[libreoffice] 02/02: add fixes for ww8 wrapping and coverity#1266485
commit 8406617fee8634d9e51c1da3a31519d36bfa46d4
Author: Bjoern Michaelsen <bjoern.michaelsen@canonical.com>
Date: Mon Jul 13 17:53:51 2015 +0200
add fixes for ww8 wrapping and coverity#1266485
---
changelog | 6 +++
patches/coverity-1266485.diff | 115 ++++++++++++++++++++++++++++++++++++++++++
patches/series | 2 +
patches/ww8dontwrap.diff | 35 +++++++++++++
4 files changed, 158 insertions(+)
diff --git a/changelog b/changelog
index a7ac452..d756d1e 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,9 @@
+libreoffice (1:3.5.7-0ubuntu9~precise3) precise; urgency=medium
+
+ * add fixes for ww8 wrapping and coverity#1266485
+
+ -- Bjoern Michaelsen <bjoern.michaelsen@canonical.com> Mon, 13 Jul 2015 17:52:44 +0200
+
libreoffice (1:3.5.7-0ubuntu9~precise2) precise; urgency=medium
* add fix for link updates
diff --git a/patches/coverity-1266485.diff b/patches/coverity-1266485.diff
new file mode 100644
index 0000000..92aed93
--- /dev/null
+++ b/patches/coverity-1266485.diff
@@ -0,0 +1,115 @@
+From 0a1f215c8ebe76ff88f8a8e46a4956f45e96a9cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 26 Jan 2015 11:26:41 +0000
+Subject: [PATCH] coverity#1266485 Untrusted value as argument
+
+(cherry picked from commit 0934ed1a40c59c169354b177d7dab4228de66171)
+
+min legal size here is > 4
+
+(cherry picked from commit 3131205c05a3fde4ef1e3322cc48ca23c443f6d3)
+
+(cherry picked from commit 964000d415bcf491704dad57aee7e0656ea60dab)
+Reviewed-on: https://gerrit.libreoffice.org/16983
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+
+Conflicts:
+ vcl/source/gdi/jobset.cxx
+
+9f68d000b32623db4d949d13284043630f5689f4
+
+Change-Id: I7708ecaf5412535055584ed6c71beaa9cd71c10c
+DebianPatchName: coverity-1266485.diff
+---
+ vcl/source/gdi/jobset.cxx | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx
+index 14b86b2..ed27fb4 100644
+--- a/vcl/source/gdi/jobset.cxx
++++ b/vcl/source/gdi/jobset.cxx
+@@ -31,6 +31,7 @@
+ #include <tools/stream.hxx>
+ #include <rtl/alloc.h>
+ #include <vcl/jobset.hxx>
++#include <boost/scoped_array.hpp>
+
+ #include <jobset.h>
+
+@@ -277,21 +278,26 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
+ DBG_ASSERTWARNING( rIStream.GetVersion(), "JobSetup::>> - Solar-Version not set on rOStream" );
+
+ {
+- sal_Size nFirstPos = rIStream.Tell();
+-
+ sal_uInt16 nLen = 0;
+ rIStream >> nLen;
+- if ( !nLen )
++ if (nLen <= 4)
+ return rIStream;
+
+ sal_uInt16 nSystem = 0;
+ rIStream >> nSystem;
+-
+- char* pTempBuf = new char[nLen];
+- rIStream.Read( pTempBuf, nLen - sizeof( nLen ) - sizeof( nSystem ) );
+- if ( nLen >= sizeof(ImplOldJobSetupData)+4 )
++ const size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
++ if (nRead > rIStream.remainingSize())
++ {
++ SAL_WARN("vcl", "Parsing error: " << rIStream.remainingSize() <<
++ " max possible entries, but " << nRead << " claimed, truncating");
++ return rIStream;
++ }
++ sal_Size nFirstPos = rIStream.Tell();
++ boost::scoped_array<char> pTempBuf(new char[nRead]);
++ rIStream.Read(pTempBuf.get(), nRead);
++ if (nRead >= sizeof(ImplOldJobSetupData))
+ {
+- ImplOldJobSetupData* pData = (ImplOldJobSetupData*)pTempBuf;
++ ImplOldJobSetupData* pData = (ImplOldJobSetupData*)pTempBuf.get();
+ if ( rJobSetup.mpData )
+ {
+ if ( rJobSetup.mpData->mnRefCount == 1 )
+@@ -313,7 +319,7 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
+ if ( nSystem == JOBSET_FILE364_SYSTEM ||
+ nSystem == JOBSET_FILE605_SYSTEM )
+ {
+- Impl364JobSetupData* pOldJobData = (Impl364JobSetupData*)(pTempBuf + sizeof( ImplOldJobSetupData ));
++ Impl364JobSetupData* pOldJobData = (Impl364JobSetupData*)(pTempBuf.get() + sizeof( ImplOldJobSetupData ));
+ sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize );
+ pJobData->mnSystem = SVBT16ToShort( pOldJobData->nSystem );
+ pJobData->mnDriverDataLen = SVBT32ToUInt32( pOldJobData->nDriverDataLen );
+@@ -331,8 +337,10 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
+ }
+ if( nSystem == JOBSET_FILE605_SYSTEM )
+ {
+- rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + 4 + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
+- while( rIStream.Tell() < nFirstPos + nLen )
++// rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + 4 + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
++// while( rIStream.Tell() < nFirstPos + nLen )
++ rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
++ while( rIStream.Tell() < nFirstPos + nRead )
+ {
+ String aKey, aValue;
+ rIStream.ReadByteString( aKey, RTL_TEXTENCODING_UTF8 );
+@@ -351,13 +359,12 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
+ else
+ pJobData->maValueMap[ aKey ] = aValue;
+ }
+- DBG_ASSERT( rIStream.Tell() == nFirstPos+nLen, "corrupted job setup" );
++ DBG_ASSERT( rIStream.Tell() == nFirstPos+nRead, "corrupted job setup" );
+ // ensure correct stream position
+- rIStream.Seek( nFirstPos + nLen );
++ rIStream.Seek( nFirstPos + nRead );
+ }
+ }
+ }
+- delete[] pTempBuf;
+ }
+
+ return rIStream;
+--
+1.9.1
+
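Review bot: The new `if (nRead >= sizeof(ImplOldJobSetupData))` check only guarantees the first struct fits in the heap buffer, yet the `JOBSET_FILE364_SYSTEM`/`JOBSET_FILE605_SYSTEM` branch still casts `pTempBuf.get() + sizeof( ImplOldJobSetupData )` to `Impl364JobSetupData*` and reads `nSize`, `nSystem` and `nDriverDataLen` through it, so a record whose nRead lies between sizeof(ImplOldJobSetupData) and the sum of both struct sizes reads past the end of pTempBuf. The condition on that branch should be tightened, e.g. `if ( (nSystem == JOBSET_FILE364_SYSTEM || nSystem == JOBSET_FILE605_SYSTEM) && nRead >= sizeof(ImplOldJobSetupData) + sizeof(Impl364JobSetupData) )`. `pJobData->mnDriverDataLen` is also file-supplied and feeds the `Seek` in the JOBSET_FILE605_SYSTEM block without being compared against nRead; whether the driver-data copy in the elided lines bounds it cannot be seen here. The body of `operator>>` starts and ends outside the hunk.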
diff --git a/patches/series b/patches/series
index 911966d..a31883b 100644
--- a/patches/series
+++ b/patches/series
@@ -65,3 +65,5 @@ i125386.diff
check-if-reads-were-successful.diff
tdf-86449.diff
LinkUpdateMode-is-a-global-setting.diff
+ww8dontwrap.diff
+coverity-1266485.diff
diff --git a/patches/ww8dontwrap.diff b/patches/ww8dontwrap.diff
new file mode 100644
index 0000000..cb3b0ac
--- /dev/null
+++ b/patches/ww8dontwrap.diff
@@ -0,0 +1,35 @@
+From d0e1f7de2313d2fc6d50ace007d81c654fd27c43 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 13 Jul 2015 10:31:30 +0100
+Subject: [PATCH] ww8: make sure we don't wrap around
+
+(cherry picked from commit 755b9320c81948358a1d4104c8875594b5700d39)
+Reviewed-on: https://gerrit.libreoffice.org/16981
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+
+Change-Id: I667bb264f92024b72f230c2ddbba3887471345f2
+DebianPatchName: ww8dontwrap.diff
+---
+ sw/source/filter/ww8/ww8scan.cxx | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
+index b149478..06993b4 100644
+--- a/sw/source/filter/ww8/ww8scan.cxx
++++ b/sw/source/filter/ww8/ww8scan.cxx
+@@ -1538,7 +1538,11 @@ WW8PLCFpcd* WW8ScannerBase::OpenPieceTable( SvStream* pStr, const WW8Fib* pWwF )
+ if( 2 == clxt ) // PLCFfpcd ?
+ break; // PLCFfpcd gefunden
+ if( 1 == clxt ) // clxtGrpprl ?
++ {
++ if (nGrpprl == SHRT_MAX)
++ return NULL;
+ nGrpprl++;
++ }
+ sal_uInt16 nLen(0);
+ *pStr >> nLen;
+ nLeft -= 2 + nLen;
+--
+1.9.1
+
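Review bot: The new `if (nGrpprl == SHRT_MAX) return NULL;` guard does not say why SHRT_MAX is the ceiling; nGrpprl is declared outside the hunk, so presumably it is a 16-bit signed counter, but a reader of the patch cannot tell whether the limit comes from the variable's type or from the CLX format. A one-line comment above the check, such as `// more clxtGrpprl entries than SHRT_MAX cannot be represented: treat the CLX as corrupt`, would make the bail-out self-explanatory. The following `nLeft -= 2 + nLen;` is untouched and still trusts the file-supplied nLen, so if nLeft is also a narrow type the wrap-around protection added here is only partial — worth confirming against nLeft's declaration. OpenPieceTable's body starts and ends outside the hunk.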