Re: About libreoffice CVE
On 2017-11-24 11:49:34, Antoine Beaupré wrote:
> I think I got a pretty good patchset now, attached.
Well well... debdiff clearly doesn't like libreoffice - it crashes with:
cp: erreur d'écriture de './libreoffice_3.5.4+dfsg2.orig-translations.tar.xz': Aucun espace disponible sur le périphérique
anyways, here are the two patches instead...
a.
--
Men often become what they believe themselves to be. If I believe I
cannot do something, it makes me incapable of doing it. But when I
believe I can, then I acquire the ability to do it even if I didn't
have it in the beginning.
- Mahatma Gandhi
>From 334dba623dfb0c4fb2b5292c2d03741b7b33aef1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Wed, 26 Aug 2015 11:25:03 +0100
Subject: fix crash on loading certain ppts
Change-Id: I544a67e3706c7d12414cc075118ef2f0f5ddd0f6
--- a/filter/source/msfilter/svdfppt.cxx
+++ b/filter/source/msfilter/svdfppt.cxx
@@ -4017,13 +4017,13 @@ PPTStyleSheet::PPTStyleSheet( const DffR
rIn >> aTxMasterStyleHd;
if ( aTxMasterStyleHd.nRecType == PPT_PST_TxMasterStyleAtom )
{
- sal_uInt16 nLevelAnz;
+ sal_uInt16 nLevelAnz(0);
rIn >> nLevelAnz;
sal_uInt16 nLev = 0;
sal_Bool bFirst = sal_True;
bFoundTxMasterStyleAtom04 = sal_True;
- while ( rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz )
+ while (rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz && nLev < nMaxPPTLevels)
{
if ( nLev )
{
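Review bot: The new `nLev < nMaxPPTLevels` test caps only this loop condition, while `nLevelAnz`, which is read straight from the document, keeps whatever value the file supplied. Clamping it once after the read would make the bound explicit and cover any later use of the count: `if (nLevelAnz > nMaxPPTLevels) nLevelAnz = nMaxPPTLevels; // level count is file-controlled`. The loop body and the rest of the constructor lie outside the hunk, so it cannot be confirmed from here whether `nLevelAnz` is used again. A short comment on the `while` line saying that extra levels are deliberately ignored would also help the next reader.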
--- libreoffice-3.5.4+dfsg2.orig/filter/inc/filter/msfilter/svdfppt.hxx
+++ libreoffice-3.5.4+dfsg2/filter/inc/filter/msfilter/svdfppt.hxx
@@ -178,6 +178,8 @@ const sal_uInt32 PPTInventor = sal_uInt3
+ sal_uInt32('T') * 0x00010000
+ sal_uInt32('0') * 0x01000000;
+const int nMaxPPTLevels = 5;
+
// Object-Ids fuer StarDraw UserData
#define PPT_OBJECTINFO_ID (1)
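Review bot: `nMaxPPTLevels` is introduced without a comment, although it is now the size of every per-level array in this header (`aExtParaLevel`, `maCharLevel`, `maParaLevel`, `nTextOfs`, `nBulletOfs`). I would add something like `// number of text levels per PPT style sheet; every level index or count taken from a file must be checked against this before indexing the per-level arrays`. Only one reader loop in svdfppt.cxx is bounded in this patch; other places that index these arrays with a file-derived level are not visible here and presumably need the same check. Declaring it `const sal_uInt16` would match the type of `nLev` it is compared with.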
@@ -708,7 +710,7 @@ struct PPTExtParaLevel
struct PPTExtParaSheet
{
- PPTExtParaLevel aExtParaLevel[ 5 ];
+ PPTExtParaLevel aExtParaLevel[nMaxPPTLevels];
};
struct PPTBuGraEntry
@@ -755,7 +757,7 @@ struct PPTCharLevel
struct PPTCharSheet
{
- PPTCharLevel maCharLevel[ 5 ];
+ PPTCharLevel maCharLevel[nMaxPPTLevels];
PPTCharSheet( sal_uInt32 nInstance );
PPTCharSheet( const PPTCharSheet& rCharSheet );
@@ -788,7 +790,7 @@ struct PPTParaSheet
{
public:
- PPTParaLevel maParaLevel[ 5 ];
+ PPTParaLevel maParaLevel[nMaxPPTLevels];
PPTParaSheet( sal_uInt32 nInstance );
PPTParaSheet( const PPTParaSheet& rParaSheet );
@@ -963,8 +965,8 @@ struct PPTRuler
sal_Int32 nFlags;
sal_uInt16 nDefaultTab;
- sal_uInt16 nTextOfs[ 5 ];
- sal_uInt16 nBulletOfs[ 5 ];
+ sal_uInt16 nTextOfs[nMaxPPTLevels];
+ sal_uInt16 nBulletOfs[nMaxPPTLevels];
PPTTabEntry* pTab;
sal_uInt16 nTabCount;
>From 42a709d1ef647aab9a1c9422b4e25ecaee857aba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Fri, 21 Aug 2015 09:52:29 +0100
Subject: add ww6 test dir and fix a crash
Change-Id: Id08176640672095c03e0b124cd65a9dce26ac2db
--- a/sw/qa/core/filters-test.cxx
+++ b/sw/qa/core/filters-test.cxx
@@ -94,6 +94,10 @@ void SwFiltersTest::testCVEs()
testDir(rtl::OUString(RTL_CONSTASCII_USTRINGPARAM("MS Word 97")),
getURLFromSrc("/sw/qa/core/data/ww8/"),
rtl::OUString(RTL_CONSTASCII_USTRINGPARAM("CWW8")));
+
+ testDir(rtl::OUString(RTL_CONSTASCII_USTRINGPARAM("MS WinWord 6.0")),
+ getURLFromSrc("/sw/qa/core/data/ww6/"),
+ rtl::OUString(RTL_CONSTASCII_USTRINGPARAM("sWW6")));
}
void SwFiltersTest::setUp()
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -4361,6 +4361,14 @@ void WW8RStyle::ImportOldFormatStyles()
std::vector< std::vector<sal_uInt8> > aConvertedChpx;
while (nByteCount < cbChpx)
{
+ if (stcp == aCHPXOffsets.size())
+ {
+ //more data than style slots, skip remainder
+ rSt.SeekRel(cbChpx-nByteCount);
+ nByteCount += cbChpx-nByteCount;
+ break;
+ }
+
sal_uInt8 cb;
rSt >> cb;
nByteCount++;
@@ -4383,12 +4391,7 @@ void WW8RStyle::ImportOldFormatStyles()
else
aConvertedChpx.push_back( std::vector<sal_uInt8>() );
- stcp++;
- if (stcp == nStyles)
- {
- rSt.SeekRel(cbChpx-nByteCount);
- nByteCount += cbChpx-nByteCount;
- }
+ ++stcp;
}
std::vector<pxoffset> aPAPXOffsets(stcp);
@@ -4398,6 +4401,12 @@ void WW8RStyle::ImportOldFormatStyles()
stcp=0;
while (nByteCount < cbPapx)
{
+ if (stcp == aPAPXOffsets.size())
+ {
+ rSt.SeekRel(cbPapx-nByteCount);
+ nByteCount += cbPapx-nByteCount;
+ }
+
sal_uInt8 cb;
rSt >> cb;
nByteCount++;
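Review bot: The guard added at the top of the PAPX loop has no `break;`, unlike the matching CHPX guard in the hunk at -4361. Once `stcp == aPAPXOffsets.size()`, control therefore falls through to `rSt >> cb; nByteCount++;` and runs one more iteration with `stcp` already equal to the vector size. The rest of the loop body is outside the hunk, but if it stores into `aPAPXOffsets[stcp]`, as the CHPX loop appears to do with its own vector, that iteration writes past the end on a path driven by file contents. Add `break;` after `nByteCount += cbPapx-nByteCount;`, and repeat the `//more data than style slots, skip remainder` comment so the two loops read alike.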
@@ -4419,13 +4428,7 @@ void WW8RStyle::ImportOldFormatStyles()
nByteCount += nRemainder;
}
- stcp++;
-
- if (stcp == nStyles)
- {
- rSt.SeekRel(cbPapx-nByteCount);
- nByteCount += cbPapx-nByteCount;
- }
+ ++stcp;
}
sal_uInt16 iMac;