
Re: About libreoffice CVE



On 2017-11-24 11:49:34, Antoine Beaupré wrote:
> I think I got a pretty good patchset now, attached.

Well well... debdiff clearly doesn't like libreoffice - it crashes with:

cp: erreur d'écriture de './libreoffice_3.5.4+dfsg2.orig-translations.tar.xz': Aucun espace disponible sur le périphérique

anyways, here are the two patches instead...

a.

-- 
Men often become what they believe themselves to be. If I believe I
cannot do something, it makes me incapable of doing it. But when I
believe I can, then I acquire the ability to do it even if I didn't
have it in the beginning.
                         - Mahatma Gandhi
>From 334dba623dfb0c4fb2b5292c2d03741b7b33aef1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Wed, 26 Aug 2015 11:25:03 +0100
Subject: fix crash on loading certain ppts

Change-Id: I544a67e3706c7d12414cc075118ef2f0f5ddd0f6

--- a/filter/source/msfilter/svdfppt.cxx
+++ b/filter/source/msfilter/svdfppt.cxx
@@ -4017,13 +4017,13 @@ PPTStyleSheet::PPTStyleSheet( const DffR
             rIn >> aTxMasterStyleHd;
             if ( aTxMasterStyleHd.nRecType == PPT_PST_TxMasterStyleAtom )
             {
-                sal_uInt16 nLevelAnz;
+                sal_uInt16 nLevelAnz(0);
                 rIn >> nLevelAnz;
 
                 sal_uInt16 nLev = 0;
                 sal_Bool bFirst = sal_True;
                 bFoundTxMasterStyleAtom04 = sal_True;
-                while ( rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz )
+                while (rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz && nLev < nMaxPPTLevels)
                 {
                     if ( nLev )
                     {
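Review bot: The new `nLev < nMaxPPTLevels` bound in the `while` condition carries no comment saying why a count read from the file is capped, so a later cleanup could drop it as redundant with `nLev < nLevelAnz`. I would add above the loop `// nLevelAnz comes from the file; the per-level arrays hold only nMaxPPTLevels entries`. When nLevelAnz exceeds the cap the extra levels are skipped silently; whether the stream is then moved to the record end is not visible, because the loop body and what follows it lie outside this hunk. The constant is declared `const int` in svdfppt.hxx while nLev is `sal_uInt16`; the comparison promotes cleanly, but an unsigned type would match the index it bounds.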
--- libreoffice-3.5.4+dfsg2.orig/filter/inc/filter/msfilter/svdfppt.hxx
+++ libreoffice-3.5.4+dfsg2/filter/inc/filter/msfilter/svdfppt.hxx
@@ -178,6 +178,8 @@ const sal_uInt32 PPTInventor = sal_uInt3
                              + sal_uInt32('T') * 0x00010000
                              + sal_uInt32('0') * 0x01000000;
 
+const int nMaxPPTLevels = 5;
+
 // Object-Ids fuer StarDraw UserData
 #define PPT_OBJECTINFO_ID       (1)
 
@@ -708,7 +710,7 @@ struct PPTExtParaLevel
 
 struct PPTExtParaSheet
 {
-    PPTExtParaLevel aExtParaLevel[ 5 ];
+    PPTExtParaLevel aExtParaLevel[nMaxPPTLevels];
 };
 
 struct PPTBuGraEntry
@@ -755,7 +757,7 @@ struct PPTCharLevel
 
 struct PPTCharSheet
 {
-    PPTCharLevel    maCharLevel[ 5 ];
+    PPTCharLevel    maCharLevel[nMaxPPTLevels];
 
                     PPTCharSheet( sal_uInt32 nInstance );
                     PPTCharSheet( const PPTCharSheet& rCharSheet );
@@ -788,7 +790,7 @@ struct PPTParaSheet
 {
 public:
 
-    PPTParaLevel    maParaLevel[ 5 ];
+    PPTParaLevel    maParaLevel[nMaxPPTLevels];
 
                     PPTParaSheet( sal_uInt32 nInstance );
                     PPTParaSheet( const PPTParaSheet& rParaSheet );
@@ -963,8 +965,8 @@ struct PPTRuler
 
         sal_Int32           nFlags;
         sal_uInt16          nDefaultTab;
-        sal_uInt16          nTextOfs[ 5 ];
-        sal_uInt16          nBulletOfs[ 5 ];
+        sal_uInt16          nTextOfs[nMaxPPTLevels];
+        sal_uInt16          nBulletOfs[nMaxPPTLevels];
         PPTTabEntry*        pTab;
         sal_uInt16          nTabCount;
 
>From 42a709d1ef647aab9a1c9422b4e25ecaee857aba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Fri, 21 Aug 2015 09:52:29 +0100
Subject: add ww6 test dir and fix a crash

Change-Id: Id08176640672095c03e0b124cd65a9dce26ac2db

--- a/sw/qa/core/filters-test.cxx
+++ b/sw/qa/core/filters-test.cxx
@@ -94,6 +94,10 @@ void SwFiltersTest::testCVEs()
     testDir(rtl::OUString(RTL_CONSTASCII_USTRINGPARAM("MS Word 97")),
             getURLFromSrc("/sw/qa/core/data/ww8/"),
             rtl::OUString(RTL_CONSTASCII_USTRINGPARAM("CWW8")));
+
+    testDir(rtl::OUString(RTL_CONSTASCII_USTRINGPARAM("MS WinWord 6.0")),
+            getURLFromSrc("/sw/qa/core/data/ww6/"),
+            rtl::OUString(RTL_CONSTASCII_USTRINGPARAM("sWW6")));
 }
 
 void SwFiltersTest::setUp()
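Review bot: The added `testDir` call points at `/sw/qa/core/data/ww6/`, but nothing in the patch as posted creates that directory or puts a sample document in it. A plain text diff does not carry binary test documents, so for the 3.5.4 backport the regression file for the ww6 crash has to be added separately; how testDir behaves on a missing or empty directory is not visible here. Without the sample, the new guards in ww8par2.cxx are not exercised by this test.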
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -4361,6 +4361,14 @@ void WW8RStyle::ImportOldFormatStyles()
     std::vector< std::vector<sal_uInt8> > aConvertedChpx;
     while (nByteCount < cbChpx)
     {
+        if (stcp == aCHPXOffsets.size())
+        {
+            //more data than style slots, skip remainder
+            rSt.SeekRel(cbChpx-nByteCount);
+            nByteCount += cbChpx-nByteCount;
+            break;
+        }
+
         sal_uInt8 cb;
         rSt >> cb;
         nByteCount++;
@@ -4383,12 +4391,7 @@ void WW8RStyle::ImportOldFormatStyles()
         else
             aConvertedChpx.push_back( std::vector<sal_uInt8>() );
 
-        stcp++;
-        if (stcp == nStyles)
-    {
-            rSt.SeekRel(cbChpx-nByteCount);
-            nByteCount += cbChpx-nByteCount;
-    }
+        ++stcp;
     }
 
     std::vector<pxoffset> aPAPXOffsets(stcp);
@@ -4398,6 +4401,12 @@ void WW8RStyle::ImportOldFormatStyles()
     stcp=0;
     while (nByteCount < cbPapx)
     {
+        if (stcp == aPAPXOffsets.size())
+        {
+            rSt.SeekRel(cbPapx-nByteCount);
+            nByteCount += cbPapx-nByteCount;
+        }
+
         sal_uInt8 cb;
         rSt >> cb;
         nByteCount++;
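Review bot: The PAPX guard added at the top of this loop has no `break`, unlike the CHPX guard added earlier in the same function, so when `stcp == aPAPXOffsets.size()` control falls through to `rSt >> cb; nByteCount++;` and the rest of the iteration with stcp still equal to the vector size. The remainder of the loop body is outside the hunk, but if it stores into `aPAPXOffsets[stcp]`, as the naming suggests, that is an access one past the end driven by file contents. Add `break;` after the `nByteCount += cbPapx-nByteCount;` line inside the `if`, and carry over the CHPX comment `//more data than style slots, skip remainder` so the two guards read the same. ImportOldFormatStyles starts and ends outside the hunk.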
@@ -4419,13 +4428,7 @@ void WW8RStyle::ImportOldFormatStyles()
             nByteCount += nRemainder;
         }
 
-        stcp++;
-
-        if (stcp == nStyles)
-    {
-            rSt.SeekRel(cbPapx-nByteCount);
-            nByteCount += cbPapx-nByteCount;
-    }
+        ++stcp;
     }
 
     sal_uInt16 iMac;
