./packages/openofficeorg/3.2.1/unstable r2098: add 3.2.1-11+squeeze1 changes
------------------------------------------------------------
revno: 2098
committer: Rene Engelhard <rene@debian.org>
branch nick: debian
timestamp: Sun 2011-01-30 17:44:58 +0100
message:
add 3.2.1-11+squeeze1 changes
added:
patches/cws-hb22.diff
patches/security-fixes-from-cws-impress208.diff
patches/security-fixes-from-cws-os145.diff
patches/tread-invalid-path-segments-correctly.diff
modified:
changelog
patches/series
=== modified file 'changelog'
--- a/changelog 2010-12-28 13:17:49 +0000
+++ b/changelog 2011-01-30 16:44:58 +0000
@@ -1,3 +1,24 @@
+openoffice.org (1:3.2.1-11+squeeze1) testing-security; urgency=high
+
+ * debian/patches/tread-invalid-path-segments-correctly.diff:
+ fix directory traversal vulnerability in OOo (CVE-2010-3450)
+ * debian/patches/cws-hb22.diff: fix security issues:
+ - soffice script does not treat empty LD_LIBRARY_PATH like unset one
+ (CVE-2010-3689)
+ - Crash in WW8DopTypography::ReadFromMem (CVE-2010-3454)
+ - Crash in SwRTFParser::ReadNumSecLevel (CVE-2010-3452)
+ - Out of bounds write in WW8ListManager::WW8ListManager()
+ (CVE-2010-3453)
+ - Loading certain RTF document leads to corrupt table model
+ (CVE-2010-3451)
+ * debian/patches/security-fixes-drom-cws-os145.diff: fix
+ CVE-2010-4253: Heap based buffer overflow, PPT files.
+ * debian/patches//security-fixes-from-cws-impress208.diff: fix
+ possible heap overflow when reading manipulated TGA images
+ (CVE-2010-4643)
+
+ -- Rene Engelhard <rene@debian.org> Wed, 05 Jan 2011 22:22:53 +0100
+
openoffice.org (1:3.2.1-11) unstable; urgency=medium
* use dpkg -s instead of apt-cache show (closes: #607873)
=== added file 'patches/cws-hb22.diff'
--- a/patches/cws-hb22.diff 1970-01-01 00:00:00 +0000
+++ b/patches/cws-hb22.diff 2011-01-30 16:44:58 +0000
@@ -0,0 +1,280 @@
+--- openoffice.org-3.2.1/ooo-build-3-2-1-4/patches/dev300/apply-old 2010-09-02 15:30:17.000000000 +0200
++++ openoffice.org-3.2.1/ooo-build-3-2-1-4/patches/dev300/apply 2010-09-02 15:30:32.000000000 +0200
+@@ -4095,3 +4095,4 @@
+
+ [ Security ]
+ SA40775.diff
++cws-hb22.diff
+--- /dev/null 2010-09-20 03:09:33.932874377 +0200
++++ openoffice.org-3.2.1/ooo-build-3-2-1-4/patches/dev300/cws-hb22.diff 2010-09-20 20:42:45.000000000 +0200
+@@ -0,0 +1,270 @@
++diff --git a/binfilter/bf_sw/source/core/docnode/sw_ndtbl.cxx b/binfilter/bf_sw/source/core/docnode/sw_ndtbl.cxx
++--- binfilter/bf_sw/source/core/docnode/sw_ndtbl.cxx
+++++ binfilter/bf_sw/source/core/docnode/sw_ndtbl.cxx
++@@ -273,7 +273,13 @@
++ SwEndNode* pEndNd = new SwEndNode( aEndIdx, *pSttNd );
++
++ pPrvBox = new SwTableBox( pBoxFmt, *pSttNd, pLine );
++- pLine->GetTabBoxes().C40_INSERT( SwTableBox, pPrvBox, nInsPos + n );
+++
+++ SwTableBoxes & rTabBoxes = pLine->GetTabBoxes();
+++ USHORT nRealInsPos = nInsPos + n;
+++ if (nRealInsPos > rTabBoxes.Count())
+++ nRealInsPos = rTabBoxes.Count();
+++
+++ rTabBoxes.C40_INSERT( SwTableBox, pPrvBox, nRealInsPos );
++
++ if( NO_NUMBERING == pTxtColl->GetOutlineLevel()
++ //FEATURE::CONDCOLL
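Review bot: The clamp is applied after `nInsPos + n` has already been narrowed to `USHORT`, so a sum above the USHORT range would wrap to a small index that passes the `Count()` test and inserts the box at an unintended position; the types of `nInsPos` and `n` are declared outside the hunk, so confirm they cannot exceed that range. The clamp also silently repairs a position the document asked for, and a comment such as `// clamp: malformed input can request a position past the end of the line's boxes` would record why. The identical change in sw/source/core/docnode/ndtbl.cxx has the same two points. The enclosing function starts and ends outside the hunk.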
++diff --git a/desktop/scripts/soffice.sh b/desktop/scripts/soffice.sh
++--- desktop/scripts/soffice.sh
+++++ desktop/scripts/soffice.sh
++@@ -96,7 +96,7 @@
++ my_path=`"$sd_prog/../basis-link/ure-link/bin/javaldx" $BOOTSTRAPVARS \
++ "-env:INIFILENAME=vnd.sun.star.pathname:$sd_prog/redirectrc"`
++ if [ -n "$my_path" ] ; then
++- LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
+++ LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
++ export LD_LIBRARY_PATH
++ fi
++ fi
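Review bot: The `:+` form stops an empty `LD_LIBRARY_PATH` from leaving a trailing `:`, but an inherited value that itself contains an empty element (a leading or trailing colon, or `::`) is still appended unchanged, and the dynamic linker treats an empty element as the current directory. If that case matters for these launchers, strip empty elements from the inherited value before appending; at minimum add a comment such as `# :+ (not +): an empty LD_LIBRARY_PATH must not add an empty entry (= current directory)` so the operator is not reverted as a typo. The same applies to the matching hunks in unopkg.sh, spadmin.sh, python.sh, checkdll.sh, gengal.sh and ure/source/startup.sh.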
++diff --git a/desktop/scripts/unopkg.sh b/desktop/scripts/unopkg.sh
++--- desktop/scripts/unopkg.sh
+++++ desktop/scripts/unopkg.sh
++@@ -57,7 +57,7 @@
++ my_path=`"$sd_prog/../basis-link/ure-link/bin/javaldx" $BOOTSTRAPVARS \
++ "-env:INIFILENAME=vnd.sun.star.pathname:$sd_prog/redirectrc"`
++ if [ -n "$my_path" ] ; then
++- LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
+++ LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
++ export LD_LIBRARY_PATH
++ fi
++ fi
++diff --git a/padmin/source/spadmin.sh b/padmin/source/spadmin.sh
++--- padmin/source/spadmin.sh
+++++ padmin/source/spadmin.sh
++@@ -57,7 +57,7 @@
++ my_path=`"$sd_prog/../basis-link/ure-link/bin/javaldx" $BOOTSTRAPVARS \
++ "-env:INIFILENAME=vnd.sun.star.pathname:$sd_prog/redirectrc"`
++ if [ -n "$my_path" ] ; then
++- LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
+++ LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
++ export LD_LIBRARY_PATH
++ fi
++ fi
++diff --git a/pyuno/zipcore/python.sh b/pyuno/zipcore/python.sh
++--- pyuno/zipcore/python.sh
+++++ pyuno/zipcore/python.sh
++@@ -44,7 +44,7 @@
++ export PATH
++
++ # Set LD_LIBRARY_PATH so that "import pyuno" finds libpyuno.so:
++-LD_LIBRARY_PATH=$sd_prog/../basis-link/program:$sd_prog/../basis-link/ure-link/lib${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
+++LD_LIBRARY_PATH=$sd_prog/../basis-link/program:$sd_prog/../basis-link/ure-link/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
++ export LD_LIBRARY_PATH
++
++ # Set UNO_PATH so that "officehelper.bootstrap()" can find soffice executable:
++diff --git a/solenv/bin/checkdll.sh b/solenv/bin/checkdll.sh
++--- solenv/bin/checkdll.sh
+++++ solenv/bin/checkdll.sh
++@@ -51,22 +51,22 @@
++ shift # remove the trailing ---
++
++ case `uname -s` in
++- Darwin) case "${DYLD_LIBRARY_PATH+X}" in
+++ Darwin) case "${DYLD_LIBRARY_PATH:+X}" in
++ X) DYLD_LIBRARY_PATH=$libpath:$DYLD_LIBRARY_PATH;;
++ *) DYLD_LIBRARY_PATH=$libpath;;
++ esac
++ export DYLD_LIBRARY_PATH;;
++- IRIX) case "${LD_LIBRARYN32_PATH+X}" in
+++ IRIX) case "${LD_LIBRARYN32_PATH:+X}" in
++ X) LD_LIBRARYN32_PATH=$libpath:$LD_LIBRARYN32_PATH;;
++ *) LD_LIBRARYN32_PATH=$libpath;;
++ esac
++ export LD_LIBRARYN32_PATH;;
++- IRIX64) case "${LD_LIBRARYN32_PATH+X}" in
+++ IRIX64) case "${LD_LIBRARYN32_PATH:+X}" in
++ X) LD_LIBRARYN32_PATH=$libpath:$LD_LIBRARYN32_PATH;;
++ *) LD_LIBRARYN32_PATH=$libpath;;
++ esac
++ export LD_LIBRARYN32_PATH;;
++- *) case "${LD_LIBRARY_PATH+X}" in
+++ *) case "${LD_LIBRARY_PATH:+X}" in
++ X) LD_LIBRARY_PATH=$libpath:$LD_LIBRARY_PATH;;
++ *) LD_LIBRARY_PATH=$libpath;;
++ esac
++diff --git a/solenv/bin/rpm-wrapper b/solenv/bin/rpm-wrapper
++--- solenv/bin/rpm-wrapper
+++++ solenv/bin/rpm-wrapper
++@@ -35,9 +35,9 @@
++ set -e
++ if [ "$OUTPATH" = "unxlngi6" ]
++ then
++-LD_LIBRARY_PATH=${LD_LIBRARY_PATH+${LD_LIBRARY_PATH}:}${LIBRARY_PATH?} \
+++LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+${LD_LIBRARY_PATH}:}${LIBRARY_PATH?} \
++ ${BUILD_TOOLS?}/rpmbuild "$@"
++ else
++-LD_LIBRARY_PATH=${LD_LIBRARY_PATH+${LD_LIBRARY_PATH}:}${COMPATH?}/lib \
+++LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+${LD_LIBRARY_PATH}:}${COMPATH?}/lib \
++ ${BUILD_TOOLS?}/rpm "$@"
++ fi
++diff --git a/solenv/bin/soirpm.sh b/solenv/bin/soirpm.sh
++--- solenv/bin/soirpm.sh
+++++ solenv/bin/soirpm.sh
++@@ -28,5 +28,5 @@
++ LIBRPMBUILD=$(find ${COMPATH} -name 'librpmbuild-4.1*' -print)
++ # echo $(dirname $LIBRPMBUILD)
++ LD_LIBRARY_PATH=$(dirname ${LIBRPMBUILD}) ${BUILD_TOOLS?}/rpm "$@"
++-# LD_LIBRARY_PATH=${LD_LIBRARY_PATH+${LD_LIBRARY_PATH}:}${COMPATH?}/lib \
+++# LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+${LD_LIBRARY_PATH}:}${COMPATH?}/lib \
++ # ${BUILD_TOOLS?}/rpm "$@"
++diff --git a/svx/source/gengal/gengal.sh b/svx/source/gengal/gengal.sh
++--- svx/source/gengal/gengal.sh
+++++ svx/source/gengal/gengal.sh
++@@ -62,27 +62,27 @@
++ sd_platform=`uname -s`
++ case $sd_platform in
++ AIX)
++- LIBPATH=${sd_prog}${LIBPATH+:${LIBPATH}}
+++ LIBPATH=${sd_prog}${LIBPATH:+:${LIBPATH}}
++ export LIBPATH
++ ;;
++
++ Darwin)
++- DYLD_LIBRARY_PATH=${sd_prog}${DYLD_LIBRARY_PATH+:${DYLD_LIBRARY_PATH}}
+++ DYLD_LIBRARY_PATH=${sd_prog}${DYLD_LIBRARY_PATH:+:${DYLD_LIBRARY_PATH}}
++ export DYLD_LIBRARY_PATH
++ ;;
++
++ HP-UX)
++- SHLIB_PATH=${sd_prog}:/usr/openwin/lib${SHLIB_PATH+:${SHLIB_PATH}}
+++ SHLIB_PATH=${sd_prog}:/usr/openwin/lib${SHLIB_PATH:+:${SHLIB_PATH}}
++ export SHLIB_PATH
++ ;;
++
++ IRIX*)
++- LD_LIBRARYN32_PATH=${sd_prog}${LD_LIBRARYN32_PATH+:${LD_LIBRARYN32_PATH}}
+++ LD_LIBRARYN32_PATH=${sd_prog}${LD_LIBRARYN32_PATH:+:${LD_LIBRARYN32_PATH}}
++ export LD_LIBRARYN32_PATH
++ ;;
++
++ *)
++- LD_LIBRARY_PATH=${sd_prog}${LD_LIBRARY_PATH+:${LD_LIBRARY_PATH}}
+++ LD_LIBRARY_PATH=${sd_prog}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
++ export LD_LIBRARY_PATH
++ ;;
++ esac
++diff --git a/sw/source/core/doc/number.cxx b/sw/source/core/doc/number.cxx
++--- sw/source/core/doc/number.cxx
+++++ sw/source/core/doc/number.cxx
++@@ -101,8 +101,15 @@
++
++ const SwNumFmt* SwNumRule::GetNumFmt( USHORT i ) const
++ {
++- ASSERT_ID( i < MAXLEVEL && eRuleType < RULE_END, ERR_NUMLEVEL);
++- return aFmts[ i ];
+++ const SwNumFmt * pResult = NULL;
+++
+++ ASSERT_ID( i < MAXLEVEL && eRuleType < RULE_END, ERR_NUMLEVEL);
+++ if ( i < MAXLEVEL && eRuleType < RULE_END)
+++ {
+++ pResult = aFmts[ i ];
+++ }
+++
+++ return pResult;
++ }
++
++ // --> OD 2008-07-08 #i91400#
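Review bot: `GetNumFmt` can now return `NULL` for an out-of-range level, which nothing in the signature or a comment tells callers; any caller outside this hunk that dereferences the result directly trades the out-of-bounds read for a null dereference. Add a comment above the function, e.g. `// returns NULL if i >= MAXLEVEL or eRuleType >= RULE_END; callers must check`, and audit the call sites reached from the import filters. The range condition is also spelled twice (once in `ASSERT_ID`, once in the `if`); evaluating it once into a `const bool` would keep the two from drifting apart.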
++diff --git a/sw/source/core/docnode/ndtbl.cxx b/sw/source/core/docnode/ndtbl.cxx
++--- sw/source/core/docnode/ndtbl.cxx
+++++ sw/source/core/docnode/ndtbl.cxx
++@@ -334,7 +334,13 @@
++ new SwEndNode( aEndIdx, *pSttNd );
++
++ pPrvBox = new SwTableBox( pBoxFmt, *pSttNd, pLine );
++- pLine->GetTabBoxes().C40_INSERT( SwTableBox, pPrvBox, nInsPos + n );
+++
+++ SwTableBoxes & rTabBoxes = pLine->GetTabBoxes();
+++ USHORT nRealInsPos = nInsPos + n;
+++ if (nRealInsPos > rTabBoxes.Count())
+++ nRealInsPos = rTabBoxes.Count();
+++
+++ rTabBoxes.C40_INSERT( SwTableBox, pPrvBox, nRealInsPos );
++
++ //if( NO_NUMBERING == pTxtColl->GetOutlineLevel()//#outline level,zhaojianwei
++ if( ! pTxtColl->IsAssignedToListLevelOfOutlineStyle()//<-end,zhaojianwei
++diff --git a/sw/source/filter/rtf/rtfnum.cxx b/sw/source/filter/rtf/rtfnum.cxx
++--- sw/source/filter/rtf/rtfnum.cxx
+++++ sw/source/filter/rtf/rtfnum.cxx
++@@ -806,8 +806,8 @@
++ // suche die Rule - steht unter Nummer 3
++ nListNo = 3;
++ bContinus = FALSE;
++- nLevel = MAXLEVEL <= nTokenValue ? MAXLEVEL - 1
++- : BYTE( nTokenValue - 1 );
+++ nLevel = MAXLEVEL <= (unsigned long) nTokenValue ? MAXLEVEL - 1
+++ : (!nTokenValue ? 0 : BYTE( nTokenValue - 1 ));
++ }
++ else
++ {
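Review bot: A negative `nTokenValue` is handled only implicitly: the `(unsigned long)` cast turns it into a large value, so it is clamped to `MAXLEVEL - 1`, the deepest level, while zero maps to level 0. If negative input should be treated as invalid rather than as the maximum, test it explicitly; the declared type of `nTokenValue` is outside the hunk. The same nested conditional is repeated in the `RTF_PNLVL` case of the next hunk, and a small static helper with a comment (`// RTF levels are 1-based; clamp to 0..MAXLEVEL-1`) would keep both copies in step.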
++@@ -815,9 +815,9 @@
++ {
++ case RTF_PNLVL: nListNo = 3;
++ bContinus = FALSE;
++- nLevel = MAXLEVEL <= nTokenValue
+++ nLevel = MAXLEVEL <= (unsigned long) nTokenValue
++ ? MAXLEVEL - 1
++- : BYTE( nTokenValue-1 );
+++ : (!nTokenValue ? 0 : BYTE( nTokenValue-1 ));
++ break;
++
++ case RTF_PNLVLBODY:
++diff --git a/sw/source/filter/ww8/ww8par3.cxx b/sw/source/filter/ww8/ww8par3.cxx
++--- sw/source/filter/ww8/ww8par3.cxx
+++++ sw/source/filter/ww8/ww8par3.cxx
++@@ -1400,7 +1400,9 @@
++ pLFOInfo->pNumRule->Set(aLFOLVL.nLevel, aNumFmt);
++ }
++ bLVLOk = true;
++- pLFOInfo->maOverrides[aLFOLVL.nLevel] = aLFOLVL;
+++
+++ if (nMaxLevel > aLFOLVL.nLevel)
+++ pLFOInfo->maOverrides[aLFOLVL.nLevel] = aLFOLVL;
++ }
++ if( !bLVLOk )
++ break;
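Review bot: The new `nMaxLevel > aLFOLVL.nLevel` test guards only the `maOverrides` write; the `pNumRule->Set(aLFOLVL.nLevel, aNumFmt)` call two lines above uses the same file-supplied level, and `bLVLOk` is still set to true when the override is dropped. Whether `Set` range-checks its index, and whether an earlier check outside the hunk already bounds `nLevel`, cannot be seen here. Moving the check to the point where `aLFOLVL.nLevel` is read, and treating an out-of-range level as a failed read, would cover every later use; the surrounding loop starts and ends outside the hunk.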
++diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
++--- sw/source/filter/ww8/ww8scan.cxx
+++++ sw/source/filter/ww8/ww8scan.cxx
++@@ -7179,8 +7179,16 @@
++ for (i=0; i < nMaxLeading; ++i)
++ rgxchLPunct[i] = Get_Short(pData);
++
++- rgxchFPunct[cchFollowingPunct]=0;
++- rgxchLPunct[cchLeadingPunct]=0;
+++ if (cchFollowingPunct >= 0 && cchFollowingPunct < nMaxFollowing)
+++ rgxchFPunct[cchFollowingPunct]=0;
+++ else
+++ rgxchFPunct[nMaxFollowing - 1]=0;
+++
+++ if (cchLeadingPunct >= 0 && cchLeadingPunct < nMaxLeading)
+++ rgxchLPunct[cchLeadingPunct]=0;
+++ else
+++ rgxchLPunct[nMaxLeading - 1]=0;
+++
++ }
++
++ void WW8DopTypography::WriteToMem(BYTE *&pData) const
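Review bot: The terminator writes are now bounded, but `cchFollowingPunct` and `cchLeadingPunct` keep their out-of-range values, so if they are members (their declaration is outside the hunk) any other code that uses them as lengths still sees untrusted numbers; `WriteToMem`, which begins right after the hunk, is one place to check. Clamping the counts themselves, e.g. `if (cchFollowingPunct < 0 || cchFollowingPunct >= nMaxFollowing) cchFollowingPunct = nMaxFollowing - 1;`, and then writing the terminator once would fix the index and the stored length together. The start of the function is outside the hunk.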
++diff --git a/ure/source/startup.sh b/ure/source/startup.sh
++--- ure/source/startup.sh
+++++ ure/source/startup.sh
++@@ -39,7 +39,7 @@
++ if [ -x "${epath}/javaldx" ] ; then
++ jpath=`"${epath}/javaldx" $my_envargs`
++ if [ -n "${jpath}" ]; then
++- LD_LIBRARY_PATH=${jpath}${LD_LIBRARY_PATH+:${LD_LIBRARY_PATH}}
+++ LD_LIBRARY_PATH=${jpath}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
++ export LD_LIBRARY_PATH
++ fi
++ fi
=== added file 'patches/security-fixes-from-cws-impress208.diff'
--- a/patches/security-fixes-from-cws-impress208.diff 1970-01-01 00:00:00 +0000
+++ b/patches/security-fixes-from-cws-impress208.diff 2011-01-30 16:44:58 +0000
@@ -0,0 +1,122 @@
+--- /dev/null 2010-12-31 18:16:37.629405698 +0100
++++ openoffice.org-3.2.1/ooo-build-3-2-1-4/patches/dev300/security-fixes-from-cws-impress208.diff 2011-01-05 22:11:58.000000000 +0100
+@@ -0,0 +1,112 @@
++
++# HG changeset patch
++# User Christian Lippka ORACLE <christian.lippka@oracle.com>
++# Date 1294074253 -3600
++# Node ID 29638e31d01685727edd4569dd2438f914cdf538
++# Parent a21d317bfa71988ffe2d6987083fd91f2f338800
++impress208: #164349# fixed possible heap overflow when reading manipulated TGA images
++
++diff -r a21d317bfa71 -r 29638e31d016 filter/source/graphicfilter/itga/itga.cxx
++--- goodies/source/filter.vcl/itga/itga.cxx Mon Jan 03 17:59:57 2011 +0100
+++++ goodies/source/filter.vcl/itga/itga.cxx Mon Jan 03 18:04:13 2011 +0100
++@@ -338,6 +338,9 @@
++ nXCount = 0;
++ nY += nYAdd;
++ nYCount++;
+++
+++ if( nYCount >= mpFileHeader->nImageHeight )
+++ return false; // invalid picture
++ }
++ }
++ }
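Review bot: The new `return false` fires as soon as `nYCount` reaches `nImageHeight`, which is also the state after the last pixel of a well-formed image has been stored; if the enclosing loop (outside the hunk) already stops on that condition, valid images whose data ends exactly on the final row would be rejected together with the manipulated ones. Leaving the run loop with `break;` and letting the outer loop condition end the read would stop the out-of-bounds write without failing those files. The same three lines are added in the nine following hunks of itga.cxx and need the same check against the surrounding loops.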
++@@ -360,6 +363,9 @@
++ nXCount = 0;
++ nY += nYAdd;
++ nYCount++;
+++
+++ if( nYCount >= mpFileHeader->nImageHeight )
+++ return false; // invalid picture
++ }
++ }
++ }
++@@ -387,6 +393,9 @@
++ nXCount = 0;
++ nY += nYAdd;
++ nYCount++;
+++
+++ if( nYCount >= mpFileHeader->nImageHeight )
+++ return false; // invalid picture
++ }
++ }
++ }
++@@ -407,6 +416,9 @@
++ nXCount = 0;
++ nY += nYAdd;
++ nYCount++;
+++
+++ if( nYCount >= mpFileHeader->nImageHeight )
+++ return false; // invalid picture
++ }
++ }
++ }
++@@ -440,6 +452,9 @@
++ nXCount = 0;
++ nY += nYAdd;
++ nYCount++;
+++
+++ if( nYCount >= mpFileHeader->nImageHeight )
+++ return false; // invalid picture
++ }
++ }
++ }
++@@ -457,6 +472,9 @@
++ nXCount = 0;
++ nY += nYAdd;
++ nYCount++;
+++
+++ if( nYCount >= mpFileHeader->nImageHeight )
+++ return false; // invalid picture
++ }
++ }
++ }
++@@ -483,6 +501,9 @@
++ nXCount = 0;
++ nY += nYAdd;
++ nYCount++;
+++
+++ if( nYCount >= mpFileHeader->nImageHeight )
+++ return false; // invalid picture
++ }
++ }
++ }
++@@ -500,6 +521,9 @@
++ nXCount = 0;
++ nY += nYAdd;
++ nYCount++;
+++
+++ if( nYCount >= mpFileHeader->nImageHeight )
+++ return false; // invalid picture
++ }
++ }
++ }
++@@ -528,6 +552,9 @@
++ nXCount = 0;
++ nY += nYAdd;
++ nYCount++;
+++
+++ if( nYCount >= mpFileHeader->nImageHeight )
+++ return false; // invalid picture
++ }
++ }
++ }
++@@ -548,6 +575,9 @@
++ nXCount = 0;
++ nY += nYAdd;
++ nYCount++;
+++
+++ if( nYCount >= mpFileHeader->nImageHeight )
+++ return false; // invalid picture
++ }
++ }
++ }
++
+--- openoffice.org-3.2.1/ooo-build-3-2-1-4/patches/dev300/apply-old 2010-12-29 18:08:37.000000000 +0100
++++ openoffice.org-3.2.1/ooo-build-3-2-1-4/patches/dev300/apply 2011-01-05 22:25:56.000000000 +0100
+@@ -4098,3 +4098,4 @@
+ SA40775.diff
+ cws-hb22.diff
+ security-fixes-from-cws-os145.diff
++security-fixes-from-cws-impress208.diff
=== added file 'patches/security-fixes-from-cws-os145.diff'
--- a/patches/security-fixes-from-cws-os145.diff 1970-01-01 00:00:00 +0000
+++ b/patches/security-fixes-from-cws-os145.diff 2011-01-30 16:44:58 +0000
@@ -0,0 +1,113 @@
+--- /dev/null 2010-11-21 14:10:31.532337349 +0100
++++ openoffice.org-3.2.1/ooo-build-3-2-1-4/patches/dev300/security-fixes-from-cws-os145.diff 2010-11-22 20:47:36.000000000 +0100
+@@ -0,0 +1,103 @@
++diff --git a/svx/source/svdraw/svdfppt.cxx b/svx/source/svdraw/svdfppt.cxx
++--- svx/source/svdraw/svdfppt.cxx
+++++ svx/source/svdraw/svdfppt.cxx
++@@ -1469,12 +1469,16 @@
++
++ if ( bOk )
++ {
++- // PersistPtrs lesen (alle)
++- nPersistPtrAnz = aUserEditAtom.nMaxPersistWritten + 1; // 1 mehr, damit ich immer direkt indizieren kann
++- pPersistPtr = new UINT32[ nPersistPtrAnz ]; // (die fangen naemlich eigentlich bei 1 an)
+++ nPersistPtrAnz = aUserEditAtom.nMaxPersistWritten + 1;
+++ if ( ( nPersistPtrAnz >> 2 ) > nStreamLen ) // sj: at least nPersistPtrAnz is not allowed to be greater than filesize
+++ bOk = FALSE; // (it should not be greater than the PPT_PST_PersistPtrIncrementalBlock, but
+++ // we are reading this block later, so we do not have access yet)
+++
+++ if ( bOk && ( nPersistPtrAnz < ( SAL_MAX_UINT32 / sizeof( UINT32 ) ) ) )
+++ pPersistPtr = new (std::nothrow) UINT32[ nPersistPtrAnz ];
++ if ( !pPersistPtr )
++ bOk = FALSE;
++- else
+++ if ( bOk )
++ {
++ memset( pPersistPtr, 0x00, nPersistPtrAnz * 4 );
++
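Review bot: The plausibility test shifts the count, `( nPersistPtrAnz >> 2 ) > nStreamLen`, although the table needs `nPersistPtrAnz * 4` bytes, so a count of up to four times the stream length is accepted; if the intent was to compare the table's byte size with the file size, the shift belongs on the other operand, `nPersistPtrAnz > ( nStreamLen >> 2 )`. `nMaxPersistWritten + 1` can also wrap to 0 when the field holds the maximum value, which passes both tests and allocates an empty array; whether later indexing is bounded by `nPersistPtrAnz` is outside the hunk. The `!pPersistPtr` test relies on the pointer being NULL before this block, which is not visible here either.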
++diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx
++--- vcl/source/gdi/pngread.cxx
+++++ vcl/source/gdi/pngread.cxx
++@@ -411,7 +411,9 @@
++
++ case PNGCHUNK_IDAT :
++ {
++- if ( !mbIDAT ) // the gfx is finished, but there may be left a zlibCRC of about 4Bytes
+++ if ( !mpInflateInBuf ) // taking care that the header has properly been read
+++ mbStatus = FALSE;
+++ else if ( !mbIDAT ) // the gfx is finished, but there may be left a zlibCRC of about 4Bytes
++ ImplReadIDAT();
++ }
++ break;
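Review bot: The guard tests only `mpInflateInBuf`, but the header code changed later in this patch allocates two scanline buffers, `mpInflateInBuf` and `mpScanPrior`, each with `new (std::nothrow)`; if only the second allocation fails, this case still calls `ImplReadIDAT()` unless the header's FALSE return stops the read first, which is outside the hunk. Testing both pointers, `if ( !mpInflateInBuf || !mpScanPrior )`, makes the IDAT path safe on its own.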
++@@ -527,7 +529,7 @@
++ mbIDAT = mbAlphaChannel = mbTransparent = FALSE;
++ mbGrayScale = mbRGBTriple = FALSE;
++ mnTargetDepth = mnPngDepth;
++- mnScansize = ( ( maOrigSize.Width() * mnPngDepth ) + 7 ) >> 3;
+++ sal_uInt64 nScansize64 = ( ( static_cast< sal_uInt64 >( maOrigSize.Width() ) * mnPngDepth ) + 7 ) >> 3;
++
++ // valid color types are 0,2,3,4 & 6
++ switch ( mnColorType )
++@@ -557,7 +559,7 @@
++ case 2 : // each pixel is an RGB triple
++ {
++ mbRGBTriple = TRUE;
++- mnScansize *= 3;
+++ nScansize64 *= 3;
++ switch ( mnPngDepth )
++ {
++ case 16 : // we have to reduce the bitmap
++@@ -590,7 +592,7 @@
++
++ case 4 : // each pixel is a grayscale sample followed by an alpha sample
++ {
++- mnScansize *= 2;
+++ nScansize64 *= 2;
++ mbAlphaChannel = TRUE;
++ switch ( mnPngDepth )
++ {
++@@ -608,7 +610,7 @@
++ case 6 : // each pixel is an RGB triple followed by an alpha sample
++ {
++ mbRGBTriple = TRUE;
++- mnScansize *= 4;
+++ nScansize64 *= 4;
++ mbAlphaChannel = TRUE;
++ switch (mnPngDepth )
++ {
++@@ -626,16 +628,24 @@
++ return FALSE;
++ }
++
++- mnBPP = mnScansize / maOrigSize.Width();
+++ mnBPP = static_cast< sal_uInt32 >( nScansize64 / maOrigSize.Width() );
++ if ( !mnBPP )
++ mnBPP = 1;
++
++- mnScansize++; // each scanline includes one filterbyte
+++ nScansize64++; // each scanline includes one filterbyte
+++
+++ if ( nScansize64 > SAL_MAX_UINT32 )
+++ return FALSE;
+++
+++ mnScansize = static_cast< sal_uInt32 >( nScansize64 );
++
++ // TODO: switch between both scanlines instead of copying
++- mpInflateInBuf = new BYTE[ mnScansize ];
+++ mpInflateInBuf = new (std::nothrow) BYTE[ mnScansize ];
++ mpScanCurrent = mpInflateInBuf;
++- mpScanPrior = new BYTE[ mnScansize ];
+++ mpScanPrior = new (std::nothrow) BYTE[ mnScansize ];
+++
+++ if ( !mpInflateInBuf || !mpScanPrior )
+++ return FALSE;
++
++ // calculate target size from original size and the preview hint
++ if( rPreviewSizeHint.Width() || rPreviewSizeHint.Height() )
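Review bot: `maOrigSize.Width()` comes from the file and is used as a divisor in the `mnBPP` line and, in the earlier hunk, cast to `sal_uInt64`; a zero width divides by zero, and a negative width becomes a very large unsigned value whose product with the depth can wrap before the `SAL_MAX_UINT32` test. If the width is not already rejected earlier in the function (not visible in this hunk), add `if ( maOrigSize.Width() <= 0 ) return FALSE;` before the scanline size is computed. The enclosing function begins and ends outside the hunk.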
+--- openoffice.org-3.2.1/ooo-build-3-2-1-4/patches/dev300/apply-old 2010-11-22 20:01:52.000000000 +0100
++++ openoffice.org-3.2.1/ooo-build-3-2-1-4/patches/dev300/apply 2010-11-22 20:02:06.000000000 +0100
+@@ -4096,3 +4096,4 @@
+ [ Security ]
+ SA40775.diff
+ cws-hb22.diff
++security-fixes-from-cws-os145.diff
=== modified file 'patches/series'
--- a/patches/series 2010-11-29 21:36:32 +0000
+++ b/patches/series 2011-01-30 16:44:58 +0000
@@ -13,3 +13,7 @@
pdf-link-export-fix.diff
set-correct-default-formula-syntax.diff
slideshow-clipfix.diff
+tread-invalid-path-segments-correctly.diff
+cws-hb22.diff
+security-fixes-from-cws-os145.diff
+security-fixes-from-cws-impress208.diff
=== added file 'patches/tread-invalid-path-segments-correctly.diff'
--- a/patches/tread-invalid-path-segments-correctly.diff 1970-01-01 00:00:00 +0000
+++ b/patches/tread-invalid-path-segments-correctly.diff 2011-01-30 16:44:58 +0000
@@ -0,0 +1,204 @@
+--- /dev/null 2010-08-16 13:41:41.277183513 +0200
++++ openoffice.org-3.2.1/ooo-build-3-2-1-4/patches/dev300/tread-invalid-path-segments-correctly.diff 2010-08-17 18:52:27.000000000 +0200
+@@ -0,0 +1,201 @@
++
++# HG changeset patch
++# User Mikhail Voytenko <mav@openoffice.org>
++# Date 1281431120 -7200
++# Node ID 1efb7f54e7188baa10e280652b0e4762f55025a9
++# Parent c85a59971620bc9e04ad689600ee9846f0f9dc18
++mav56: #163253# tread invalid path segments correctly
++
++diff -r c85a59971620 -r 1efb7f54e718 comphelper/inc/comphelper/storagehelper.hxx
++--- comphelper/inc/comphelper/storagehelper.hxx Mon Jul 26 18:27:06 2010 +0200
+++++ comphelper/inc/comphelper/storagehelper.hxx Tue Aug 10 11:05:20 2010 +0200
++@@ -161,6 +161,8 @@
++
++ static sal_Bool IsValidZipEntryFileName( const ::rtl::OUString& aName, sal_Bool bSlashAllowed );
++ static sal_Bool IsValidZipEntryFileName( const sal_Unicode *pChar, sal_Int32 nLength, sal_Bool bSlashAllowed );
+++
+++ static sal_Bool PathHasSegment( const ::rtl::OUString& aPath, const ::rtl::OUString& aSegment );
++ };
++
++ }
++diff -r c85a59971620 -r 1efb7f54e718 comphelper/source/misc/storagehelper.cxx
++--- comphelper/source/misc/storagehelper.cxx Mon Jul 26 18:27:06 2010 +0200
+++++ comphelper/source/misc/storagehelper.cxx Tue Aug 10 11:05:20 2010 +0200
++@@ -452,5 +452,36 @@
++ return sal_True;
++ }
++
+++// ----------------------------------------------------------------------
+++sal_Bool OStorageHelper::PathHasSegment( const ::rtl::OUString& aPath, const ::rtl::OUString& aSegment )
+++{
+++ sal_Bool bResult = sal_False;
+++ const sal_Int32 nPathLen = aPath.getLength();
+++ const sal_Int32 nSegLen = aSegment.getLength();
+++
+++ if ( nSegLen && nPathLen >= nSegLen )
+++ {
+++ ::rtl::OUString aEndSegment( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
+++ aEndSegment += aSegment;
+++
+++ ::rtl::OUString aInternalSegment( aEndSegment );
+++ aInternalSegment += ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
+++
+++ if ( aPath.indexOf( aInternalSegment ) >= 0 )
+++ bResult = sal_True;
+++
+++ if ( !bResult && !aPath.compareTo( aSegment, nSegLen ) )
+++ {
+++ if ( nPathLen == nSegLen || aPath.getStr()[nSegLen] == (sal_Unicode)'/' )
+++ bResult = sal_True;
+++ }
+++
+++ if ( !bResult && nPathLen > nSegLen && aPath.copy( nPathLen - nSegLen - 1, nSegLen + 1 ).equals( aEndSegment ) )
+++ bResult = sal_True;
+++ }
+++
+++ return bResult;
++ }
++
+++}
+++
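Review bot: `PathHasSegment` is added without any description of its contract, although the other hunks of this patch use it as a security check. A comment above it should state that it returns `sal_True` when `aSegment` occurs in `aPath` as a complete `/`-delimited segment at the start, in the middle or at the end, that an empty `aSegment` yields `sal_False`, and that the comparison is on the characters as given, with no decoding or case folding. The three tests could also be written as early returns instead of chaining on `!bResult`, which would make each case easier to read.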
++diff -r c85a59971620 -r 1efb7f54e718 filter/source/xsltdialog/xmlfilterjar.cxx
++--- filter/source/xsltdialog/xmlfilterjar.cxx Mon Jul 26 18:27:06 2010 +0200
+++++ filter/source/xsltdialog/xmlfilterjar.cxx Tue Aug 10 11:05:20 2010 +0200
++@@ -101,6 +101,10 @@
++
++ static Reference< XInterface > addFolder( Reference< XInterface >& xRootFolder, Reference< XSingleServiceFactory >& xFactory, const OUString& rName ) throw( Exception )
++ {
+++ if ( rName.equals( OUString( RTL_CONSTASCII_USTRINGPARAM( ".." ) ) )
+++ || rName.equals( OUString( RTL_CONSTASCII_USTRINGPARAM( "." ) ) ) )
+++ throw lang::IllegalArgumentException();
+++
++ Sequence< Any > aArgs(1);
++ aArgs[0] <<= (sal_Bool)sal_True;
++
++@@ -362,6 +366,10 @@
++ {
++ OUString szPackagePath( encodeZipUri( rURL.copy( sVndSunStarPackage.getLength() ) ) );
++
+++ if ( ::comphelper::OStorageHelper::PathHasSegment( szPackagePath, OUString( RTL_CONSTASCII_USTRINGPARAM( ".." ) ) )
+++ || ::comphelper::OStorageHelper::PathHasSegment( szPackagePath, OUString( RTL_CONSTASCII_USTRINGPARAM( "." ) ) ) )
+++ throw lang::IllegalArgumentException();
+++
++ if( xIfc->hasByHierarchicalName( szPackagePath ) )
++ {
++ Reference< XActiveDataSink > xFileEntry;
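Review bot: The dot-segment test is applied to `szPackagePath`, which is the output of `encodeZipUri`, so it sees the encoded spelling of the path; `PathHasSegment` compares literal characters, and a segment written with percent-encoded dots would not match if such input can reach this point and is decoded later. The same question applies to the `m_aPath` test in ucb/source/ucp/package/pkguri.cxx, where the path is still checked for `%2F` and so appears to be in encoded form. Confirm where decoding happens and run the segment check on the decoded form, or document in a comment why checking the encoded form is sufficient.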
++diff -r c85a59971620 -r 1efb7f54e718 ucb/source/ucp/package/makefile.mk
++--- ucb/source/ucp/package/makefile.mk Mon Jul 26 18:27:06 2010 +0200
+++++ ucb/source/ucp/package/makefile.mk Tue Aug 10 11:05:20 2010 +0200
++@@ -68,6 +68,7 @@
++ SHL1VERSIONMAP=$(SOLARENV)/src/component.map
++
++ SHL1STDLIBS=\
+++ $(COMPHELPERLIB) \
++ $(CPPUHELPERLIB) \
++ $(CPPULIB) \
++ $(SALLIB) \
++diff -r c85a59971620 -r 1efb7f54e718 ucb/source/ucp/package/pkguri.cxx
++--- ucb/source/ucp/package/pkguri.cxx Mon Jul 26 18:27:06 2010 +0200
+++++ ucb/source/ucp/package/pkguri.cxx Tue Aug 10 11:05:20 2010 +0200
++@@ -36,6 +36,7 @@
++
++ #include "rtl/ustrbuf.hxx"
++ #include "osl/diagnose.h"
+++#include "comphelper/storagehelper.hxx"
++
++ #include "../inc/urihelper.hxx"
++
++@@ -85,7 +86,7 @@
++ if ( ( m_aUri.getLength() < PACKAGE_URL_SCHEME_LENGTH + 4 ) )
++ {
++ // error, but remember that we did a init().
++- m_aPath = rtl::OUString::createFromAscii( "/" );
+++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
++ return;
++ }
++
++@@ -100,7 +101,7 @@
++ != sal_Unicode( '/' ) ) )
++ {
++ // error, but remember that we did a init().
++- m_aPath = rtl::OUString::createFromAscii( "/" );
+++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
++ return;
++ }
++
++@@ -128,8 +129,8 @@
++ {
++ m_aParam +=
++ ( m_aParam.getLength()
++- ? ::rtl::OUString::createFromAscii( "&purezip" )
++- : ::rtl::OUString::createFromAscii( "?purezip" ) );
+++ ? ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "&purezip" ) )
+++ : ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "?purezip" ) ) );
++ }
++
++ aPureUri = aPureUri.replaceAt( 0,
++@@ -143,7 +144,7 @@
++ // Only <scheme>:/// - Empty authority
++
++ // error, but remember that we did a init().
++- m_aPath = rtl::OUString::createFromAscii( "/" );
+++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
++ return;
++ }
++ else if ( nEnd == ( aPureUri.getLength() - 1 ) )
++@@ -154,7 +155,7 @@
++ // Only <scheme>://// or <scheme>://<something>//
++
++ // error, but remember that we did a init().
++- m_aPath = rtl::OUString::createFromAscii( "/" );
+++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
++ return;
++ }
++
++@@ -175,7 +176,7 @@
++ nStart, aPureUri.getLength() - nStart, aNormPackage );
++ m_aPackage
++ = ::ucb_impl::urihelper::decodeSegment( aNormPackage );
++- m_aPath = rtl::OUString::createFromAscii( "/" );
+++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
++ m_aUri = m_aUri.replaceAt( 0,
++ ( nParam >= 0 )
++ ? nParam
++@@ -193,16 +194,19 @@
++ {
++ m_aPath = aPureUri.copy( nEnd + 1 );
++
++- // Empty path segments or encoded slashes?
++- if ( m_aPath.indexOf(
++- rtl::OUString::createFromAscii( "//" ) ) != -1
++- || m_aPath.indexOf(
++- rtl::OUString::createFromAscii( "%2F" ) ) != -1
++- || m_aPath.indexOf(
++- rtl::OUString::createFromAscii( "%2f" ) ) != -1 )
+++ // Unexpected sequences of characters:
+++ // - empty path segments
+++ // - encoded slashes
+++ // - parent folder segments ".."
+++ // - current folder segments "."
+++ if ( m_aPath.indexOf( rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "//" ) ) ) != -1
+++ || m_aPath.indexOf( rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "%2F" ) ) ) != -1
+++ || m_aPath.indexOf( rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "%2f" ) ) ) != -1
+++ || ::comphelper::OStorageHelper::PathHasSegment( m_aPath, ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( ".." ) ) )
+++ || ::comphelper::OStorageHelper::PathHasSegment( m_aPath, ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "." ) ) ) )
++ {
++ // error, but remember that we did a init().
++- m_aPath = rtl::OUString::createFromAscii( "/" );
+++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
++ return;
++ }
++
++@@ -239,7 +243,7 @@
++ else
++ {
++ // error, but remember that we did a init().
++- m_aPath = rtl::OUString::createFromAscii( "/" );
+++ m_aPath = rtl::OUString( RTL_CONSTASCII_USTRINGPARAM( "/" ) );
++ }
++ }
++ }
++