[libreoffice] 03/03: add fixes for ww8 wrapping and coverity#1266485
This is an automated email from the git hooks/post-receive script.
sweetshark-guest pushed a commit to branch ubuntu-trusty-4.2
in repository libreoffice.
commit d1ca34af3c107ad64f9deb7b69ac76e8d3d2f135
Author: Bjoern Michaelsen <bjoern.michaelsen@canonical.com>
Date: Mon Jul 13 17:35:18 2015 +0200
add fixes for ww8 wrapping and coverity#1266485
---
changelog | 6 +++
patches/coverity-1266485.diff | 112 ++++++++++++++++++++++++++++++++++++++++++
patches/series | 2 +
patches/ww8dontwrap.diff | 32 ++++++++++++
4 files changed, 152 insertions(+)
diff --git a/changelog b/changelog
index 2113b5e..d4b5cc4 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,9 @@
+libreoffice (1:4.2.8-0ubuntu3~trusty2) trusty; urgency=medium
+
+ * add fixes for ww8 wrapping and coverity#1266485
+
+ -- Bjoern Michaelsen <bjoern.michaelsen@canonical.com> Mon, 13 Jul 2015 17:30:25 +0200
+
libreoffice (1:4.2.8-0ubuntu3~trusty1) trusty; urgency=medium
* add fix for link updates
diff --git a/patches/coverity-1266485.diff b/patches/coverity-1266485.diff
new file mode 100644
index 0000000..9c7f7f3
--- /dev/null
+++ b/patches/coverity-1266485.diff
@@ -0,0 +1,112 @@
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 26 Jan 2015 11:26:41 +0000
+Subject: [PATCH] coverity#1266485 Untrusted value as argument
+
+(cherry picked from commit 0934ed1a40c59c169354b177d7dab4228de66171)
+
+min legal size here is > 4
+
+(cherry picked from commit 3131205c05a3fde4ef1e3322cc48ca23c443f6d3)
+
+(cherry picked from commit 964000d415bcf491704dad57aee7e0656ea60dab)
+Reviewed-on: https://gerrit.libreoffice.org/16983
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+
+Conflicts:
+ vcl/source/gdi/jobset.cxx
+
+9f68d000b32623db4d949d13284043630f5689f4
+
+Change-Id: I7708ecaf5412535055584ed6c71beaa9cd71c10c
+---
+ vcl/source/gdi/jobset.cxx | 35 ++++++++++++++++++++---------------
+ 1 file changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx
+--- a/vcl/source/gdi/jobset.cxx
++++ b/vcl/source/gdi/jobset.cxx
+@@ -22,6 +22,7 @@
+ #include <tools/debug.hxx>
+ #include <tools/stream.hxx>
+ #include <vcl/jobset.hxx>
++#include <boost/scoped_array.hpp>
+
+ #include <jobset.h>
+
+@@ -235,21 +236,26 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
+ DBG_ASSERTWARNING( rIStream.GetVersion(), "JobSetup::>> - Solar-Version not set on rOStream" );
+
+ {
+- sal_Size nFirstPos = rIStream.Tell();
+-
+ sal_uInt16 nLen = 0;
+ rIStream >> nLen;
+- if ( !nLen )
++ if (nLen <= 4)
+ return rIStream;
+
+ sal_uInt16 nSystem = 0;
+ rIStream >> nSystem;
+-
+- char* pTempBuf = new char[nLen];
+- rIStream.Read( pTempBuf, nLen - sizeof( nLen ) - sizeof( nSystem ) );
+- if ( nLen >= sizeof(ImplOldJobSetupData)+4 )
++ const size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
++ if (nRead > rIStream.remainingSize())
++ {
++ SAL_WARN("vcl", "Parsing error: " << rIStream.remainingSize() <<
++ " max possible entries, but " << nRead << " claimed, truncating");
++ return rIStream;
++ }
++ sal_Size nFirstPos = rIStream.Tell();
++ boost::scoped_array<char> pTempBuf(new char[nRead]);
++ rIStream.Read(pTempBuf.get(), nRead);
++ if (nRead >= sizeof(ImplOldJobSetupData))
+ {
+- ImplOldJobSetupData* pData = (ImplOldJobSetupData*)pTempBuf;
++ ImplOldJobSetupData* pData = (ImplOldJobSetupData*)pTempBuf.get();
+ if ( rJobSetup.mpData )
+ {
+ if ( rJobSetup.mpData->mnRefCount == 1 )
+@@ -271,8 +277,8 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
+ if ( nSystem == JOBSET_FILE364_SYSTEM ||
+ nSystem == JOBSET_FILE605_SYSTEM )
+ {
+- Impl364JobSetupData* pOldJobData = (Impl364JobSetupData*)(pTempBuf + sizeof( ImplOldJobSetupData ));
+- sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize );
++ Impl364JobSetupData* pOldJobData = (Impl364JobSetupData*)(pTempBuf.get() + sizeof( ImplOldJobSetupData ));
++ sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize );
+ pJobData->mnSystem = SVBT16ToShort( pOldJobData->nSystem );
+ pJobData->mnDriverDataLen = SVBT32ToUInt32( pOldJobData->nDriverDataLen );
+ pJobData->meOrientation = (Orientation)SVBT16ToShort( pOldJobData->nOrientation );
+@@ -289,8 +295,8 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
+ }
+ if( nSystem == JOBSET_FILE605_SYSTEM )
+ {
+- rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + 4 + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
+- while( rIStream.Tell() < nFirstPos + nLen )
++ rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
++ while( rIStream.Tell() < nFirstPos + nRead )
+ {
+ OUString aKey = read_lenPrefixed_uInt8s_ToOUString<sal_uInt16>(rIStream, RTL_TEXTENCODING_UTF8);
+ OUString aValue = read_lenPrefixed_uInt8s_ToOUString<sal_uInt16>(rIStream, RTL_TEXTENCODING_UTF8);
+@@ -308,13 +314,12 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
+ else
+ pJobData->maValueMap[ aKey ] = aValue;
+ }
+- DBG_ASSERT( rIStream.Tell() == nFirstPos+nLen, "corrupted job setup" );
++ DBG_ASSERT( rIStream.Tell() == nFirstPos+nRead, "corrupted job setup" );
+ // ensure correct stream position
+- rIStream.Seek( nFirstPos + nLen );
++ rIStream.Seek(nFirstPos + nRead);
+ }
+ }
+ }
+- delete[] pTempBuf;
+ }
+
+ return rIStream;
+--
+1.9.1
+
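Review bot: The length guard `if (nRead >= sizeof(ImplOldJobSetupData))` still leaves the `JOBSET_FILE364_SYSTEM`/`JOBSET_FILE605_SYSTEM` branch unprotected: it casts `pTempBuf.get() + sizeof( ImplOldJobSetupData )` to `Impl364JobSetupData*` and reads `nSize`, `nSystem`, `nDriverDataLen` and `nOrientation` through it, yet nothing checks that the buffer holds those extra bytes, and `nSystem` itself comes from the same untrusted stream. A stream whose `nLen` yields `nRead == sizeof(ImplOldJobSetupData)` together with one of those system ids therefore reads past the end of the heap buffer, so the branch condition should also require `nRead >= sizeof(ImplOldJobSetupData) + sizeof(Impl364JobSetupData)`. The count returned by `rIStream.Read(pTempBuf.get(), nRead)` is also ignored; the `remainingSize()` check makes a short read unlikely, but comparing it to `nRead` would make the contract explicit and would be the place to add the same `SAL_WARN` the new truncation path uses. The body of `operator>>` continues outside the hunk, so how `mnDriverDataLen` is later used to copy driver data could not be checked here.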
diff --git a/patches/series b/patches/series
index 0778fe2..5cdf12b 100644
--- a/patches/series
+++ b/patches/series
@@ -37,3 +37,5 @@ lp-1342175.diff
lp-1372799.diff
check-if-reads-were-successful.diff
LinkUpdateMode-is-a-global-setting.diff
+ww8dontwrap.diff
+coverity-1266485.diff
diff --git a/patches/ww8dontwrap.diff b/patches/ww8dontwrap.diff
new file mode 100644
index 0000000..debc26d
--- /dev/null
+++ b/patches/ww8dontwrap.diff
@@ -0,0 +1,32 @@
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 13 Jul 2015 10:31:30 +0100
+Subject: [PATCH] ww8: make sure we don't wrap around
+
+(cherry picked from commit 755b9320c81948358a1d4104c8875594b5700d39)
+Reviewed-on: https://gerrit.libreoffice.org/16981
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+
+Change-Id: I667bb264f92024b72f230c2ddbba3887471345f2
+---
+ sw/source/filter/ww8/ww8scan.cxx | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
+--- a/sw/source/filter/ww8/ww8scan.cxx
++++ b/sw/source/filter/ww8/ww8scan.cxx
+@@ -1519,7 +1519,11 @@ WW8PLCFpcd* WW8ScannerBase::OpenPieceTable( SvStream* pStr, const WW8Fib* pWwF )
+ if( 2 == clxt ) // PLCFfpcd ?
+ break; // PLCFfpcd gefunden
+ if( 1 == clxt ) // clxtGrpprl ?
++ {
++ if (nGrpprl == SHRT_MAX)
++ return NULL;
+ nGrpprl++;
++ }
+ sal_uInt16 nLen(0);
+ *pStr >> nLen;
+ nLeft -= 2 + nLen;
+--
+1.9.1
+
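Review bot: The new `if (nGrpprl == SHRT_MAX) return NULL;` aborts piece-table parsing silently, while the other patch in this upload (coverity-1266485.diff) logs its truncation with `SAL_WARN`; a one-line warning in this file's existing log area, e.g. `SAL_WARN(<log area>, "OpenPieceTable: clxtGrpprl count would overflow, aborting");`, before the `return NULL;` would make the rejected input visible in logs instead of a bare null piece table. `SHRT_MAX` also hard-codes the assumption that `nGrpprl` is a 16-bit signed count; its declaration is outside the hunk, so this should be confirmed, or written as `std::numeric_limits<decltype(nGrpprl)>::max()` so the bound follows the type. The unchanged context `nLeft -= 2 + nLen;` still subtracts a stream-supplied `nLen` without first comparing it against `nLeft`; whether that can underflow depends on the type of `nLeft`, which is likewise declared outside the hunk. OpenPieceTable's body starts and ends outside the hunk.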