[libreoffice] 01/01: add 1:4.3.3-2+deb8u2 (jessie-security) changes
This is an automated email from the git hooks/post-receive script.
rene pushed a commit to branch debian-jessie-4.3.3
in repository libreoffice.
commit 6b1e0b5a5e719eeafb1ec7871b874331b3dc0fa5
Author: Rene Engelhard <rene@debian.org>
Date: Thu Nov 5 21:22:24 2015 +0100
add 1:4.3.3-2+deb8u2 (jessie-security) changes
---
changelog | 17 +++
patches/CVE-2015-4551.diff | 232 ++++++++++++++++++++++++++++++++++++
patches/coverity-1266485.diff | 95 +++++++++++++++
patches/pStatus-vector-offsets.diff | 85 +++++++++++++
patches/series | 4 +
patches/ww8dontwrap.diff | 35 ++++++
6 files changed, 468 insertions(+)
diff --git a/changelog b/changelog
index e248faf..a35bb71 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,20 @@
+libreoffice (1:4.3.3-2+deb8u2) jessie-security; urgency=high
+
+ * debian/patches/CVE-2015-4551.diff: backport fix for Arbritary
+ file disclosure vulnerability (CVE-2014-4551) from libreoffice-4-4-4
+ branch
+ * debian/patches/ww8dontwrap.diff: fix 'LibreOffice "Piece Table Counter"
+ Invalid Check Design Error Vulnerability' (CVE-2015-5213), from
+ libreoffice-4-4-5 branch
+ * debian/patches/coverity-1266485.diff: fix 'LibreOffice "PrinterSetup
+ Length" Integer Underflow Vulnerability' (CVE-2015-5212),
+ from libreoffice-4-4-5 branch
+ * debian/patches/pStatus-vector-offsets.diff: fix 'LibreOffice Bookmark
+ Status Memory Corruption Vulnerability' (CVE-2015-5214),
+ from libreoffice-4-4 branch
+
+ -- Rene Engelhard <rene@debian.org> Fri, 28 Aug 2015 16:09:50 +0200
+
libreoffice (1:4.3.3-2+deb8u1) unstable; urgency=high
* debian/patches/hwpreader-check-reads.patch: fix
diff --git a/patches/CVE-2015-4551.diff b/patches/CVE-2015-4551.diff
new file mode 100644
index 0000000..1454655
--- /dev/null
+++ b/patches/CVE-2015-4551.diff
@@ -0,0 +1,232 @@
+diff --git a/include/unotools/securityoptions.hxx b/include/unotools/securityoptions.hxx
+index 3bd8807..77e4720 100644
+--- a/include/unotools/securityoptions.hxx
++++ b/include/unotools/securityoptions.hxx
+@@ -186,6 +186,8 @@ class UNOTOOLS_DLLPUBLIC SAL_WARN_UNUSED SvtSecurityOptions : public utl::detail
+ */
+ bool isTrustedLocationUri(OUString const & uri) const;
+
++ bool isTrustedLocationUriForUpdatingLinks(OUString const & uri) const;
++
+ ::com::sun::star::uno::Sequence< Certificate > GetTrustedAuthors ( ) const;
+ void SetTrustedAuthors ( const ::com::sun::star::uno::Sequence< Certificate >& rAuthors );
+
+diff --git a/sc/source/filter/xml/xmlimprt.cxx b/sc/source/filter/xml/xmlimprt.cxx
+index e1b73fe..c5f1ef5 100644
+--- a/sc/source/filter/xml/xmlimprt.cxx
++++ b/sc/source/filter/xml/xmlimprt.cxx
+@@ -2628,6 +2628,9 @@ void ScXMLImport::SetConfigurationSettings(const uno::Sequence<beans::PropertyVa
+ OUString sCTName("TrackedChangesProtectionKey");
+ OUString sVBName("VBACompatibilityMode");
+ OUString sSCName("ScriptConfiguration");
++ css::uno::Sequence<css::beans::PropertyValue> aFilteredProps(
++ aConfigProps.getLength());
++ sal_Int32 nFilteredPropsLen = 0;
+ for (sal_Int32 i = nCount - 1; i >= 0; --i)
+ {
+ if (aConfigProps[i].Name == sCTName)
+@@ -2662,11 +2665,16 @@ void ScXMLImport::SetConfigurationSettings(const uno::Sequence<beans::PropertyVa
+ xImportInfo->setPropertyValue( aConfigProps[i].Name, aConfigProps[i].Value );
+ }
+ }
++ if (aConfigProps[i].Name != "LinkUpdateMode")
++ {
++ aFilteredProps[nFilteredPropsLen++] = aConfigProps[i];
++ }
+ }
++ aFilteredProps.realloc(nFilteredPropsLen);
+ uno::Reference <uno::XInterface> xInterface = xMultiServiceFactory->createInstance("com.sun.star.comp.SpreadsheetSettings");
+ uno::Reference <beans::XPropertySet> xProperties(xInterface, uno::UNO_QUERY);
+ if (xProperties.is())
+- SvXMLUnitConverter::convertPropertySet(xProperties, aConfigProps);
++ SvXMLUnitConverter::convertPropertySet(xProperties, aFilteredProps);
+ }
+ }
+ }
+diff --git a/sc/source/ui/docshell/docsh4.cxx b/sc/source/ui/docshell/docsh4.cxx
+index dd9eaf8..9e4a27b 100644
+--- a/sc/source/ui/docshell/docsh4.cxx
++++ b/sc/source/ui/docshell/docsh4.cxx
+@@ -48,6 +48,7 @@ using namespace ::com::sun::star;
+ #include <svl/PasswordHelper.hxx>
+ #include <svl/documentlockfile.hxx>
+ #include <svl/sharecontrolfile.hxx>
++#include <unotools/securityoptions.hxx>
+
+ #include <comphelper/processfactory.hxx>
+ #include "docuno.hxx"
+@@ -423,12 +424,23 @@ void ScDocShell::Execute( SfxRequest& rReq )
+
+ if (nCanUpdate == com::sun::star::document::UpdateDocMode::NO_UPDATE)
+ nSet = LM_NEVER;
+- else if (nCanUpdate == com::sun::star::document::UpdateDocMode::QUIET_UPDATE &&
+- nSet == LM_ON_DEMAND)
+- nSet = LM_NEVER;
+ else if (nCanUpdate == com::sun::star::document::UpdateDocMode::FULL_UPDATE)
+ nSet = LM_ALWAYS;
+
++ if (nSet == LM_ALWAYS
++ && !(SvtSecurityOptions()
++ .isTrustedLocationUriForUpdatingLinks(
++ GetMedium() == nullptr
++ ? OUString() : GetMedium()->GetName())))
++ {
++ nSet = LM_ON_DEMAND;
++ }
++ if (nCanUpdate == css::document::UpdateDocMode::QUIET_UPDATE
++ && nSet == LM_ON_DEMAND)
++ {
++ nSet = LM_NEVER;
++ }
++
+ if(nSet==LM_ON_DEMAND)
+ {
+ QueryBox aBox( GetActiveDialogParent(), WinBits(WB_YES_NO | WB_DEF_YES),
+diff --git a/sw/source/core/doc/docnew.cxx b/sw/source/core/doc/docnew.cxx
+index d42dd9f..6f0e94e 100644
+--- a/sw/source/core/doc/docnew.cxx
++++ b/sw/source/core/doc/docnew.cxx
+@@ -103,6 +103,8 @@
+ #include <fmtmeta.hxx>
+ #include <boost/foreach.hpp>
+
++#include <unotools/securityoptions.hxx>
++
+ using namespace ::com::sun::star;
+ using namespace ::com::sun::star::document;
+
+@@ -889,6 +889,15 @@ void SwDoc::UpdateLinks( bool bUI )
+ case document::UpdateDocMode::QUIET_UPDATE:bAskUpdate = false; break;
+ case document::UpdateDocMode::FULL_UPDATE: bAskUpdate = true; break;
+ }
++ if (nLinkMode == AUTOMATIC && !bAskUpdate)
++ {
++ SfxMedium * medium = GetDocShell()->GetMedium();
++ if (!SvtSecurityOptions().isTrustedLocationUriForUpdatingLinks(
++ medium == nullptr ? OUString() : medium->GetName()))
++ {
++ bAskUpdate = true;
++ }
++ }
+ if( bUpdate && (bUI || !bAskUpdate) )
+ {
+ SfxMedium* pMedium = GetDocShell()->GetMedium();
+diff --git a/sw/source/filter/xml/xmlimp.cxx b/sw/source/filter/xml/xmlimp.cxx
+index 3af249c..53301e7 100644
+--- a/sw/source/filter/xml/xmlimp.cxx
++++ b/sw/source/filter/xml/xmlimp.cxx
+@@ -1072,45 +1072,45 @@ void SwXMLImport::SetConfigurationSettings(const Sequence < PropertyValue > & aC
+ if( !xInfo.is() )
+ return;
+
+- boost::unordered_set< OUString, OUStringHash > aSet;
+- aSet.insert("ForbiddenCharacters");
+- aSet.insert("IsKernAsianPunctuation");
+- aSet.insert("CharacterCompressionType");
+- aSet.insert("LinkUpdateMode");
+- aSet.insert("FieldAutoUpdate");
+- aSet.insert("ChartAutoUpdate");
+- aSet.insert("AddParaTableSpacing");
+- aSet.insert("AddParaTableSpacingAtStart");
+- aSet.insert("PrintAnnotationMode");
+- aSet.insert("PrintBlackFonts");
+- aSet.insert("PrintControls");
+- aSet.insert("PrintDrawings");
+- aSet.insert("PrintGraphics");
+- aSet.insert("PrintLeftPages");
+- aSet.insert("PrintPageBackground");
+- aSet.insert("PrintProspect");
+- aSet.insert("PrintReversed");
+- aSet.insert("PrintRightPages");
+- aSet.insert("PrintFaxName");
+- aSet.insert("PrintPaperFromSetup");
+- aSet.insert("PrintTables");
+- aSet.insert("PrintSingleJobs");
+- aSet.insert("UpdateFromTemplate");
+- aSet.insert("PrinterIndependentLayout");
+- aSet.insert("PrintEmptyPages");
+- aSet.insert("SmallCapsPercentage66");
+- aSet.insert("TabOverflow");
+- aSet.insert("UnbreakableNumberings");
+- aSet.insert("ClippedPictures");
+- aSet.insert("BackgroundParaOverDrawings");
+- aSet.insert("TabOverMargin");
++ boost::unordered_set< OUString, OUStringHash > aExcludeAlways;
++ aExcludeAlways.insert("LinkUpdateMode");
++ boost::unordered_set< OUString, OUStringHash > aExcludeWhenNotLoadingUserSettings;
++ aExcludeWhenNotLoadingUserSettings.insert("ForbiddenCharacters");
++ aExcludeWhenNotLoadingUserSettings.insert("IsKernAsianPunctuation");
++ aExcludeWhenNotLoadingUserSettings.insert("CharacterCompressionType");
++ aExcludeWhenNotLoadingUserSettings.insert("FieldAutoUpdate");
++ aExcludeWhenNotLoadingUserSettings.insert("ChartAutoUpdate");
++ aExcludeWhenNotLoadingUserSettings.insert("AddParaTableSpacing");
++ aExcludeWhenNotLoadingUserSettings.insert("AddParaTableSpacingAtStart");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintAnnotationMode");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintBlackFonts");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintControls");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintDrawings");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintGraphics");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintLeftPages");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintPageBackground");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintProspect");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintReversed");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintRightPages");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintFaxName");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintPaperFromSetup");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintTables");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintSingleJobs");
++ aExcludeWhenNotLoadingUserSettings.insert("UpdateFromTemplate");
++ aExcludeWhenNotLoadingUserSettings.insert("PrinterIndependentLayout");
++ aExcludeWhenNotLoadingUserSettings.insert("PrintEmptyPages");
++ aExcludeWhenNotLoadingUserSettings.insert("SmallCapsPercentage66");
++ aExcludeWhenNotLoadingUserSettings.insert("TabOverflow");
++ aExcludeWhenNotLoadingUserSettings.insert("UnbreakableNumberings");
++ aExcludeWhenNotLoadingUserSettings.insert("ClippedPictures");
++ aExcludeWhenNotLoadingUserSettings.insert("BackgroundParaOverDrawings");
++ aExcludeWhenNotLoadingUserSettings.insert("TabOverMargin");
+
+ sal_Int32 nCount = aConfigProps.getLength();
+ const PropertyValue* pValues = aConfigProps.getConstArray();
+
+ SvtSaveOptions aSaveOpt;
+- bool bIsUserSetting = aSaveOpt.IsLoadUserSettings(),
+- bSet = bIsUserSetting;
++ bool bIsUserSetting = aSaveOpt.IsLoadUserSettings();
+
+ // for some properties we don't want to use the application
+ // default if they're missing. So we watch for them in the loop
+@@ -1145,10 +1145,12 @@ void SwXMLImport::SetConfigurationSettings(const Sequence < PropertyValue > & aC
+
+ while( nCount-- )
+ {
+- if( !bIsUserSetting )
++ bool bSet = aExcludeAlways.find(pValues->Name) == aExcludeAlways.end();
++ if( bSet && !bIsUserSetting
++ && (aExcludeWhenNotLoadingUserSettings.find(pValues->Name)
++ != aExcludeWhenNotLoadingUserSettings.end()) )
+ {
+- // test over the hash value if the entry is in the table.
+- bSet = aSet.find(pValues->Name) == aSet.end();
++ bSet = false;
+ }
+
+ if( bSet )
+diff --git a/unotools/source/config/securityoptions.cxx b/unotools/source/config/securityoptions.cxx
+index 7906ed7..86055c5 100644
+--- a/unotools/source/config/securityoptions.cxx
++++ b/unotools/source/config/securityoptions.cxx
+@@ -1051,6 +1051,14 @@ bool SvtSecurityOptions::isTrustedLocationUri(OUString const & uri) const {
+ return false;
+ }
+
++bool SvtSecurityOptions::isTrustedLocationUriForUpdatingLinks(
++ OUString const & uri) const
++{
++ return GetMacroSecurityLevel() == 0 || uri.isEmpty()
++ || uri.startsWithIgnoreAsciiCase("private:")
++ || isTrustedLocationUri(uri);
++}
++
+ sal_Int32 SvtSecurityOptions::GetMacroSecurityLevel() const
+ {
+ MutexGuard aGuard( GetInitMutex() );
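Review bot: `isTrustedLocationUriForUpdatingLinks` is declared in securityoptions.hxx without a doc comment, although its implementation in securityoptions.cxx returns true in three cases the name does not suggest: macro security level 0, an empty URI, and any URI starting with `private:`. A comment on the declaration such as `/** Whether links of a document loaded from uri may be updated without asking: true if the macro security level is 0, uri is empty or a private: URI, or isTrustedLocationUri(uri) holds. */` would make the coupling to the macro security setting visible to callers. In the docnew.cxx hunk the added block calls `GetDocShell()->GetMedium()` without checking the shell pointer; the existing code just below does the same, so it may be guaranteed non-null, but SwDoc::UpdateLinks continues outside the hunk and that cannot be confirmed here. The changelog hunk cites CVE-2014-4551 for this patch, which disagrees with the file name CVE-2015-4551.diff.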
diff --git a/patches/coverity-1266485.diff b/patches/coverity-1266485.diff
new file mode 100644
index 0000000..df67123
--- /dev/null
+++ b/patches/coverity-1266485.diff
@@ -0,0 +1,95 @@
+From 9051d3b59cf6e5fd590506bb86bfb8929d3024c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 26 Jan 2015 11:26:41 +0000
+Subject: coverity#1266485 Untrusted value as argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I7708ecaf5412535055584ed6c71beaa9cd71c10c
+(cherry picked from commit 0934ed1a40c59c169354b177d7dab4228de66171)
+
+min legal size here is > 4
+
+(cherry picked from commit 3131205c05a3fde4ef1e3322cc48ca23c443f6d3)
+
+Change-Id: I9f68d000b32623db4d949d13284043630f5689f4
+(cherry picked from commit 964000d415bcf491704dad57aee7e0656ea60dab)
+Reviewed-on: https://gerrit.libreoffice.org/16984
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Reviewed-by: Björn Michaelsen <bjoern.michaelsen@canonical.com>
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
+Tested-by: Michael Meeks <michael.meeks@collabora.com>
+
+diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx
+index ec1f44f..c67255e 100644
+--- a/vcl/source/gdi/jobset.cxx
++++ b/vcl/source/gdi/jobset.cxx
+@@ -218,19 +218,24 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
+ DBG_ASSERTWARNING( rIStream.GetVersion(), "JobSetup::>> - Solar-Version not set on rOStream" );
+
+ {
+- sal_Size nFirstPos = rIStream.Tell();
+-
+ sal_uInt16 nLen = 0;
+ rIStream.ReadUInt16( nLen );
+- if ( !nLen )
++ if (nLen <= 4)
+ return rIStream;
+
+ sal_uInt16 nSystem = 0;
+ rIStream.ReadUInt16( nSystem );
+-
+- boost::scoped_array<char> pTempBuf(new char[nLen]);
+- rIStream.Read( pTempBuf.get(), nLen - sizeof( nLen ) - sizeof( nSystem ) );
+- if ( nLen >= sizeof(ImplOldJobSetupData)+4 )
++ const size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
++ if (nRead > rIStream.remainingSize())
++ {
++ SAL_WARN("vcl", "Parsing error: " << rIStream.remainingSize() <<
++ " max possible entries, but " << nRead << " claimed, truncating");
++ return rIStream;
++ }
++ sal_Size nFirstPos = rIStream.Tell();
++ boost::scoped_array<char> pTempBuf(new char[nRead]);
++ rIStream.Read(pTempBuf.get(), nRead);
++ if (nRead >= sizeof(ImplOldJobSetupData))
+ {
+ ImplOldJobSetupData* pData = (ImplOldJobSetupData*)pTempBuf.get();
+ if ( rJobSetup.mpData )
+@@ -255,7 +260,7 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
+ nSystem == JOBSET_FILE605_SYSTEM )
+ {
+ Impl364JobSetupData* pOldJobData = (Impl364JobSetupData*)(pTempBuf.get() + sizeof( ImplOldJobSetupData ));
+- sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize );
++ sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize );
+ pJobData->mnSystem = SVBT16ToShort( pOldJobData->nSystem );
+ pJobData->mnDriverDataLen = SVBT32ToUInt32( pOldJobData->nDriverDataLen );
+ pJobData->meOrientation = (Orientation)SVBT16ToShort( pOldJobData->nOrientation );
+@@ -272,8 +277,8 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
+ }
+ if( nSystem == JOBSET_FILE605_SYSTEM )
+ {
+- rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + 4 + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
+- while( rIStream.Tell() < nFirstPos + nLen )
++ rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
++ while( rIStream.Tell() < nFirstPos + nRead )
+ {
+ OUString aKey = read_uInt16_lenPrefixed_uInt8s_ToOUString(rIStream, RTL_TEXTENCODING_UTF8);
+ OUString aValue = read_uInt16_lenPrefixed_uInt8s_ToOUString(rIStream, RTL_TEXTENCODING_UTF8);
+@@ -291,9 +296,9 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
+ else
+ pJobData->maValueMap[ aKey ] = aValue;
+ }
+- DBG_ASSERT( rIStream.Tell() == nFirstPos+nLen, "corrupted job setup" );
++ DBG_ASSERT( rIStream.Tell() == nFirstPos+nRead, "corrupted job setup" );
+ // ensure correct stream position
+- rIStream.Seek( nFirstPos + nLen );
++ rIStream.Seek(nFirstPos + nRead);
+ }
+ }
+ }
+--
+cgit v0.10.2
+
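Review bot: The new length check only guarantees `nRead >= sizeof(ImplOldJobSetupData)`, but the JOBSET_FILE364_SYSTEM / JOBSET_FILE605_SYSTEM branch then casts `pTempBuf.get() + sizeof( ImplOldJobSetupData )` to `Impl364JobSetupData*` and reads its fields, and no check that the buffer also holds that second structure is visible in these hunks. Unless the lines between the hunks already cover it, that branch should be guarded with `if (nRead >= sizeof(ImplOldJobSetupData) + sizeof(Impl364JobSetupData))`, and `pJobData->mnDriverDataLen`, which comes from the file, should be compared against the rest of `nRead` before it is used in the `Seek` offset. Separately, the SAL_WARN text says "max possible entries" and "truncating" although the values are byte counts and the function returns without reading; `"JobSetup claims " << nRead << " bytes but only " << rIStream.remainingSize() << " remain, ignoring"` would describe what actually happens. ReadJobSetup starts and ends outside the hunks.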
diff --git a/patches/pStatus-vector-offsets.diff b/patches/pStatus-vector-offsets.diff
new file mode 100644
index 0000000..67346c3
--- /dev/null
+++ b/patches/pStatus-vector-offsets.diff
@@ -0,0 +1,85 @@
+From 92c3a5b80ac575e1c538894b7c1a4170093785b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Thu, 13 Aug 2015 10:58:06 +0100
+Subject: convert pStatus to vector and use at to check offsets
+
+(cherry picked from commit ea70088895ed45dc60abf18319acc1b4fa3018dd)
+
+Change-Id: I5186f6a65bb9d5ed8a0d1ab1d71f7e2c13865411
+Reviewed-on: https://gerrit.libreoffice.org/17695
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+
+diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
+index 93583c4..f243e4b 100644
+--- a/sw/source/filter/ww8/ww8scan.cxx
++++ b/sw/source/filter/ww8/ww8scan.cxx
+@@ -3972,7 +3972,7 @@ void WW8ReadSTTBF(bool bVer8, SvStream& rStrm, sal_uInt32 nStart, sal_Int32 nLen
+ }
+
+ WW8PLCFx_Book::WW8PLCFx_Book(SvStream* pTblSt, const WW8Fib& rFib)
+- : WW8PLCFx(rFib.GetFIBVersion(), false), pStatus(0), nIsEnd(0), nBookmarkId(1)
++ : WW8PLCFx(rFib.GetFIBVersion(), false), nIsEnd(0), nBookmarkId(1)
+ {
+ if( !rFib.fcPlcfbkf || !rFib.lcbPlcfbkf || !rFib.fcPlcfbkl ||
+ !rFib.lcbPlcfbkl || !rFib.fcSttbfbkmk || !rFib.lcbSttbfbkmk )
+@@ -3997,14 +3997,12 @@ WW8PLCFx_Book::WW8PLCFx_Book(SvStream* pTblSt, const WW8Fib& rFib)
+ nIMax = pBook[0]->GetIMax();
+ if( pBook[1]->GetIMax() < nIMax )
+ nIMax = pBook[1]->GetIMax();
+- pStatus = new eBookStatus[ nIMax ];
+- memset( pStatus, 0, nIMax * sizeof( eBookStatus ) );
++ aStatus.resize(nIMax);
+ }
+ }
+
+ WW8PLCFx_Book::~WW8PLCFx_Book()
+ {
+- delete[] pStatus;
+ delete pBook[1];
+ delete pBook[0];
+ }
+@@ -4122,18 +4120,20 @@ long WW8PLCFx_Book::GetLen() const
+ return nNum;
+ }
+
+-void WW8PLCFx_Book::SetStatus(sal_uInt16 nIndex, eBookStatus eStat )
++void WW8PLCFx_Book::SetStatus(sal_uInt16 nIndex, eBookStatus eStat)
+ {
+- OSL_ENSURE(nIndex < nIMax, "set status of non existing bookmark!");
+- pStatus[nIndex] = (eBookStatus)( pStatus[nIndex] | eStat );
++ SAL_WARN_IF(nIndex >= nIMax, "sw.ww8",
++ "bookmark index " << nIndex << " invalid");
++ eBookStatus eStatus = aStatus.at(nIndex);
++ aStatus[nIndex] = static_cast<eBookStatus>(eStatus | eStat);
+ }
+
+ eBookStatus WW8PLCFx_Book::GetStatus() const
+ {
+- if( !pStatus )
++ if (aStatus.empty())
+ return BOOK_NORMAL;
+ long nEndIdx = GetHandle();
+- return ( nEndIdx < nIMax ) ? pStatus[nEndIdx] : BOOK_NORMAL;
++ return ( nEndIdx < nIMax ) ? aStatus[nEndIdx] : BOOK_NORMAL;
+ }
+
+ long WW8PLCFx_Book::GetHandle() const
+diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx
+index ed4d496..747fdff 100644
+--- a/sw/source/filter/ww8/ww8scan.hxx
++++ b/sw/source/filter/ww8/ww8scan.hxx
+@@ -734,8 +734,8 @@ class WW8PLCFx_Book : public WW8PLCFx
+ {
+ private:
+ WW8PLCFspecial* pBook[2]; // Start and End Position
+- ::std::vector<OUString> aBookNames; // Name
+- eBookStatus* pStatus;
++ std::vector<OUString> aBookNames; // Name
++ std::vector<eBookStatus> aStatus;
+ long nIMax; // Number of Booknotes
+ sal_uInt16 nIsEnd;
+ sal_Int32 nBookmarkId; // counter incremented by GetUniqueBookmarkName.
+--
+cgit v0.10.2
+
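Review bot: `GetStatus` still indexes with the unchecked `aStatus[nEndIdx]`, guarded only by `nEndIdx < nIMax` on a signed `long`, while `SetStatus` in the same hunk was moved to the checked `aStatus.at(nIndex)`. GetHandle is defined outside the hunk, so whether it can return a negative value cannot be confirmed here; checking against the vector itself, `return (nEndIdx >= 0 && static_cast<size_t>(nEndIdx) < aStatus.size()) ? aStatus[nEndIdx] : BOOK_NORMAL;`, would remove the dependence on `nIMax` staying in step with the container. In `SetStatus` an out-of-range index now raises `std::out_of_range` after the warning; a comment stating that this is intentional and which caller is expected to catch it would help, since no handler is visible here. The constructor's `aStatus.resize(nIMax)` also receives a signed `long`, so a negative `nIMax` should be ruled out before the call if `GetIMax()` can return one.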
diff --git a/patches/series b/patches/series
index 4ba158a..daad6bc 100644
--- a/patches/series
+++ b/patches/series
@@ -37,3 +37,7 @@ lt-LT-euro-translations.diff
euro-wizard-ods-not-sxc.diff
backport-rtf-fixes.diff
hwpreader-check-reads.diff
+CVE-2015-4551.diff
+ww8dontwrap.diff
+coverity-1266485.diff
+pStatus-vector-offsets.diff
diff --git a/patches/ww8dontwrap.diff b/patches/ww8dontwrap.diff
new file mode 100644
index 0000000..bb542b7
--- /dev/null
+++ b/patches/ww8dontwrap.diff
@@ -0,0 +1,35 @@
+From fae8b7dfeb081c050867fb891d9acf0fdd2a6d36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 13 Jul 2015 10:31:30 +0100
+Subject: ww8: make sure we don't wrap around
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I667bb264f92024b72f230c2ddbba3887471345f2
+(cherry picked from commit 755b9320c81948358a1d4104c8875594b5700d39)
+Reviewed-on: https://gerrit.libreoffice.org/16982
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
+Tested-by: Michael Meeks <michael.meeks@collabora.com>
+Reviewed-by: Björn Michaelsen <bjoern.michaelsen@canonical.com>
+
+diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
+index 449bef4..8c3d979 100644
+--- a/sw/source/filter/ww8/ww8scan.cxx
++++ b/sw/source/filter/ww8/ww8scan.cxx
+@@ -1540,7 +1540,11 @@ WW8PLCFpcd* WW8ScannerBase::OpenPieceTable( SvStream* pStr, const WW8Fib* pWwF )
+ if( 2 == clxt ) // PLCFfpcd ?
+ break; // PLCFfpcd gefunden
+ if( 1 == clxt ) // clxtGrpprl ?
++ {
++ if (nGrpprl == SHRT_MAX)
++ return NULL;
+ nGrpprl++;
++ }
+ sal_uInt16 nLen(0);
+ pStr->ReadUInt16( nLen );
+ nLeft -= 2 + nLen;
+--
+cgit v0.10.2
+
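Review bot: The new guard `if (nGrpprl == SHRT_MAX) return NULL;` carries no comment, and its correctness depends on the declared type of `nGrpprl`, which is outside the hunk. A comment such as `// nGrpprl counts clxtGrpprl entries read from the file; reject the document instead of letting the counter wrap` would record why the limit exists. If the counter is not a `short`, the bound should be written with that type's own maximum so the check follows the declaration. `SHRT_MAX` comes from `<climits>` and the patch adds no include, so it presumably relies on a transitive one. OpenPieceTable starts and ends outside the hunk.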
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openoffice/libreoffice.git