
[libreoffice] 01/01: add 1:4.3.3-2+deb8u2 (jessie-security) changes



This is an automated email from the git hooks/post-receive script.

rene pushed a commit to branch debian-jessie-4.3.3
in repository libreoffice.

commit 6b1e0b5a5e719eeafb1ec7871b874331b3dc0fa5
Author: Rene Engelhard <rene@debian.org>
Date:   Thu Nov 5 21:22:24 2015 +0100

    add 1:4.3.3-2+deb8u2 (jessie-security) changes
---
 changelog                           |  17 +++
 patches/CVE-2015-4551.diff          | 232 ++++++++++++++++++++++++++++++++++++
 patches/coverity-1266485.diff       |  95 +++++++++++++++
 patches/pStatus-vector-offsets.diff |  85 +++++++++++++
 patches/series                      |   4 +
 patches/ww8dontwrap.diff            |  35 ++++++
 6 files changed, 468 insertions(+)

diff --git a/changelog b/changelog
index e248faf..a35bb71 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,20 @@
+libreoffice (1:4.3.3-2+deb8u2) jessie-security; urgency=high
+
+  * debian/patches/CVE-2015-4551.diff: backport fix for Arbritary
+    file disclosure vulnerability (CVE-2014-4551) from libreoffice-4-4-4
+    branch
+  * debian/patches/ww8dontwrap.diff: fix 'LibreOffice "Piece Table Counter"
+    Invalid Check Design Error Vulnerability' (CVE-2015-5213), from
+    libreoffice-4-4-5 branch
+  * debian/patches/coverity-1266485.diff: fix 'LibreOffice "PrinterSetup
+    Length" Integer Underflow Vulnerability' (CVE-2015-5212),
+    from libreoffice-4-4-5 branch
+  * debian/patches/pStatus-vector-offsets.diff: fix 'LibreOffice Bookmark
+    Status Memory Corruption Vulnerability' (CVE-2015-5214),
+    from libreoffice-4-4 branch
+
+ -- Rene Engelhard <rene@debian.org>  Fri, 28 Aug 2015 16:09:50 +0200
+
 libreoffice (1:4.3.3-2+deb8u1) unstable; urgency=high
 
   * debian/patches/hwpreader-check-reads.patch: fix
diff --git a/patches/CVE-2015-4551.diff b/patches/CVE-2015-4551.diff
new file mode 100644
index 0000000..1454655
--- /dev/null
+++ b/patches/CVE-2015-4551.diff
@@ -0,0 +1,232 @@
+diff --git a/include/unotools/securityoptions.hxx b/include/unotools/securityoptions.hxx
+index 3bd8807..77e4720 100644
+--- a/include/unotools/securityoptions.hxx
++++ b/include/unotools/securityoptions.hxx
+@@ -186,6 +186,8 @@ class UNOTOOLS_DLLPUBLIC SAL_WARN_UNUSED SvtSecurityOptions : public utl::detail
+         */
+         bool isTrustedLocationUri(OUString const & uri) const;
+ 
++        bool isTrustedLocationUriForUpdatingLinks(OUString const & uri) const;
++
+         ::com::sun::star::uno::Sequence< Certificate >  GetTrustedAuthors       (                                                                   ) const;
+         void                                            SetTrustedAuthors       ( const ::com::sun::star::uno::Sequence< Certificate >& rAuthors    );
+ 
+diff --git a/sc/source/filter/xml/xmlimprt.cxx b/sc/source/filter/xml/xmlimprt.cxx
+index e1b73fe..c5f1ef5 100644
+--- a/sc/source/filter/xml/xmlimprt.cxx
++++ b/sc/source/filter/xml/xmlimprt.cxx
+@@ -2628,6 +2628,9 @@ void ScXMLImport::SetConfigurationSettings(const uno::Sequence<beans::PropertyVa
+             OUString sCTName("TrackedChangesProtectionKey");
+             OUString sVBName("VBACompatibilityMode");
+             OUString sSCName("ScriptConfiguration");
++            css::uno::Sequence<css::beans::PropertyValue> aFilteredProps(
++                aConfigProps.getLength());
++            sal_Int32 nFilteredPropsLen = 0;
+             for (sal_Int32 i = nCount - 1; i >= 0; --i)
+             {
+                 if (aConfigProps[i].Name == sCTName)
+@@ -2662,11 +2665,16 @@ void ScXMLImport::SetConfigurationSettings(const uno::Sequence<beans::PropertyVa
+                             xImportInfo->setPropertyValue( aConfigProps[i].Name, aConfigProps[i].Value );
+                     }
+                 }
++                if (aConfigProps[i].Name != "LinkUpdateMode")
++                {
++                    aFilteredProps[nFilteredPropsLen++] = aConfigProps[i];
++                }
+             }
++            aFilteredProps.realloc(nFilteredPropsLen);
+             uno::Reference <uno::XInterface> xInterface = xMultiServiceFactory->createInstance("com.sun.star.comp.SpreadsheetSettings");
+             uno::Reference <beans::XPropertySet> xProperties(xInterface, uno::UNO_QUERY);
+             if (xProperties.is())
+-                SvXMLUnitConverter::convertPropertySet(xProperties, aConfigProps);
++                SvXMLUnitConverter::convertPropertySet(xProperties, aFilteredProps);
+         }
+     }
+ }
+diff --git a/sc/source/ui/docshell/docsh4.cxx b/sc/source/ui/docshell/docsh4.cxx
+index dd9eaf8..9e4a27b 100644
+--- a/sc/source/ui/docshell/docsh4.cxx
++++ b/sc/source/ui/docshell/docsh4.cxx
+@@ -48,6 +48,7 @@ using namespace ::com::sun::star;
+ #include <svl/PasswordHelper.hxx>
+ #include <svl/documentlockfile.hxx>
+ #include <svl/sharecontrolfile.hxx>
++#include <unotools/securityoptions.hxx>
+ 
+ #include <comphelper/processfactory.hxx>
+ #include "docuno.hxx"
+@@ -423,12 +424,23 @@ void ScDocShell::Execute( SfxRequest& rReq )
+ 
+                 if (nCanUpdate == com::sun::star::document::UpdateDocMode::NO_UPDATE)
+                     nSet = LM_NEVER;
+-                else if (nCanUpdate == com::sun::star::document::UpdateDocMode::QUIET_UPDATE &&
+-                    nSet == LM_ON_DEMAND)
+-                    nSet = LM_NEVER;
+                 else if (nCanUpdate == com::sun::star::document::UpdateDocMode::FULL_UPDATE)
+                     nSet = LM_ALWAYS;
+ 
++                if (nSet == LM_ALWAYS
++                    && !(SvtSecurityOptions()
++                         .isTrustedLocationUriForUpdatingLinks(
++                             GetMedium() == nullptr
++                             ? OUString() : GetMedium()->GetName())))
++                {
++                    nSet = LM_ON_DEMAND;
++                }
++                if (nCanUpdate == css::document::UpdateDocMode::QUIET_UPDATE
++                    && nSet == LM_ON_DEMAND)
++                {
++                    nSet = LM_NEVER;
++                }
++
+                 if(nSet==LM_ON_DEMAND)
+                 {
+                     QueryBox aBox( GetActiveDialogParent(), WinBits(WB_YES_NO | WB_DEF_YES),
+diff --git a/sw/source/core/doc/docnew.cxx b/sw/source/core/doc/docnew.cxx
+index d42dd9f..6f0e94e 100644
+--- a/sw/source/core/doc/docnew.cxx
++++ b/sw/source/core/doc/docnew.cxx
+@@ -103,6 +103,8 @@
+ #include <fmtmeta.hxx>
+ #include <boost/foreach.hpp>
+ 
++#include <unotools/securityoptions.hxx>
++
+ using namespace ::com::sun::star;
+ using namespace ::com::sun::star::document;
+ 
+@@ -889,6 +889,15 @@ void SwDoc::UpdateLinks( bool bUI )
+                 case document::UpdateDocMode::QUIET_UPDATE:bAskUpdate = false; break;
+                 case document::UpdateDocMode::FULL_UPDATE: bAskUpdate = true; break;
+             }
++            if (nLinkMode == AUTOMATIC && !bAskUpdate)
++            {
++                SfxMedium * medium = GetDocShell()->GetMedium();
++                if (!SvtSecurityOptions().isTrustedLocationUriForUpdatingLinks(
++                        medium == nullptr ? OUString() : medium->GetName()))
++                {
++                    bAskUpdate = true;
++                }
++            }
+             if( bUpdate && (bUI || !bAskUpdate) )
+             {
+                 SfxMedium* pMedium = GetDocShell()->GetMedium();
+diff --git a/sw/source/filter/xml/xmlimp.cxx b/sw/source/filter/xml/xmlimp.cxx
+index 3af249c..53301e7 100644
+--- a/sw/source/filter/xml/xmlimp.cxx
++++ b/sw/source/filter/xml/xmlimp.cxx
+@@ -1072,45 +1072,45 @@ void SwXMLImport::SetConfigurationSettings(const Sequence < PropertyValue > & aC
+     if( !xInfo.is() )
+         return;
+ 
+-    boost::unordered_set< OUString, OUStringHash > aSet;
+-    aSet.insert("ForbiddenCharacters");
+-    aSet.insert("IsKernAsianPunctuation");
+-    aSet.insert("CharacterCompressionType");
+-    aSet.insert("LinkUpdateMode");
+-    aSet.insert("FieldAutoUpdate");
+-    aSet.insert("ChartAutoUpdate");
+-    aSet.insert("AddParaTableSpacing");
+-    aSet.insert("AddParaTableSpacingAtStart");
+-    aSet.insert("PrintAnnotationMode");
+-    aSet.insert("PrintBlackFonts");
+-    aSet.insert("PrintControls");
+-    aSet.insert("PrintDrawings");
+-    aSet.insert("PrintGraphics");
+-    aSet.insert("PrintLeftPages");
+-    aSet.insert("PrintPageBackground");
+-    aSet.insert("PrintProspect");
+-    aSet.insert("PrintReversed");
+-    aSet.insert("PrintRightPages");
+-    aSet.insert("PrintFaxName");
+-    aSet.insert("PrintPaperFromSetup");
+-    aSet.insert("PrintTables");
+-    aSet.insert("PrintSingleJobs");
+-    aSet.insert("UpdateFromTemplate");
+-    aSet.insert("PrinterIndependentLayout");
+-    aSet.insert("PrintEmptyPages");
+-    aSet.insert("SmallCapsPercentage66");
+-    aSet.insert("TabOverflow");
+-    aSet.insert("UnbreakableNumberings");
+-    aSet.insert("ClippedPictures");
+-    aSet.insert("BackgroundParaOverDrawings");
+-    aSet.insert("TabOverMargin");
++    boost::unordered_set< OUString, OUStringHash > aExcludeAlways;
++    aExcludeAlways.insert("LinkUpdateMode");
++    boost::unordered_set< OUString, OUStringHash > aExcludeWhenNotLoadingUserSettings;
++    aExcludeWhenNotLoadingUserSettings.insert("ForbiddenCharacters");
++    aExcludeWhenNotLoadingUserSettings.insert("IsKernAsianPunctuation");
++    aExcludeWhenNotLoadingUserSettings.insert("CharacterCompressionType");
++    aExcludeWhenNotLoadingUserSettings.insert("FieldAutoUpdate");
++    aExcludeWhenNotLoadingUserSettings.insert("ChartAutoUpdate");
++    aExcludeWhenNotLoadingUserSettings.insert("AddParaTableSpacing");
++    aExcludeWhenNotLoadingUserSettings.insert("AddParaTableSpacingAtStart");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintAnnotationMode");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintBlackFonts");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintControls");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintDrawings");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintGraphics");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintLeftPages");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintPageBackground");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintProspect");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintReversed");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintRightPages");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintFaxName");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintPaperFromSetup");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintTables");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintSingleJobs");
++    aExcludeWhenNotLoadingUserSettings.insert("UpdateFromTemplate");
++    aExcludeWhenNotLoadingUserSettings.insert("PrinterIndependentLayout");
++    aExcludeWhenNotLoadingUserSettings.insert("PrintEmptyPages");
++    aExcludeWhenNotLoadingUserSettings.insert("SmallCapsPercentage66");
++    aExcludeWhenNotLoadingUserSettings.insert("TabOverflow");
++    aExcludeWhenNotLoadingUserSettings.insert("UnbreakableNumberings");
++    aExcludeWhenNotLoadingUserSettings.insert("ClippedPictures");
++    aExcludeWhenNotLoadingUserSettings.insert("BackgroundParaOverDrawings");
++    aExcludeWhenNotLoadingUserSettings.insert("TabOverMargin");
+ 
+     sal_Int32 nCount = aConfigProps.getLength();
+     const PropertyValue* pValues = aConfigProps.getConstArray();
+ 
+     SvtSaveOptions aSaveOpt;
+-    bool bIsUserSetting = aSaveOpt.IsLoadUserSettings(),
+-         bSet = bIsUserSetting;
++    bool bIsUserSetting = aSaveOpt.IsLoadUserSettings();
+ 
+     // for some properties we don't want to use the application
+     // default if they're missing. So we watch for them in the loop
+@@ -1145,10 +1145,12 @@ void SwXMLImport::SetConfigurationSettings(const Sequence < PropertyValue > & aC
+ 
+     while( nCount-- )
+     {
+-        if( !bIsUserSetting )
++        bool bSet = aExcludeAlways.find(pValues->Name) == aExcludeAlways.end();
++        if( bSet && !bIsUserSetting
++            && (aExcludeWhenNotLoadingUserSettings.find(pValues->Name)
++                != aExcludeWhenNotLoadingUserSettings.end()) )
+         {
+-            // test over the hash value if the entry is in the table.
+-            bSet = aSet.find(pValues->Name) == aSet.end();
++            bSet = false;
+         }
+ 
+         if( bSet )
+diff --git a/unotools/source/config/securityoptions.cxx b/unotools/source/config/securityoptions.cxx
+index 7906ed7..86055c5 100644
+--- a/unotools/source/config/securityoptions.cxx
++++ b/unotools/source/config/securityoptions.cxx
+@@ -1051,6 +1051,14 @@ bool SvtSecurityOptions::isTrustedLocationUri(OUString const & uri) const {
+     return false;
+ }
+ 
++bool SvtSecurityOptions::isTrustedLocationUriForUpdatingLinks(
++    OUString const & uri) const
++{
++    return GetMacroSecurityLevel() == 0 || uri.isEmpty()
++        || uri.startsWithIgnoreAsciiCase("private:")
++        || isTrustedLocationUri(uri);
++}
++
+ sal_Int32 SvtSecurityOptions::GetMacroSecurityLevel() const
+ {
+     MutexGuard aGuard( GetInitMutex() );
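Review bot: The new `isTrustedLocationUriForUpdatingLinks` declaration in securityoptions.hxx carries no comment, although its definition treats three cases as trusted that the name does not suggest: macro security level 0, an empty URI, and any URI starting with `private:`. Both callers (docsh4.cxx and docnew.cxx) pass `OUString()` when `GetMedium()` is null, so a document without a medium always takes the trusted path; that is presumably meant for new, unsaved documents, but it should be written down next to the declaration. I would add a doc comment there stating that the function returns true when the macro security level is 0, when the URI is empty or uses the `private:` scheme, or when `isTrustedLocationUri(uri)` is true, and that callers must otherwise not update links without asking. In docnew.cxx the added block also dereferences `GetDocShell()` without a null check, the same way the existing line below it does; `SwDoc::UpdateLinks` starts and ends outside the hunk, so I cannot tell whether that is guarded earlier.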
diff --git a/patches/coverity-1266485.diff b/patches/coverity-1266485.diff
new file mode 100644
index 0000000..df67123
--- /dev/null
+++ b/patches/coverity-1266485.diff
@@ -0,0 +1,95 @@
+From 9051d3b59cf6e5fd590506bb86bfb8929d3024c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 26 Jan 2015 11:26:41 +0000
+Subject: coverity#1266485 Untrusted value as argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I7708ecaf5412535055584ed6c71beaa9cd71c10c
+(cherry picked from commit 0934ed1a40c59c169354b177d7dab4228de66171)
+
+min legal size here is > 4
+
+(cherry picked from commit 3131205c05a3fde4ef1e3322cc48ca23c443f6d3)
+
+Change-Id: I9f68d000b32623db4d949d13284043630f5689f4
+(cherry picked from commit 964000d415bcf491704dad57aee7e0656ea60dab)
+Reviewed-on: https://gerrit.libreoffice.org/16984
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Reviewed-by: Björn Michaelsen <bjoern.michaelsen@canonical.com>
+Reviewed-by: Eike Rathke <erack@redhat.com>
+Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
+Tested-by: Michael Meeks <michael.meeks@collabora.com>
+
+diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx
+index ec1f44f..c67255e 100644
+--- a/vcl/source/gdi/jobset.cxx
++++ b/vcl/source/gdi/jobset.cxx
+@@ -218,19 +218,24 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
+     DBG_ASSERTWARNING( rIStream.GetVersion(), "JobSetup::>> - Solar-Version not set on rOStream" );
+ 
+     {
+-        sal_Size nFirstPos = rIStream.Tell();
+-
+         sal_uInt16 nLen = 0;
+         rIStream.ReadUInt16( nLen );
+-        if ( !nLen )
++        if (nLen <= 4)
+             return rIStream;
+ 
+         sal_uInt16 nSystem = 0;
+         rIStream.ReadUInt16( nSystem );
+-
+-        boost::scoped_array<char> pTempBuf(new char[nLen]);
+-        rIStream.Read( pTempBuf.get(),  nLen - sizeof( nLen ) - sizeof( nSystem ) );
+-        if ( nLen >= sizeof(ImplOldJobSetupData)+4 )
++        const size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
++        if (nRead > rIStream.remainingSize())
++        {
++            SAL_WARN("vcl", "Parsing error: " << rIStream.remainingSize() <<
++                     " max possible entries, but " << nRead << " claimed, truncating");
++            return rIStream;
++        }
++        sal_Size nFirstPos = rIStream.Tell();
++        boost::scoped_array<char> pTempBuf(new char[nRead]);
++        rIStream.Read(pTempBuf.get(),  nRead);
++        if (nRead >= sizeof(ImplOldJobSetupData))
+         {
+             ImplOldJobSetupData* pData = (ImplOldJobSetupData*)pTempBuf.get();
+             if ( rJobSetup.mpData )
+@@ -255,7 +260,7 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
+                  nSystem == JOBSET_FILE605_SYSTEM )
+             {
+                 Impl364JobSetupData* pOldJobData    = (Impl364JobSetupData*)(pTempBuf.get() + sizeof( ImplOldJobSetupData ));
+-                sal_uInt16 nOldJobDataSize              = SVBT16ToShort( pOldJobData->nSize );
++                sal_uInt16 nOldJobDataSize          = SVBT16ToShort( pOldJobData->nSize );
+                 pJobData->mnSystem                  = SVBT16ToShort( pOldJobData->nSystem );
+                 pJobData->mnDriverDataLen           = SVBT32ToUInt32( pOldJobData->nDriverDataLen );
+                 pJobData->meOrientation             = (Orientation)SVBT16ToShort( pOldJobData->nOrientation );
+@@ -272,8 +277,8 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
+                 }
+                 if( nSystem == JOBSET_FILE605_SYSTEM )
+                 {
+-                    rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + 4 + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
+-                    while( rIStream.Tell() < nFirstPos + nLen )
++                    rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
++                    while( rIStream.Tell() < nFirstPos + nRead )
+                     {
+                         OUString aKey = read_uInt16_lenPrefixed_uInt8s_ToOUString(rIStream, RTL_TEXTENCODING_UTF8);
+                         OUString aValue = read_uInt16_lenPrefixed_uInt8s_ToOUString(rIStream, RTL_TEXTENCODING_UTF8);
+@@ -291,9 +296,9 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup )
+                         else
+                             pJobData->maValueMap[ aKey ] = aValue;
+                     }
+-                    DBG_ASSERT( rIStream.Tell() == nFirstPos+nLen, "corrupted job setup" );
++                    DBG_ASSERT( rIStream.Tell() == nFirstPos+nRead, "corrupted job setup" );
+                     // ensure correct stream position
+-                    rIStream.Seek( nFirstPos + nLen );
++                    rIStream.Seek(nFirstPos + nRead);
+                 }
+             }
+         }
+-- 
+cgit v0.10.2
+
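Review bot: In the `JOBSET_FILE364_SYSTEM` / `JOBSET_FILE605_SYSTEM` branch the buffer is still cast to `Impl364JobSetupData` at offset `sizeof( ImplOldJobSetupData )` and its fields are read, while the only size check on the new side is `nRead >= sizeof(ImplOldJobSetupData)`. A record whose `nRead` lies between that size and the combined size of both structures would make `pOldJobData->nSize` and the fields after it read beyond the `nRead`-byte `pTempBuf` allocation. I would add `if (nRead < sizeof(ImplOldJobSetupData) + sizeof(Impl364JobSetupData)) return rIStream;` before the cast. `pJobData->mnDriverDataLen` is also taken from the file and feeds the later `Seek`; whether it is bounded against `nRead` is in lines this patch does not show, so that is worth confirming in the full function.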
diff --git a/patches/pStatus-vector-offsets.diff b/patches/pStatus-vector-offsets.diff
new file mode 100644
index 0000000..67346c3
--- /dev/null
+++ b/patches/pStatus-vector-offsets.diff
@@ -0,0 +1,85 @@
+From 92c3a5b80ac575e1c538894b7c1a4170093785b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Thu, 13 Aug 2015 10:58:06 +0100
+Subject: convert pStatus to vector and use at to check offsets
+
+(cherry picked from commit ea70088895ed45dc60abf18319acc1b4fa3018dd)
+
+Change-Id: I5186f6a65bb9d5ed8a0d1ab1d71f7e2c13865411
+Reviewed-on: https://gerrit.libreoffice.org/17695
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+
+diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
+index 93583c4..f243e4b 100644
+--- a/sw/source/filter/ww8/ww8scan.cxx
++++ b/sw/source/filter/ww8/ww8scan.cxx
+@@ -3972,7 +3972,7 @@ void WW8ReadSTTBF(bool bVer8, SvStream& rStrm, sal_uInt32 nStart, sal_Int32 nLen
+ }
+ 
+ WW8PLCFx_Book::WW8PLCFx_Book(SvStream* pTblSt, const WW8Fib& rFib)
+-    : WW8PLCFx(rFib.GetFIBVersion(), false), pStatus(0), nIsEnd(0), nBookmarkId(1)
++    : WW8PLCFx(rFib.GetFIBVersion(), false), nIsEnd(0), nBookmarkId(1)
+ {
+     if( !rFib.fcPlcfbkf || !rFib.lcbPlcfbkf || !rFib.fcPlcfbkl ||
+         !rFib.lcbPlcfbkl || !rFib.fcSttbfbkmk || !rFib.lcbSttbfbkmk )
+@@ -3997,14 +3997,12 @@ WW8PLCFx_Book::WW8PLCFx_Book(SvStream* pTblSt, const WW8Fib& rFib)
+             nIMax = pBook[0]->GetIMax();
+         if( pBook[1]->GetIMax() < nIMax )
+             nIMax = pBook[1]->GetIMax();
+-        pStatus = new eBookStatus[ nIMax ];
+-        memset( pStatus, 0, nIMax * sizeof( eBookStatus ) );
++        aStatus.resize(nIMax);
+     }
+ }
+ 
+ WW8PLCFx_Book::~WW8PLCFx_Book()
+ {
+-    delete[] pStatus;
+     delete pBook[1];
+     delete pBook[0];
+ }
+@@ -4122,18 +4120,20 @@ long WW8PLCFx_Book::GetLen() const
+     return nNum;
+ }
+ 
+-void WW8PLCFx_Book::SetStatus(sal_uInt16 nIndex, eBookStatus eStat )
++void WW8PLCFx_Book::SetStatus(sal_uInt16 nIndex, eBookStatus eStat)
+ {
+-    OSL_ENSURE(nIndex < nIMax, "set status of non existing bookmark!");
+-    pStatus[nIndex] = (eBookStatus)( pStatus[nIndex] | eStat );
++    SAL_WARN_IF(nIndex >= nIMax, "sw.ww8",
++                "bookmark index " << nIndex << " invalid");
++    eBookStatus eStatus = aStatus.at(nIndex);
++    aStatus[nIndex] = static_cast<eBookStatus>(eStatus | eStat);
+ }
+ 
+ eBookStatus WW8PLCFx_Book::GetStatus() const
+ {
+-    if( !pStatus )
++    if (aStatus.empty())
+         return BOOK_NORMAL;
+     long nEndIdx = GetHandle();
+-    return ( nEndIdx < nIMax ) ? pStatus[nEndIdx] : BOOK_NORMAL;
++    return ( nEndIdx < nIMax ) ? aStatus[nEndIdx] : BOOK_NORMAL;
+ }
+ 
+ long WW8PLCFx_Book::GetHandle() const
+diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx
+index ed4d496..747fdff 100644
+--- a/sw/source/filter/ww8/ww8scan.hxx
++++ b/sw/source/filter/ww8/ww8scan.hxx
+@@ -734,8 +734,8 @@ class WW8PLCFx_Book : public WW8PLCFx
+ {
+ private:
+     WW8PLCFspecial* pBook[2];           // Start and End Position
+-    ::std::vector<OUString> aBookNames;   // Name
+-    eBookStatus* pStatus;
++    std::vector<OUString> aBookNames;   // Name
++    std::vector<eBookStatus> aStatus;
+     long nIMax;                         // Number of Booknotes
+     sal_uInt16 nIsEnd;
+     sal_Int32 nBookmarkId; // counter incremented by GetUniqueBookmarkName.
+-- 
+cgit v0.10.2
+
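Review bot: `GetStatus()` still indexes with the unchecked `aStatus[nEndIdx]`, guarded only by `nEndIdx < nIMax`, whereas `SetStatus()` was moved to the bounds-checked `at()`. `nEndIdx` is a signed `long`, so a negative handle would pass that comparison, and the guard tests `nIMax` rather than the vector's real size; whether `GetHandle()` can return a negative value is not visible here. I would make the check depend on the container itself: `return (nEndIdx >= 0 && static_cast<size_t>(nEndIdx) < aStatus.size()) ? aStatus[nEndIdx] : BOOK_NORMAL;`. Separately, `aStatus.at(nIndex)` in `SetStatus()` now throws `std::out_of_range` on a bad index, so the import path that calls it needs a handler; that caller is outside this patch.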
diff --git a/patches/series b/patches/series
index 4ba158a..daad6bc 100644
--- a/patches/series
+++ b/patches/series
@@ -37,3 +37,7 @@ lt-LT-euro-translations.diff
 euro-wizard-ods-not-sxc.diff
 backport-rtf-fixes.diff
 hwpreader-check-reads.diff
+CVE-2015-4551.diff
+ww8dontwrap.diff
+coverity-1266485.diff
+pStatus-vector-offsets.diff
diff --git a/patches/ww8dontwrap.diff b/patches/ww8dontwrap.diff
new file mode 100644
index 0000000..bb542b7
--- /dev/null
+++ b/patches/ww8dontwrap.diff
@@ -0,0 +1,35 @@
+From fae8b7dfeb081c050867fb891d9acf0fdd2a6d36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 13 Jul 2015 10:31:30 +0100
+Subject: ww8: make sure we don't wrap around
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: I667bb264f92024b72f230c2ddbba3887471345f2
+(cherry picked from commit 755b9320c81948358a1d4104c8875594b5700d39)
+Reviewed-on: https://gerrit.libreoffice.org/16982
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
+Tested-by: Michael Meeks <michael.meeks@collabora.com>
+Reviewed-by: Björn Michaelsen <bjoern.michaelsen@canonical.com>
+
+diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
+index 449bef4..8c3d979 100644
+--- a/sw/source/filter/ww8/ww8scan.cxx
++++ b/sw/source/filter/ww8/ww8scan.cxx
+@@ -1540,7 +1540,11 @@ WW8PLCFpcd* WW8ScannerBase::OpenPieceTable( SvStream* pStr, const WW8Fib* pWwF )
+         if( 2 == clxt )                         // PLCFfpcd ?
+             break;                              // PLCFfpcd gefunden
+         if( 1 == clxt )                         // clxtGrpprl ?
++        {
++            if (nGrpprl == SHRT_MAX)
++                return NULL;
+             nGrpprl++;
++        }
+         sal_uInt16 nLen(0);
+         pStr->ReadUInt16( nLen );
+         nLeft -= 2 + nLen;
+-- 
+cgit v0.10.2
+
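Review bot: The new guard compares `nGrpprl` with the hard-coded `SHRT_MAX`, which is the right limit only if `nGrpprl` is a 16-bit signed counter; its declaration is outside the hunk, and the patch adds no comment tying the two together. I would add one above the check, for example `// nGrpprl must not wrap: a file with more grpprls than the counter can hold is malformed`, or derive the limit from the variable's type with `std::numeric_limits`. In the unchanged lines just below, `nLen` is read from the stream and subtracted from `nLeft` with no check visible in this hunk that the read succeeded or that `nLeft` stays non-negative; the loop condition of `WW8ScannerBase::OpenPieceTable` is outside the hunk, so this needs confirming against the full function.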

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openoffice/libreoffice.git

