[SCM] LibreOffice packaging repository branch, master, updated. libreoffice_3.5.4_dfsg-2-11-g0908ff4
The following commit has been merged in the master branch:
commit c00ce7d6a8bc225b6a1f3a9790c31304e202fab8
Author: Rene Engelhard <rene@debian.org>
Date: Sun Oct 14 12:22:38 2012 +0200
fix CVE-2012-4233.diff/HTB23106
diff --git a/changelog b/changelog
index e43485a..14b2e00 100644
--- a/changelog
+++ b/changelog
@@ -1,9 +1,10 @@
-libreoffice (1:3.5.4+dfsg-3) UNRELEASED; urgency=low
+libreoffice (1:3.5.4+dfsg-3) unstable; urgency=high
* debian/patches/ca-XV-update.diff: update ca-XV translations, thanks
Jordi Mallach
+ * debian/patches/CVE-2012-4233.diff: fix CVE-2012-4233.diff/HTB23106
- -- Rene Engelhard <rene@debian.org> Sun, 09 Sep 2012 14:45:20 +0200
+ -- Rene Engelhard <rene@debian.org> Mon, 08 Oct 2012 15:54:51 +0200
libreoffice (1:3.5.4+dfsg-2) unstable; urgency=low
diff --git a/patches/CVE-2012-4233.diff b/patches/CVE-2012-4233.diff
new file mode 100644
index 0000000..75e1c2e
--- /dev/null
+++ b/patches/CVE-2012-4233.diff
@@ -0,0 +1,370 @@
+From 3c2c2eb46ec70c82ec63ab7cf8096db4cb4fd8a2 Mon Sep 17 00:00:00 2001
+From: Caolán McNamara <caolanm@redhat.com>
+Date: Thu, 26 Jul 2012 15:35:43 +0000
+Subject: discard broken embedded object previews
+
+Change-Id: I4f632545d383c4887342aa2959987d4ac3638eb4
+---
+diff --git a/svtools/source/misc/embedhlp.cxx b/svtools/source/misc/embedhlp.cxx
+index 6325a76..135ad30 100644
+--- a/svtools/source/misc/embedhlp.cxx
++++ b/svtools/source/misc/embedhlp.cxx
+@@ -52,6 +52,7 @@
+ #include <cppuhelper/implbase4.hxx>
+ #include "vcl/svapp.hxx"
+ #include <rtl/logfile.hxx>
++#include <rtl/oustringostreaminserter.hxx>
+ #include <osl/mutex.hxx>
+
+ using namespace com::sun::star;
+@@ -560,16 +560,25 @@ SvStream* EmbeddedObjectRef::GetGraphicStream( sal_Bool bUpdate ) const
+ {
+ const sal_Int32 nConstBufferSize = 32000;
+ SvStream *pStream = new SvMemoryStream( 32000, 32000 );
+- sal_Int32 nRead=0;
+- uno::Sequence < sal_Int8 > aSequence ( nConstBufferSize );
+- do
++ try
++ {
++ sal_Int32 nRead=0;
++ uno::Sequence < sal_Int8 > aSequence ( nConstBufferSize );
++ do
++ {
++ nRead = xStream->readBytes ( aSequence, nConstBufferSize );
++ pStream->Write( aSequence.getConstArray(), nRead );
++ }
++ while ( nRead == nConstBufferSize );
++ pStream->Seek(0);
++ return pStream;
++ }
++ catch (const uno::Exception& ex)
+ {
+- nRead = xStream->readBytes ( aSequence, nConstBufferSize );
+- pStream->Write( aSequence.getConstArray(), nRead );
++ SAL_WARN("svtools", "discarding broken embedded object preview: " << ex.Message);
++ delete pStream;
++ xStream.clear();
+ }
+- while ( nRead == nConstBufferSize );
+- pStream->Seek(0);
+- return pStream;
+ }
+ }
+
+--
+cgit v0.9.0.2-2-gbebe
+
+From 919632bd5e6ab0e7fab1fccb588e9535df64c75d Mon Sep 17 00:00:00 2001
+From: Caolán McNamara <caolanm@redhat.com>
+Date: Wed, 08 Aug 2012 20:39:50 +0000
+Subject: validate polypolygon point counts
+
+Change-Id: Ibf6bdf48e5855583f14cd2be36f1e4896a396d32
+---
+diff --git a/svtools/source/filter/wmf/winwmf.cxx b/svtools/source/filter/wmf/winwmf.cxx
+index abcc09b..e2c7421 100644
+--- a/svtools/source/filter/wmf/winwmf.cxx
++++ b/svtools/source/filter/wmf/winwmf.cxx
+@@ -28,6 +28,7 @@
+
+
+ #include "winmtf.hxx"
++#include <boost/scoped_array.hpp>
+ #include <vcl/gdimtf.hxx>
+ #include <svtools/wmf.hxx>
+ #include <rtl/crc.h>
+@@ -354,28 +355,55 @@ void WMFReader::ReadRecordParams( sal_uInt16 nFunc )
+
+ case W_META_POLYPOLYGON:
+ {
++ bool bRecordOk = true;
+ sal_uInt16 nPoly = 0;
+ Point* pPtAry;
+ // Number of polygons:
+ *pWMF >> nPoly;
+ // Number of points of each polygon. Determine total number of points
+- sal_uInt16* pnPoints = new sal_uInt16[ nPoly ];
++ boost::scoped_array<sal_uInt16> xPolygonPointCounts(new sal_uInt16[nPoly]);
++ sal_uInt16* pnPoints = xPolygonPointCounts.get();
+ sal_uInt16 nPoints = 0;
+ for(sal_uInt16 i = 0; i < nPoly; i++ )
+ {
+ *pWMF >> pnPoints[i];
++
++ if (pnPoints[i] > SAL_MAX_UINT16 - nPoints)
++ {
++ bRecordOk = false;
++ break;
++ }
++
+ nPoints += pnPoints[i];
+ }
++
++ SAL_WARN_IF(!bRecordOk, "svtools", "polypolygon record has more polygons that we can handle");
++
++ bRecordOk &= pWMF->good();
++
++ if (!bRecordOk)
++ {
++ pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
++ break;
++ }
++
+ // Polygon points are:
+- pPtAry = new Point[nPoints];
++ boost::scoped_array<Point> xPolygonPoints(new Point[nPoints]);
++ pPtAry = xPolygonPoints.get();
+ for (sal_uInt16 i = 0; i < nPoints; i++ )
+ pPtAry[ i ] = ReadPoint();
+
++ bRecordOk &= pWMF->good();
++
++ if (!bRecordOk)
++ {
++ pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
++ break;
++ }
++
+ // Produce PolyPolygon Actions
+ PolyPolygon aPolyPoly( nPoly, pnPoints, pPtAry );
+ pOut->DrawPolyPolygon( aPolyPoly );
+- delete[] pPtAry;
+- delete[] pnPoints;
+ }
+ break;
+
+@@ -1329,16 +1357,43 @@ sal_Bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pSt
+
+ case W_META_POLYPOLYGON:
+ {
++ bool bRecordOk = true;
+ sal_uInt16 nPoly, nPoints = 0;
+ *pStm >> nPoly;
+ for(sal_uInt16 i = 0; i < nPoly; i++ )
+ {
+- sal_uInt16 nP;
++ sal_uInt16 nP = 0;
+ *pStm >> nP;
+- nPoints = nPoints + nP;
++ if (nP > SAL_MAX_UINT16 - nPoints)
++ {
++ bRecordOk = false;
++ break;
++ }
++ nPoints += nP;
+ }
++
++ SAL_WARN_IF(!bRecordOk, "svtools", "polypolygon record has more polygons that we can handle");
++
++ bRecordOk &= pStm->good();
++
++ if (!bRecordOk)
++ {
++ pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
++ bRet = sal_False;
++ break;
++ }
++
+ for (sal_uInt16 i = 0; i < nPoints; i++ )
+ GetWinExtMax( ReadPoint(), rPlaceableBound, nMapMode );
++
++ bRecordOk &= pStm->good();
++
++ if (!bRecordOk)
++ {
++ pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
++ bRet = sal_False;
++ break;
++ }
+ }
+ break;
+
+--
+cgit v0.9.0.2-2-gbebe
+
+From b61dd408981b4dc8a3e97edd806694e43da882e4 Mon Sep 17 00:00:00 2001
+From: Caolán McNamara <caolanm@redhat.com>
+Date: Thu, 09 Aug 2012 08:59:38 +0000
+Subject: ensure placeholder substitution on XclImpDrawObjBase::ReadObj8 failure
+
+Change-Id: I7a72153d971aaccea937955acc77cdba128985d7
+---
+diff --git a/sc/source/filter/excel/xiescher.cxx b/sc/source/filter/excel/xiescher.cxx
+index 74ed03b..900d2e6 100644
+--- a/sc/source/filter/excel/xiescher.cxx
++++ b/sc/source/filter/excel/xiescher.cxx
+@@ -336,7 +336,7 @@ XclImpDrawObjRef XclImpDrawObjBase::ReadObj8( const XclImpRoot& rRoot, XclImpStr
+
+ if( rStrm.GetRecLeft() >= 10 )
+ {
+- sal_uInt16 nSubRecId, nSubRecSize, nObjType;
++ sal_uInt16 nSubRecId(0), nSubRecSize(0), nObjType(0);
+ rStrm >> nSubRecId >> nSubRecSize >> nObjType;
+ OSL_ENSURE( nSubRecId == EXC_ID_OBJCMO, "XclImpDrawObjBase::ReadObj8 - OBJCMO subrecord expected" );
+ if( (nSubRecId == EXC_ID_OBJCMO) && (nSubRecSize >= 6) )
+@@ -379,11 +379,16 @@ XclImpDrawObjRef XclImpDrawObjBase::ReadObj8( const XclImpRoot& rRoot, XclImpStr
+ default:
+ OSL_TRACE( "XclImpDrawObjBase::ReadObj8 - unknown object type 0x%04hX", nObjType );
+ rRoot.GetTracer().TraceUnsupportedObjects();
+- xDrawObj.reset( new XclImpPhObj( rRoot ) );
+ }
+ }
+ }
+
++ if (!xDrawObj) //ensure placeholder for unknown or broken records
++ {
++ SAL_WARN( "sc", "XclImpDrawObjBase::ReadObj8 import failed, substituting placeholder");
++ xDrawObj.reset( new XclImpPhObj( rRoot ) );
++ }
++
+ xDrawObj->mnTab = rRoot.GetCurrScTab();
+ xDrawObj->ImplReadObj8( rStrm );
+ return xDrawObj;
+--
+cgit v0.9.0.2-2-gbebe
+
+From de9acff682c036f7e0f24427098a14042371b155 Mon Sep 17 00:00:00 2001
+From: Caolán McNamara <caolanm@redhat.com>
+Date: Wed, 15 Aug 2012 16:02:29 +0000
+Subject: merge in various filter work from core
+
+Change-Id: I14ca1319e7e96941037450aee59d7a926d290c71
+---
+diff --git a/binfilter/bf_svtools/source/filter.vcl/igif/svt_gifread.cxx b/binfilter/bf_svtools/source/filter.vcl/igif/svt_gifread.cxx
+index 511b1a2..5f3c5b8 100644
+--- a/binfilter/bf_svtools/source/filter.vcl/igif/svt_gifread.cxx
++++ b/binfilter/bf_svtools/source/filter.vcl/igif/svt_gifread.cxx
+@@ -44,6 +44,10 @@ GIFReader::GIFReader( SvStream& rStm ) :
+ nLastPos ( rStm.Tell() ),
+ nLogWidth100 ( 0UL ),
+ nLogHeight100 ( 0UL ),
++ nGlobalWidth ( 0 ),
++ nGlobalHeight ( 0 ),
++ nImageWidth ( 0 ),
++ nImageHeight ( 0 ),
+ nLoops ( 1 ),
+ eActAction ( GLOBAL_HEADER_READING ),
+ bGCTransparent ( FALSE ),
+diff --git a/binfilter/bf_svtools/source/filter.vcl/wmf/svt_winwmf.cxx b/binfilter/bf_svtools/source/filter.vcl/wmf/svt_winwmf.cxx
+index d617a99..7934b87 100644
+--- a/binfilter/bf_svtools/source/filter.vcl/wmf/svt_winwmf.cxx
++++ b/binfilter/bf_svtools/source/filter.vcl/wmf/svt_winwmf.cxx
+@@ -27,6 +27,7 @@
+ ************************************************************************/
+
+ #include "winmtf.hxx"
++#include <boost/scoped_array.hpp>
+ #include <rtl/crc.h>
+ #include <rtl/tencinfo.h>
+ #include <osl/endian.h>
+@@ -320,28 +321,54 @@ void WMFReader::ReadRecordParams( USHORT nFunc )
+
+ case W_META_POLYPOLYGON:
+ {
+- USHORT i, nPoly, nPoints;
+- USHORT* pnPoints;
++ bool bRecordOk = true;
++ USHORT i, nPoly = 0, nPoints = 0;
+ Point* pPtAry;
+ // Anzahl der Polygone:
+ *pWMF >> nPoly;
+ // Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
+- pnPoints = new USHORT[ nPoly ];
+- nPoints = 0;
++ boost::scoped_array<USHORT> xPolygonPointCounts(new USHORT[nPoly]);
++ USHORT* pnPoints = xPolygonPointCounts.get();
+ for( i = 0; i < nPoly; i++ )
+ {
+ *pWMF >> pnPoints[i];
+- nPoints = nPoints + pnPoints[i];
++
++ if (pnPoints[i] > SAL_MAX_UINT16 - nPoints)
++ {
++ bRecordOk = false;
++ break;
++ }
++
++ nPoints += pnPoints[i];
+ }
++
++ SAL_WARN_IF(!bRecordOk, "svtools", "polypolygon record has more polygons than we can handle");
++
++ bRecordOk &= pWMF->good();
++
++ if (!bRecordOk)
++ {
++ pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
++ break;
++ }
++
+ // Polygonpunkte holen:
+- pPtAry = (Point*) new char[ nPoints * sizeof(Point) ];
++ boost::scoped_array<Point> xPolygonPoints(new Point[nPoints]);
++ pPtAry = xPolygonPoints.get();
+ for ( i = 0; i < nPoints; i++ )
+ pPtAry[ i ] = ReadPoint();
++
++ bRecordOk &= pWMF->good();
++
++ if (!bRecordOk)
++ {
++ pWMF->SetError( SVSTREAM_FILEFORMAT_ERROR );
++ break;
++ }
++
+ // PolyPolygon Actions erzeugen
+ PolyPolygon aPolyPoly( nPoly, pnPoints, pPtAry );
+ pOut->DrawPolyPolygon( aPolyPoly );
+- delete[] (char*) pPtAry;
+- delete[] pnPoints;
+ }
+ break;
+
+@@ -1171,16 +1198,44 @@ sal_Bool WMFReader::GetPlaceableBound( Rectangle& rPlaceableBound, SvStream* pSt
+
+ case W_META_POLYPOLYGON:
+ {
++ bool bRecordOk = true;
+ USHORT i, nPoly, nPoints = 0;
+ *pStm >> nPoly;
+ for( i = 0; i < nPoly; i++ )
+ {
+- sal_uInt16 nP;
++ sal_uInt16 nP = 0;
+ *pStm >> nP;
+ nPoints = nPoints + nP;
++ if (nP > SAL_MAX_UINT16 - nPoints)
++ {
++ bRecordOk = false;
++ break;
++ }
++ nPoints += nP;
+ }
++
++ SAL_WARN_IF(!bRecordOk, "svtools", "polypolygon record has more polygons than we can handle");
++
++ bRecordOk &= pStm->good();
++
++ if (!bRecordOk)
++ {
++ pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
++ bRet = sal_False;
++ break;
++ }
++
+ for ( i = 0; i < nPoints; i++ )
+ GetWinExtMax( ReadPoint(), rPlaceableBound, nMapMode );
++
++ bRecordOk &= pStm->good();
++
++ if (!bRecordOk)
++ {
++ pStm->SetError( SVSTREAM_FILEFORMAT_ERROR );
++ bRet = sal_False;
++ break;
++ }
+ }
+ break;
+
+--
+cgit v0.9.0.2-2-gbebe
diff --git a/patches/series b/patches/series
index 2ed9603..8a759f9 100644
--- a/patches/series
+++ b/patches/series
@@ -45,3 +45,4 @@ CVE-2012-2334-clip-max-entries.diff
CVE-2012-2665.diff
CVE-2012-2665-binfilter.diff
ca-XV-update.diff
+CVE-2012-4233.diff
--
LibreOffice packaging repository
Reply to: