[libreoffice] 01/03: various lwp fixes
Rene Engelhard
rene at moszumanska.debian.org
Thu Jul 27 19:17:20 UTC 2017
This is an automated email from the git hooks/post-receive script.
rene pushed a commit to tag libreoffice_4.2.8_0ubuntu5
in repository libreoffice.
commit 9479bb808a4af33cf473d7ad877d3654114d51a0
Author: Bjoern Michaelsen <bjoern.michaelsen at canonical.com>
Date: Tue Feb 9 16:38:48 2016 +0100
various lwp fixes
---
changelog | 6 ++++++
patches/lwpfix1.diff | 30 ++++++++++++++++++++++++++++++
patches/lwpfix2.diff | 45 +++++++++++++++++++++++++++++++++++++++++++++
patches/lwpfix3.diff | 42 ++++++++++++++++++++++++++++++++++++++++++
patches/lwpfix4.diff | 41 +++++++++++++++++++++++++++++++++++++++++
patches/lwpfix5.diff | 42 ++++++++++++++++++++++++++++++++++++++++++
patches/series | 5 +++++
7 files changed, 211 insertions(+)
diff --git a/changelog b/changelog
index a3bd098..9b339a9 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,9 @@
+libreoffice (1:4.2.8-0ubuntu4~wily1) trusty; urgency=medium
+
+ * various lwp fixes
+
+ -- Bjoern Michaelsen <bjoern.michaelsen at canonical.com> Tue, 09 Feb 2016 16:34:59 +0100
+
libreoffice (1:4.2.8-0ubuntu3) trusty-security; urgency=medium
* Rebuild as security update
diff --git a/patches/lwpfix1.diff b/patches/lwpfix1.diff
new file mode 100644
index 0000000..b4d829b
--- /dev/null
+++ b/patches/lwpfix1.diff
@@ -0,0 +1,30 @@
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm at redhat.com>
+Date: Tue, 8 Dec 2015 14:20:52 +0000
+Subject: [PATCH] guard against corrupt m_nNumTabs
+
+Change-Id: I41b8514a127d463ac951e5855f09416fa0456b1b
+---
+ lotuswordpro/source/filter/lwptabrack.cxx | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lotuswordpro/source/filter/lwptabrack.cxx b/lotuswordpro/source/filter/lwptabrack.cxx
+--- a/lotuswordpro/source/filter/lwptabrack.cxx
++++ b/lotuswordpro/source/filter/lwptabrack.cxx
+@@ -87,11 +87,12 @@ LwpTabRack::LwpTabRack(LwpObjectHeader objHdr, LwpSvStream* pStrm):LwpObject(obj
+
+ void LwpTabRack::Read()
+ {
+-// LwpObjectID m_NextID;
+ m_NextID.ReadIndexed(m_pObjStrm);
+
+ m_nNumTabs = m_pObjStrm->QuickReaduInt16();
+- for( int i=0; i<m_nNumTabs; i++ )
++ if (m_nNumTabs > MaxTabs)
++ throw std::out_of_range("corrupt LwpTabRack");
++ for (int i=0; i<m_nNumTabs; ++i)
+ {
+ m_aTabs[i].Read(m_pObjStrm);
+ m_pObjStrm->SkipExtra();
+--
+2.5.0
+
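Review bot: In the inner lwptabrack.cxx hunk the new guard compares `m_nNumTabs` with `MaxTabs`, but the loop writes into `m_aTabs`, whose declaration is outside the hunk, so the guard only holds if that array has exactly `MaxTabs` elements. Assuming `m_aTabs` is a plain array, tying the bound to the array itself, as the RootData and SilverBullet patches in this series do, removes that assumption: `if (m_nNumTabs > SAL_N_ELEMENTS(m_aTabs))`. A short comment such as `// m_nNumTabs comes from the file; it must not exceed the tab array` would record why the throw is there. `LwpTabRack::Read()` continues past the end of the hunk, and the code that catches the exception is not visible here.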
diff --git a/patches/lwpfix2.diff b/patches/lwpfix2.diff
new file mode 100644
index 0000000..e5a788a
--- /dev/null
+++ b/patches/lwpfix2.diff
@@ -0,0 +1,45 @@
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm at redhat.com>
+Date: Wed, 9 Dec 2015 11:28:52 +0000
+Subject: [PATCH] guard against corrupt RootData
+
+(cherry picked from commit fc943ea85a7924ce0552b08eef99ed8e02f0b965)
+Reviewed-on: https://gerrit.libreoffice.org/20496
+Reviewed-by: David Tardon <dtardon at redhat.com>
+Tested-by: David Tardon <dtardon at redhat.com>
+
+Change-Id: Iad2788a7e5e7ee3b3107eab37cde2d3d38eae005
+---
+ lotuswordpro/source/filter/lwpidxmgr.cxx | 5 ++++-
+ lotuswordpro/source/filter/lwptabrack.cxx | 2 +-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lotuswordpro/source/filter/lwpidxmgr.cxx b/lotuswordpro/source/filter/lwpidxmgr.cxx
+--- a/lotuswordpro/source/filter/lwpidxmgr.cxx
++++ b/lotuswordpro/source/filter/lwpidxmgr.cxx
+@@ -155,7 +155,10 @@ void LwpIndexManager::ReadRootData(LwpObjectStream* pObjStrm)
+ sal_uInt16 KeyCount = pObjStrm->QuickReaduInt16();
+ m_nLeafCount = KeyCount ? KeyCount + 1 : 0;
+
+- if(KeyCount)
++ if (m_nLeafCount > SAL_N_ELEMENTS(m_ChildIndex))
++ throw std::range_error("corrupt RootData");
++
++ if (KeyCount)
+ {
+ //read object keys
+ LwpKey* akey = new LwpKey();
+diff --git a/lotuswordpro/source/filter/lwptabrack.cxx b/lotuswordpro/source/filter/lwptabrack.cxx
+--- a/lotuswordpro/source/filter/lwptabrack.cxx
++++ b/lotuswordpro/source/filter/lwptabrack.cxx
+@@ -91,7 +91,7 @@ void LwpTabRack::Read()
+
+ m_nNumTabs = m_pObjStrm->QuickReaduInt16();
+ if (m_nNumTabs > MaxTabs)
+- throw std::out_of_range("corrupt LwpTabRack");
++ throw std::range_error("corrupt LwpTabRack");
+ for (int i=0; i<m_nNumTabs; ++i)
+ {
+ m_aTabs[i].Read(m_pObjStrm);
+--
+2.5.0
+
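Review bot: In `LwpIndexManager::ReadRootData` the new check runs after `m_nLeafCount` has already been assigned from the file, so when the exception is thrown the member still holds the rejected count. Validating before assigning would keep the object consistent for anything that inspects it after the failure. The type of `m_nLeafCount` is not visible in the hunk: if it is only 16 bits wide, a `KeyCount` of 0xFFFF makes the stored value wrap to 0, the check passes, and the `if (KeyCount)` branch is still entered. Comparing the value read from the stream avoids both issues, for example `if (KeyCount >= SAL_N_ELEMENTS(m_ChildIndex)) throw std::range_error("corrupt RootData");` placed before the assignment. The function body continues outside the hunk.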
diff --git a/patches/lwpfix3.diff b/patches/lwpfix3.diff
new file mode 100644
index 0000000..a36b3b9
--- /dev/null
+++ b/patches/lwpfix3.diff
@@ -0,0 +1,42 @@
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm at redhat.com>
+Date: Wed, 9 Dec 2015 11:56:52 +0000
+Subject: [PATCH] guard against corrupt ObjIndexData
+
+(cherry picked from commit c88a23b9d44118e96de41a70ab7f87eb0aafb126)
+Reviewed-on: https://gerrit.libreoffice.org/20502
+Reviewed-by: David Tardon <dtardon at redhat.com>
+Tested-by: David Tardon <dtardon at redhat.com>
+
+Change-Id: I214991e5d34c8e335cdd8ea482f8fa4913ba637b
+---
+ lotuswordpro/source/filter/lwpidxmgr.cxx | 2 +-
+ lotuswordpro/source/filter/lwpobjstrm.cxx | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lotuswordpro/source/filter/lwpidxmgr.cxx b/lotuswordpro/source/filter/lwpidxmgr.cxx
+--- a/lotuswordpro/source/filter/lwpidxmgr.cxx
++++ b/lotuswordpro/source/filter/lwpidxmgr.cxx
+@@ -218,7 +218,7 @@ void LwpIndexManager::ReadObjIndexData(LwpObjectStream* pObjStrm)
+ vObjIndexs[k]->offset = pObjStrm->QuickReaduInt32();
+
+ for (k = 0; k < LeafCount; k++)
+- m_TempVec[k] = pObjStrm->QuickReaduInt32();
++ m_TempVec.at(k) = pObjStrm->QuickReaduInt32();
+ }
+
+ for( sal_uInt16 j=0; j<LeafCount; j++ )
+diff --git a/lotuswordpro/source/filter/lwpobjstrm.cxx b/lotuswordpro/source/filter/lwpobjstrm.cxx
+--- a/lotuswordpro/source/filter/lwpobjstrm.cxx
++++ b/lotuswordpro/source/filter/lwpobjstrm.cxx
+@@ -170,7 +170,7 @@ sal_uInt16 LwpObjectStream::QuickRead(void* buf, sal_uInt16 len)
+ memset(buf, 0, len);
+ if( len > m_nBufSize - m_nReadPos )
+ {
+- assert(false);
++ SAL_WARN("lwp", "read request longer than buffer");
+ len = m_nBufSize - m_nReadPos;
+ }
+ if( m_pContentBuf && len)
+--
+2.5.0
+
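Review bot: `m_TempVec.at(k)` in `ReadObjIndexData` reports an overrun as `std::out_of_range`, whereas the preceding patch in this series switched the explicit guards to `std::range_error`. The two derive from different bases (`std::logic_error` and `std::runtime_error`), so a handler written for the explicit guards may not catch this one; the handler is not visible here and is worth checking. Checking once before the loop in the same style as the other guards would keep the exception type uniform, assuming `m_TempVec` is a standard container: `if (LeafCount > m_TempVec.size()) throw std::range_error("corrupt ObjIndexData");`. The context line `vObjIndexs[k]->offset = ...` just above still indexes unchecked, and whether `vObjIndexs` is sized from `LeafCount` lies outside the hunk. In `QuickRead` the over-long request is now truncated with only a warning, so callers receive the zero-filled tail of `buf` unless they compare the returned length.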
diff --git a/patches/lwpfix4.diff b/patches/lwpfix4.diff
new file mode 100644
index 0000000..599c89b
--- /dev/null
+++ b/patches/lwpfix4.diff
@@ -0,0 +1,41 @@
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm at redhat.com>
+Date: Wed, 9 Dec 2015 12:09:37 +0000
+Subject: [PATCH] guard against corrupt SilverBullet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(cherry picked from commit 36d55980b1b3498fecc460d3c46667e5f5a17b8e)
+Reviewed-on: https://gerrit.libreoffice.org/20504
+Reviewed-by: Caolán McNamara <caolanm at redhat.com>
+Tested-by: Caolán McNamara <caolanm at redhat.com>
+(cherry picked from commit d387a99fce3f96f4fcd60c70909292255f12840f)
+
+Change-Id: I3af47ab3af5e28a865a77a592f6a92edb46e4f2b
+Reviewed-on: https://gerrit.libreoffice.org/20506
+Reviewed-by: David Tardon <dtardon at redhat.com>
+Tested-by: David Tardon <dtardon at redhat.com>
+Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
+Reviewed-by: Michael Meeks <michael.meeks at collabora.com>
+---
+ lotuswordpro/source/filter/lwpsilverbullet.cxx | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lotuswordpro/source/filter/lwpsilverbullet.cxx b/lotuswordpro/source/filter/lwpsilverbullet.cxx
+--- a/lotuswordpro/source/filter/lwpsilverbullet.cxx
++++ b/lotuswordpro/source/filter/lwpsilverbullet.cxx
+@@ -93,7 +93,10 @@ void LwpSilverBullet::Read()
+
+ sal_uInt16 nNumPos = m_pObjStrm->QuickReaduInt16();
+
+- for (sal_uInt8 nC = 0; nC < nNumPos; nC++)
++ if (nNumPos > SAL_N_ELEMENTS(m_pResetPositionFlags))
++ throw std::range_error("corrupt SilverBullet");
++
++ for (sal_uInt16 nC = 0; nC < nNumPos; nC++)
+ m_pResetPositionFlags[nC] = m_pObjStrm->QuickReaduInt8();
+
+ m_nUseCount = m_pObjStrm->QuickReaduInt32();
+--
+2.5.0
+
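Review bot: `SAL_N_ELEMENTS(m_pResetPositionFlags)` in `LwpSilverBullet::Read` is a valid bound only if the member is declared as a fixed-size array. The `m_p` prefix reads like a pointer and the declaration is outside this hunk, so that should be confirmed against the header. Widening the loop counter from `sal_uInt8` to `sal_uInt16` is what lets the loop terminate for any 16-bit `nNumPos`, and a comment such as `// nNumPos is read from the file; counter must be as wide as the count` would stop it being narrowed again. `Read()` continues past the end of the hunk.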
diff --git a/patches/lwpfix5.diff b/patches/lwpfix5.diff
new file mode 100644
index 0000000..a7036db
--- /dev/null
+++ b/patches/lwpfix5.diff
@@ -0,0 +1,42 @@
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm at redhat.com>
+Date: Thu, 10 Dec 2015 12:59:21 +0000
+Subject: [PATCH] guard against corrupt LwpTocSuperLayout
+
+Change-Id: I18648e74d16b932cfa6fbd2057d1e9987c498fd4
+---
+ lotuswordpro/source/filter/lwptoc.cxx | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lotuswordpro/source/filter/lwptoc.cxx b/lotuswordpro/source/filter/lwptoc.cxx
+--- a/lotuswordpro/source/filter/lwptoc.cxx
++++ b/lotuswordpro/source/filter/lwptoc.cxx
+@@ -101,17 +101,22 @@ void LwpTocSuperLayout::Read()
+
+ m_SearchItems.Read(m_pObjStrm);
+
+- sal_uInt16 i;
+ sal_uInt16 count = m_pObjStrm->QuickReaduInt16();
+- for (i = 0; (i < MAX_LEVELS) && (count > 0); i++, count--)
++ if (count > MAX_LEVELS)
++ throw std::range_error("corrupt LwpTocSuperLayout");
++ for (sal_uInt16 i = 0; i < count; ++i)
+ m_DestName[i].Read(m_pObjStrm);
+
+ count = m_pObjStrm->QuickReaduInt16();
+- for (i = 0; (i < MAX_LEVELS) && (count > 0); i++, count--)
++ if (count > MAX_LEVELS)
++ throw std::range_error("corrupt LwpTocSuperLayout");
++ for (sal_uInt16 i = 0; i < count; ++i)
+ m_DestPGName[i].Read(m_pObjStrm);
+
+ count = m_pObjStrm->QuickReaduInt16();
+- for (i = 0; i < count; i++)
++ if (count > MAX_LEVELS)
++ throw std::range_error("corrupt LwpTocSuperLayout");
++ for (sal_uInt16 i = 0; i < count; ++i)
+ m_nFlags[i] = m_pObjStrm->QuickReaduInt32();
+
+ m_pObjStrm->SkipExtra();
+--
+2.5.0
+
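Review bot: All three new guards in `LwpTocSuperLayout::Read` compare `count` with `MAX_LEVELS`, but the third loop writes `m_nFlags`, and the old code bounded only the `m_DestName` and `m_DestPGName` loops by `MAX_LEVELS`. Nothing in the hunk shows that `m_nFlags` has that dimension. Bounding each loop by its own array, as the RootData and SilverBullet patches do, avoids relying on it, assuming these are plain arrays: `if (count > SAL_N_ELEMENTS(m_nFlags))`. The first two loops also change behaviour, since a count above `MAX_LEVELS` used to be clamped and is now rejected. That is a reasonable choice for a corrupt file but deserves a line in the patch description.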
diff --git a/patches/series b/patches/series
index c87d8d9..f959558 100644
--- a/patches/series
+++ b/patches/series
@@ -40,3 +40,8 @@ LinkUpdateMode-is-a-global-setting.diff
ww8dontwrap.diff
coverity-1266485.diff
pstatus-vector.diff
+lwpfix1.diff
+lwpfix2.diff
+lwpfix3.diff
+lwpfix4.diff
+lwpfix5.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openoffice/libreoffice.git