerValue(new RTFValue(m_aStates.top().nListLevelNum++));
+ aState.aTableAttributes.set(NS_ooxml::LN_CT_NumLvl_ilvl, pInnerValue);
+@@ -5013,6 +5017,7 @@ int RTFDocumentImpl::popState()
+ break;
+ // list override table
+ case DESTINATION_LISTOVERRIDEENTRY:
++ if (!m_aStates.empty())
+ {
+ if (m_aStates.top().nDestinationState == DESTINATION_LISTOVERRIDEENTRY)
+ { // copy properties upwards so upper popState inserts it
+@@ -5029,36 +5034,43 @@ int RTFDocumentImpl::popState()
+ }
+ break;
+ case DESTINATION_LEVELTEXT:
++ if (!m_aStates.empty())
+ {
+ RTFValue::Pointer_t pValue(new RTFValue(aState.aTableAttributes));
+ m_aStates.top().aTableSprms.set(NS_ooxml::LN_CT_Lvl_lvlText, pValue);
+ }
+ break;
+ case DESTINATION_LEVELNUMBERS:
+- m_aStates.top().aTableSprms = aState.aTableSprms;
++ if (!m_aStates.empty())
++ m_aStates.top().aTableSprms = aState.aTableSprms;
+ break;
+ case DESTINATION_FIELDINSTRUCTION:
+- m_aStates.top().nFieldStatus = FIELD_INSTRUCTION;
++ if (!m_aStates.empty())
++ m_aStates.top().nFieldStatus = FIELD_INSTRUCTION;
+ break;
+ case DESTINATION_FIELDRESULT:
+- m_aStates.top().nFieldStatus = FIELD_RESULT;
++ if (!m_aStates.empty())
++ m_aStates.top().nFieldStatus = FIELD_RESULT;
+ break;
+ case DESTINATION_FIELD:
+ if (aState.nFieldStatus == FIELD_INSTRUCTION)
+ singleChar(0x15);
+ break;
+ case DESTINATION_SHAPEPROPERTYVALUEPICT:
++ if (!m_aStates.empty())
+ {
+ m_aStates.top().aPicture = aState.aPicture;
+ m_aStates.top().aDestinationText = aState.aDestinationText;
+ }
+ break;
+ case DESTINATION_FALT:
+- m_aStates.top().aTableSprms = aState.aTableSprms;
++ if (!m_aStates.empty())
++ m_aStates.top().aTableSprms = aState.aTableSprms;
+ break;
+ case DESTINATION_SHAPEPROPERTYNAME:
+ case DESTINATION_SHAPEPROPERTYVALUE:
+ case DESTINATION_SHAPEPROPERTY:
++ if (!m_aStates.empty())
+ {
+ m_aStates.top().aShape = aState.aShape;
+ m_aStates.top().aPicture = aState.aPicture;
+@@ -5068,19 +5080,23 @@ int RTFDocumentImpl::popState()
+ case DESTINATION_FLYMAINCONTENT:
+ case DESTINATION_SHPPICT:
+ case DESTINATION_SHAPE:
+- m_aStates.top().aFrame = aState.aFrame;
+- if (aState.nDestinationState == DESTINATION_SHPPICT && !m_aStates.empty() && m_aStates.top().nDestinationState == DESTINATION_LISTPICTURE)
++ if (!m_aStates.empty())
+ {
+- RTFSprms aAttributes;
+- aAttributes.set(NS_ooxml::LN_CT_NumPicBullet_numPicBulletId, RTFValue::Pointer_t(new RTFValue(m_nListPictureId++)));
+- RTFSprms aSprms;
+- // Dummy value, real picture is already sent to dmapper.
+- aSprms.set(NS_ooxml::LN_CT_NumPicBullet_pict, RTFValue::Pointer_t(new RTFValue(0)));
+- RTFValue::Pointer_t pValue(new RTFValue(aAttributes, aSprms));
+- m_aListTableSprms.set(NS_ooxml::LN_CT_Numbering_numPicBullet, pValue, false);
++ m_aStates.top().aFrame = aState.aFrame;
++ if (aState.nDestinationState == DESTINATION_SHPPICT && !m_aStates.empty() && m_aStates.top().nDestinationState == DESTINATION_LISTPICTURE)
++ {
++ RTFSprms aAttributes;
++ aAttributes.set(NS_ooxml::LN_CT_NumPicBullet_numPicBulletId, RTFValue::Pointer_t(new RTFValue(m_nListPictureId++)));
++ RTFSprms aSprms;
++ // Dummy value, real picture is already sent to dmapper.
++ aSprms.set(NS_ooxml::LN_CT_NumPicBullet_pict, RTFValue::Pointer_t(new RTFValue(0)));
++ RTFValue::Pointer_t pValue(new RTFValue(aAttributes, aSprms));
++ m_aListTableSprms.set(NS_ooxml::LN_CT_Numbering_numPicBullet, pValue, false);
++ }
+ }
+ break;
+ case DESTINATION_TITLE:
++ if (!m_aStates.empty())
+ {
+ if (m_aStates.top().nDestinationState == DESTINATION_TITLE)
+ // The parent is a title as well, just append what we have so far.
+@@ -5090,31 +5106,34 @@ int RTFDocumentImpl::popState()
+ }
+ break;
+ case DESTINATION_SHAPETEXT:
+- // If we're leaving the shapetext group (it may have nested ones) and this is a shape, not an old drawingobject.
+- if (m_aStates.top().nDestinationState != DESTINATION_SHAPETEXT && !m_aStates.top().aDrawingObject.bHadShapeText)
++ if (!m_aStates.empty())
+ {
+- m_aStates.top().bHadShapeText = true;
+- if (!m_aStates.top().pCurrentBuffer)
+- m_pSdrImport->close();
+- else
+- m_aStates.top().pCurrentBuffer->push_back(
+- Buf_t(BUFFER_ENDSHAPE));
+- }
++ // If we're leaving the shapetext group (it may have nested ones) and this is a shape, not an old drawingobject.
++ if (m_aStates.top().nDestinationState != DESTINATION_SHAPETEXT && !m_aStates.top().aDrawingObject.bHadShapeText)
++ {
++ m_aStates.top().bHadShapeText = true;
++ if (!m_aStates.top().pCurrentBuffer)
++ m_pSdrImport->close();
++ else
++ m_aStates.top().pCurrentBuffer->push_back(
++ Buf_t(BUFFER_ENDSHAPE));
++ }
+
+- // It's allowed to declare these inside the the shape text, and they
+- // are expected to have an effect for the whole shape.
+- if (aState.aDrawingObject.nLeft)
+- m_aStates.top().aDrawingObject.nLeft = aState.aDrawingObject.nLeft;
+- if (aState.aDrawingObject.nTop)
+- m_aStates.top().aDrawingObject.nTop = aState.aDrawingObject.nTop;
+- if (aState.aDrawingObject.nRight)
+- m_aStates.top().aDrawingObject.nRight = aState.aDrawingObject.nRight;
+- if (aState.aDrawingObject.nBottom)
+- m_aStates.top().aDrawingObject.nBottom = aState.aDrawingObject.nBottom;
++ // It's allowed to declare these inside the the shape text, and they
++ // are expected to have an effect for the whole shape.
++ if (aState.aDrawingObject.nLeft)
++ m_aStates.top().aDrawingObject.nLeft = aState.aDrawingObject.nLeft;
++ if (aState.aDrawingObject.nTop)
++ m_aStates.top().aDrawingObject.nTop = aState.aDrawingObject.nTop;
++ if (aState.aDrawingObject.nRight)
++ m_aStates.top().aDrawingObject.nRight = aState.aDrawingObject.nRight;
++ if (aState.aDrawingObject.nBottom)
++ m_aStates.top().aDrawingObject.nBottom = aState.aDrawingObject.nBottom;
++ }
+ break;
+ default:
+ {
+- if (m_aStates.size() && m_aStates.top().nDestinationState == DESTINATION_PICT)
++ if (!m_aStates.empty() && m_aStates.top().nDestinationState == DESTINATION_PICT)
+ m_aStates.top().aPicture = aState.aPicture;
+ }
+ break;
+--
+1.9.3
+
diff --git a/libreoffice.spec b/libreoffice.spec
index d0d522e..ac1cb5d 100644
--- a/libreoffice.spec
+++ b/libreoffice.spec
@@ -42,7 +42,7 @@ Summary: Free Software Productivity Suite
Name: libreoffice
Epoch: 1
Version: %{libo_version}.2
-Release: 9%{?libo_prerelease}%{?dist}
+Release: 10%{?libo_prerelease}%{?dist}
License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and Artistic and MPLv2.0
Group: Applications/Productivity
URL: http://www.libreoffice.org/default/
@@ -287,6 +287,7 @@ Patch50: 0001-Fix-fdo-71423-crash-while-editing-Impress-tables.patch
Patch51: 0001-Use-varying-aElement-name.patch
Patch52: 0001-Resolves-i125386-secured-user-request-and-changed-so.patch
Patch53: 0001-Disable-sdremote-by-default-and-improve-flow-control.patch
+Patch54: 0001-Resolves-fdo-86449-CVE-2014-9093-backport-rtf-fixes.patch
%define instdir %{_libdir}
%define baseinstdir %{instdir}/libreoffice
@@ -2164,6 +2165,9 @@ update-desktop-database %{_datadir}/applications &> /dev/null || :
%endif
%changelog
+* Wed Nov 26 2014 Caolán McNamara <caolanm at redhat.com> - 1:4.1.6.2-10
+- Resolves: rhbz#1165740 CVE-2014-9093 backport some arbitrary rtf crash fixes
+
* Tue Nov 25 2014 Caolán McNamara <caolanm at redhat.com> - 1:4.1.6.2-9
- Resolves: rhbz#1167503 CVE-2014-3693 Use-after-free in Impress Remote socket manager
More information about the scm-commits
mailing list