rpms/openoffice.org/F-7 workspace.sjfixes03.patch, NONE, 1.1 openoffice.org.spec, 1.1207, 1.1208
Caolan McNamara (caolanm)
fedora-extras-commits at redhat.com
Thu Apr 17 07:17:55 UTC 2008
Author: caolanm
Update of /cvs/pkgs/rpms/openoffice.org/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29155
Modified Files:
openoffice.org.spec
Added Files:
workspace.sjfixes03.patch
Log Message:
workspace.sjfixes03.patch
workspace.sjfixes03.patch:
--- NEW FILE workspace.sjfixes03.patch ---
Index: source/filter.vcl/wmf/enhwmf.cxx
===================================================================
RCS file: /cvs/util/svtools/source/filter.vcl/wmf/enhwmf.cxx,v
retrieving revision 1.35
retrieving revision 1.35.100.1
diff -u -r1.35 -r1.35.100.1
--- openoffice.org.orig/svtools/source/filter.vcl/wmf/enhwmf.cxx 3 Aug 2007 11:50:55 -0000 1.35
+++ openoffice.org/svtools/source/filter.vcl/wmf/enhwmf.cxx 22 Nov 2007 15:36:50 -0000 1.35.100.1
@@ -834,11 +834,12 @@
cxDest = abs( (int)cxDest ); // sj: i37894, size can be negative
cyDest = abs( (int)cyDest ); // and also 122889
- if ( offBmiSrc )
+ if ( (cbBitsSrc > (SAL_MAX_UINT32 - 14)) || ((SAL_MAX_UINT32 - 14) - cbBitsSrc < cbBmiSrc) )
+ bStatus = FALSE;
+ else
{
- UINT32 nSize = cbBmiSrc + cbBitsSrc + 14;
- char* pBuf = new char[ nSize ];
-
+ UINT32 nSize = cbBmiSrc + cbBitsSrc + 14;
+ char* pBuf = new char[ nSize ];
SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE );
aTmp.ObjectOwnsMemory( TRUE );
aTmp << (BYTE)'B'
@@ -854,17 +855,17 @@
aTmp.Seek( 0 );
aBitmap.Read( aTmp, TRUE );
- // test if it is sensible to crop
- if ( ( cxSrc > 0 ) && ( cySrc > 0 ) &&
- ( xSrc >= 0 ) && ( ySrc >= 0 ) &&
- ( xSrc + cxSrc <= aBitmap.GetSizePixel().Width() ) &&
- ( ySrc + cySrc <= aBitmap.GetSizePixel().Height() ) )
- {
- Rectangle aCropRect( Point( xSrc, ySrc ), Size( cxSrc, cySrc ) );
- aBitmap.Crop( aCropRect );
- }
+ // test if it is sensible to crop
+ if ( ( cxSrc > 0 ) && ( cySrc > 0 ) &&
+ ( xSrc >= 0 ) && ( ySrc >= 0 ) &&
+ ( xSrc + cxSrc <= aBitmap.GetSizePixel().Width() ) &&
+ ( ySrc + cySrc <= aBitmap.GetSizePixel().Height() ) )
+ {
+ Rectangle aCropRect( Point( xSrc, ySrc ), Size( cxSrc, cySrc ) );
+ aBitmap.Crop( aCropRect );
+ }
+ aBmpSaveList.Insert( new BSaveStruct( aBitmap, aRect, dwRop ), LIST_APPEND );
}
- aBmpSaveList.Insert( new BSaveStruct( aBitmap, aRect, dwRop ), LIST_APPEND );
}
break;
@@ -884,34 +885,38 @@
cxDest = abs( (int)cxDest ); // sj: i37894, size can be negative
cyDest = abs( (int)cyDest ); // and also 122889
- UINT32 nSize = cbBmiSrc + cbBitsSrc + 14;
- char* pBuf = new char[ nSize ];
- SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE );
- aTmp.ObjectOwnsMemory( TRUE );
- aTmp << (BYTE)'B'
- << (BYTE)'M'
- << (UINT32)cbBitsSrc
- << (UINT16)0
- << (UINT16)0
- << (UINT32)cbBmiSrc + 14;
- pWMF->Seek( nStart + offBmiSrc );
- pWMF->Read( pBuf + 14, cbBmiSrc );
- pWMF->Seek( nStart + offBitsSrc );
- pWMF->Read( pBuf + 14 + cbBmiSrc, cbBitsSrc );
- aTmp.Seek( 0 );
- aBitmap.Read( aTmp, TRUE );
-
- // test if it is sensible to crop
- if ( ( cxSrc > 0 ) && ( cySrc > 0 ) &&
- ( xSrc >= 0 ) && ( ySrc >= 0 ) &&
- ( xSrc + cxSrc <= aBitmap.GetSizePixel().Width() ) &&
- ( ySrc + cySrc <= aBitmap.GetSizePixel().Height() ) )
- {
- Rectangle aCropRect( Point( xSrc, ySrc ), Size( cxSrc, cySrc ) );
- aBitmap.Crop( aCropRect );
- }
+ if ( (cbBitsSrc > (SAL_MAX_UINT32 - 14)) || ((SAL_MAX_UINT32 - 14) - cbBitsSrc < cbBmiSrc) )
+ bStatus = FALSE;
+ else
+ {
+ UINT32 nSize = cbBmiSrc + cbBitsSrc + 14;
+ char* pBuf = new char[ nSize ];
+ SvMemoryStream aTmp( pBuf, nSize, STREAM_READ | STREAM_WRITE );
+ aTmp.ObjectOwnsMemory( TRUE );
+ aTmp << (BYTE)'B'
+ << (BYTE)'M'
+ << (UINT32)cbBitsSrc
+ << (UINT16)0
+ << (UINT16)0
+ << (UINT32)cbBmiSrc + 14;
+ pWMF->Seek( nStart + offBmiSrc );
+ pWMF->Read( pBuf + 14, cbBmiSrc );
+ pWMF->Seek( nStart + offBitsSrc );
+ pWMF->Read( pBuf + 14 + cbBmiSrc, cbBitsSrc );
+ aTmp.Seek( 0 );
+ aBitmap.Read( aTmp, TRUE );
- aBmpSaveList.Insert( new BSaveStruct( aBitmap, aRect, dwRop ), LIST_APPEND );
+ // test if it is sensible to crop
+ if ( ( cxSrc > 0 ) && ( cySrc > 0 ) &&
+ ( xSrc >= 0 ) && ( ySrc >= 0 ) &&
+ ( xSrc + cxSrc <= aBitmap.GetSizePixel().Width() ) &&
+ ( ySrc + cySrc <= aBitmap.GetSizePixel().Height() ) )
+ {
+ Rectangle aCropRect( Point( xSrc, ySrc ), Size( cxSrc, cySrc ) );
+ aBitmap.Crop( aCropRect );
+ }
+ aBmpSaveList.Insert( new BSaveStruct( aBitmap, aRect, dwRop ), LIST_APPEND );
+ }
}
break;
Index: source/filter/inc/qprostyle.hxx
===================================================================
RCS file: /cvs/sc/sc/source/filter/inc/qprostyle.hxx,v
retrieving revision 1.3
retrieving revision 1.3.224.1
diff -u -r1.3 -r1.3.224.1
--- openoffice.org.orig/sc/source/filter/inc/qprostyle.hxx 27 Feb 2007 12:35:22 -0000 1.3
+++ openoffice.org/sc/source/filter/inc/qprostyle.hxx 22 Nov 2007 11:00:25 -0000 1.3.224.1
@@ -52,25 +52,29 @@
class ScQProStyle
{
- sal_uInt8 maAlign[ 256 ];
- sal_uInt8 maFont[ 256 ];
- sal_uInt16 maFontRecord[ 256 ];
- sal_uInt16 maFontHeight[ 256 ];
- String maFontType[ 256 ];
- sal_uInt16 maFontLimit, maAlignLimit;
+ enum limits { maxsize = 256 };
+ sal_uInt8 maAlign[ maxsize ];
+ sal_uInt8 maFont[ maxsize ];
+ sal_uInt16 maFontRecord[ maxsize ];
+ sal_uInt16 maFontHeight[ maxsize ];
+ String maFontType[ maxsize ];
public:
ScQProStyle();
void SetFormat( ScDocument *pDoc, sal_uInt8 nCol, sal_uInt16 nRow, SCTAB nTab, sal_uInt16 nStyle );
- void setFontRecord( sal_uInt16 nIndex, sal_uInt16 nData, sal_uInt16 nPtSize )
+ void setFontRecord(sal_uInt16 nIndex, sal_uInt16 nData, sal_uInt16 nPtSize)
{
- maFontRecord[ nIndex ] = nData;
- maFontHeight[ nIndex ] = nPtSize;
+ if (nIndex < maxsize)
+ {
+ maFontRecord[ nIndex ] = nData;
+ maFontHeight[ nIndex ] = nPtSize;
+ }
}
- void setFontType( sal_uInt16 nIndex, String &aLabel ){ maFontType[ nIndex ] = aLabel; }
- void setAlign( sal_uInt16 nIndex, sal_uInt8 nData ) { maAlign[ nIndex ] = nData; }
- void setFont( sal_uInt16 nIndex, sal_uInt8 nData ) { maFont[ nIndex ] = nData; }
- void setFontLimit( sal_uInt16 nValue ) { maFontLimit = nValue; }
- void setAlignLimit( sal_uInt16 nValue ) { maAlignLimit = nValue; }
+ void setFontType( sal_uInt16 nIndex, String &aLabel )
+ { if (nIndex < maxsize) maFontType[ nIndex ] = aLabel; }
+ void setAlign( sal_uInt16 nIndex, sal_uInt8 nData )
+ { if (nIndex < maxsize) maAlign[ nIndex ] = nData; }
+ void setFont( sal_uInt16 nIndex, sal_uInt8 nData )
+ { if (nIndex < maxsize) maFont[ nIndex ] = nData; }
};
#endif
Index: source/filter/qpro/qpro.cxx
===================================================================
RCS file: /cvs/sc/sc/source/filter/qpro/qpro.cxx,v
retrieving revision 1.4
retrieving revision 1.4.224.1
diff -u -r1.4 -r1.4.224.1
--- openoffice.org.orig/sc/source/filter/qpro/qpro.cxx 27 Feb 2007 12:40:29 -0000 1.4
+++ openoffice.org/sc/source/filter/qpro/qpro.cxx 22 Nov 2007 11:00:25 -0000 1.4.224.1
@@ -56,6 +56,7 @@
FltError ScQProReader::readSheet( SCTAB nTab, ScDocument* pDoc, ScQProStyle *pStyle )
{
+ FltError eRet = eERR_OK;
sal_uInt8 nCol, nDummy;
sal_uInt16 nRow;
sal_uInt16 nStyle;
@@ -65,7 +66,7 @@
fprintf( stderr, "Read sheet (%d)\n", nTab );
#endif
- while( !bEndOfSheet && nextRecord() )
+ while( eERR_OK == eRet && !bEndOfSheet && nextRecord() )
{
switch( getId() )
{
@@ -116,17 +117,21 @@
ScAddress aAddr( nCol, nRow, nTab );
const ScTokenArray *pArray;
QProToSc aConv( *mpStream, aAddr );
- aConv.Convert( pArray, nLen );
- ScFormulaCell *pFormula = new ScFormulaCell( pDoc, aAddr, pArray );
- nStyle = nStyle >> 3;
- pFormula->AddRecalcMode( RECALCMODE_ONLOAD_ONCE );
- pStyle->SetFormat( pDoc, nCol, nRow, nTab, nStyle );
- pDoc->PutCell( nCol, nRow, nTab, pFormula, ( BOOL ) TRUE );
+ if (ConvOK != aConv.Convert( pArray, nLen ))
+ eRet = eERR_FORMAT;
+ else
+ {
+ ScFormulaCell *pFormula = new ScFormulaCell( pDoc, aAddr, pArray );
+ nStyle = nStyle >> 3;
+ pFormula->AddRecalcMode( RECALCMODE_ONLOAD_ONCE );
+ pStyle->SetFormat( pDoc, nCol, nRow, nTab, nStyle );
+ pDoc->PutCell( nCol, nRow, nTab, pFormula, ( BOOL ) TRUE );
+ }
}
break;
}
}
- return eERR_OK;
+ return eRet;
}
FltError ScImportQuattroPro( SfxMedium &rMedium, ScDocument *pDoc )
Index: source/filter/qpro/qproform.cxx
===================================================================
RCS file: /cvs/sc/sc/source/filter/qpro/qproform.cxx,v
retrieving revision 1.6
retrieving revision 1.6.130.1
diff -u -r1.6 -r1.6.130.1
--- openoffice.org.orig/sc/source/filter/qpro/qproform.cxx 6 Jul 2007 12:39:23 -0000 1.6
+++ openoffice.org/sc/source/filter/qpro/qproform.cxx 22 Nov 2007 11:00:25 -0000 1.6.130.1
@@ -212,6 +212,13 @@
rParam = aPool.Store();
}
+#define SAFEDEC_OR_RET(nRef, amt, ret) \
+do { \
+ if (nRef < amt)\
+ return ret; \
+ nRef-=amt; \
+} while(0)
+
ConvErr QProToSc::Convert( const ScTokenArray*& pArray, sal_uInt16 /*nLen*/, const FORMULA_TYPE /*eFT*/ )
{
sal_uInt8 nFmla[ nBufSize ], i, nArg, nArgArray[ nBufSize ];
@@ -242,7 +249,7 @@
{
maIn >> nInt;
nIntArray[ nIntCount ] = nInt;
- nRef-=2;
+ SAFEDEC_OR_RET(nRef, 2, ConvErrCount);
nIntCount++;
}
@@ -250,7 +257,7 @@
{
maIn >> nFloat;
nFloatArray[ nFloatCount ] = nFloat;
- nRef-=8;
+ SAFEDEC_OR_RET(nRef, 8, ConvErrCount);
nFloatCount++;
}
@@ -259,7 +266,7 @@
maIn >> nArg >> nDummy >> nDLLId;
nArgArray[ nArgCount ] = nArg;
nDLLArray[ nDLLCount ] = nDLLId;
- nRef-=5;
+ SAFEDEC_OR_RET(nRef, 5, ConvErrCount);
nDLLCount++;
nArgCount++;
}
@@ -268,7 +275,7 @@
String aTmp( ScfTools::ReadCString( maIn ), maIn.GetStreamCharSet() );
sStringArray[ nStringCount ] = aTmp;
nStringCount++;
- nRef-=aTmp.Len() + 1;
+ SAFEDEC_OR_RET(nRef, aTmp.Len() + 1, ConvErrCount);
}
}
}
Index: source/filter/qpro/qprostyle.cxx
===================================================================
RCS file: /cvs/sc/sc/source/filter/qpro/qprostyle.cxx,v
retrieving revision 1.5
retrieving revision 1.5.194.1
diff -u -r1.5 -r1.5.194.1
--- openoffice.org.orig/sc/source/filter/qpro/qprostyle.cxx 10 May 2007 16:51:04 -0000 1.5
+++ openoffice.org/sc/source/filter/qpro/qprostyle.cxx 22 Nov 2007 11:00:25 -0000 1.5.194.1
@@ -64,8 +64,7 @@
#include "document.hxx"
#include "cell.hxx"
-ScQProStyle::ScQProStyle() :
- maFontLimit(0), maAlignLimit(0)
+ScQProStyle::ScQProStyle()
{
rtl_fillMemory (maAlign, sizeof (maAlign), 0);
rtl_fillMemory (maFont, sizeof (maFont), 0);
@@ -75,6 +74,9 @@
void ScQProStyle::SetFormat( ScDocument *pDoc, sal_uInt8 nCol, sal_uInt16 nRow, SCTAB nTab, sal_uInt16 nStyle )
{
+ if (nStyle >= maxsize)
+ return;
+
ScPatternAttr aPattern(pDoc->GetPool());
SfxItemSet& rItemSet = aPattern.GetItemSet();
Index: util/sot/source/sdstor/stgelem.cxx
diff -u util/sot/source/sdstor/stgelem.cxx:1.9 util/sot/source/sdstor/stgelem.cxx:1.9.52.1
--- openoffice.org.orig/sot/source/sdstor/stgelem.cxx Sun Sep 17 09:09:48 2006
+++ openoffice.org/sot/source/sdstor/stgelem.cxx Wed Jan 9 02:38:20 2008
@@ -388,8 +388,11 @@
UINT16 n = nNameLen;
if( n )
n = ( n >> 1 ) - 1;
- if( n > 31 )
+ if( n > 31 || nSize < 0 )
+ {
+ // TODO/LATER: actually the size should be an unsigned value, but in this case it would mean a stream of more than 2Gb
return FALSE;
+ }
aName = String( nName, n );
// I don't know the locale, so en_US is hopefully fine
Index: openoffice.org.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openoffice.org/F-7/openoffice.org.spec,v
retrieving revision 1.1207
retrieving revision 1.1208
diff -u -r1.1207 -r1.1208
--- openoffice.org.spec 5 Apr 2008 13:01:02 -0000 1.1207
+++ openoffice.org.spec 17 Apr 2008 07:17:19 -0000 1.1208
@@ -1,6 +1,6 @@
%define oootag OOG680
%define ooomilestone 6
-%define rh_rpm_release 7
+%define rh_rpm_release 8
# undef to get english only and no-langpacks for a faster smoketest build
%define langpacks 1
@@ -139,6 +139,7 @@
Patch72: workspace.hsql1808.patch
Patch73: openoffice.org-2.3.1.ooo83878.unopkg.enablelinking.patch
Patch74: openoffice.org-2.4.0.ooo86080.unopkg.bodge.patch
+Patch75: workspace.sjfixes03.patch
%define instdir %{_libdir}/openoffice.org
@@ -1076,6 +1077,7 @@
%patch72 -p1 -b .workspace.hsql1808.patch
%patch73 -p1 -b .ooo83878.unopkg.enablelinking.patch
%patch74 -p1 -b .ooo86080.unopkg.bodge.patch
+%patch75 -p1 -b .workspace.sjfixes03.patch
%if %{linkopt}
chmod a+x solenv/bin/mklinkscript.pl
@@ -2783,6 +2785,9 @@
%{instdir}/share/registry/modules/org/openoffice/Office/Scripting/Scripting-python.xcu
%changelog
+* Thu Apr 17 2008 Caolan McNamara <caolanm at redhat.com> - 1:2.3.0-6.8
+- CVE-2007-5745, CVE-2007-5746, CVE-2007-5747, CVE-2008-0320
+
* Sat Apr 05 2008 Caolan McNamara <caolanm at redhat.com> - 1:2.3.0-6.7
- Resolves: rhbz#440650 mktemp has no --tmpdir on F-8
More information about the fedora-extras-commits
mailing list