[Libreoffice-commits] core.git: Branch 'libreoffice-5-3' - 2 commits - include/oox oox/source svtools/source

Michael Stahl mstahl at redhat.com
Thu Sep 14 16:05:29 UTC 2017


 include/oox/vml/vmlshapecontainer.hxx |    8 ++++----
 include/oox/vml/vmlshapecontext.hxx   |    9 +++++----
 oox/source/vml/vmlshapecontainer.cxx  |    4 ++--
 oox/source/vml/vmlshapecontext.cxx    |   30 ++++++++++++++++++------------
 svtools/source/svrtf/svparser.cxx     |    3 ++-
 5 files changed, 31 insertions(+), 23 deletions(-)

New commits:
commit 756949c06b8bf933bcd13a226f449b8909cbf3ae
Author: Michael Stahl <mstahl at redhat.com>
Date:   Thu Sep 7 23:01:26 2017 +0200

    svtools: HTML import: don't put lone surrogates in OUString
    
    The bytes "ed b3 b5" in fdo67610-1.doc (which, as the name indicates,
    is an HTML file) are converted to the lone UTF-16 surrogate "dcf5",
    which is inserted into SwTextNode and causes asserts later on.
    
    The actual encoding of the HTML document is probably GBK (at least
    VIM doesn't display any missing characters with that), but
    because it doesn't contain any indication of its encoding
    it's apparently imported as UTF-8; the ImplConvertUtf8ToUnicode()
    thinking a surrogate code point is valid even if the Java-compatible
    mode RTL_TEXTENCODING_JAVA_UTF8 is not specified is a bit of a
    surprise.
    
    [note: the master commit says "JSON-compatible mode" but i was
     confusing different text encoding perversions there]
    
    Change-Id: Idd788d9d461fed150171dd907439166f3075a834
    (cherry picked from commit fc670f637d4271246691904fd649358ce2e7be59)
    Reviewed-on: https://gerrit.libreoffice.org/42101
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/svtools/source/svrtf/svparser.cxx b/svtools/source/svrtf/svparser.cxx
index 0540e172be10..ca4f389b83b5 100644
--- a/svtools/source/svrtf/svparser.cxx
+++ b/svtools/source/svrtf/svparser.cxx
@@ -390,7 +390,8 @@ sal_uInt32 SvParser::GetNextChar()
         while( 0 == nChars  && !bErr );
     }
 
-    if ( ! rtl::isUnicodeCodePoint( c ) )
+    // Note: ImplConvertUtf8ToUnicode() may produce a surrogate!
+    if (!rtl::isUnicodeCodePoint(c) || rtl::isHighSurrogate(c) || rtl::isLowSurrogate(c))
         c = (sal_uInt32) '?' ;
 
     if( bErr )
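Review bot: The comment on the added check says only that ImplConvertUtf8ToUnicode() may produce a surrogate, not why that matters here, so the guard reads as optional. I would state the invariant instead, e.g. `// GetNextChar() must return a Unicode scalar value: a lone surrogate from ImplConvertUtf8ToUnicode() would end up unpaired in an OUString`. The substitution with '?' is also silent; a SAL_WARN at this point would make malformed input visible when triaging import problems. GetNextChar() begins and ends outside the hunk, so whether other decoding paths in it can leave an unpaired half in `c` cannot be judged from here.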
commit 7c7c19d80e6a6327be563a18febc3854d9a38daf
Author: Michael Stahl <mstahl at redhat.com>
Date:   Wed Sep 13 10:48:38 2017 +0200

    tdf#112311 oox: fix UAF of std::shared_ptr
    
    OOXMLFastContextHandlerShape::sendShape() deletes the parent context's
    ShapeTypeContext::mrTypeModel.
    
    It looks like the sendShape() can't be delayed because writerfilter
    wants to import the v:textbox content into a text frame.
    
    Keep the shape alive until the end of the containing context.
    
    Not sure if it's going to process the v:fill element properly,
    but at least valgrind is happy.
    
    (probably regression from CWS writerfilter32bugfixes01)
    
    Change-Id: Ifeab84751a1b20b2f272c4dd74b7097deb5eece0
    (cherry picked from commit 88c84e71e2559ec6d0b4f8c5101a149daa4a2b2b)
    Reviewed-on: https://gerrit.libreoffice.org/42245
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/include/oox/vml/vmlshapecontainer.hxx b/include/oox/vml/vmlshapecontainer.hxx
index 76e294fc279d..692beafad555 100644
--- a/include/oox/vml/vmlshapecontainer.hxx
+++ b/include/oox/vml/vmlshapecontainer.hxx
@@ -61,10 +61,10 @@ public:
     Drawing&     getDrawing() { return mrDrawing; }
 
     /** Creates and returns a new shape template object. */
-    ShapeType&          createShapeType();
+    std::shared_ptr<ShapeType> createShapeType();
     /** Creates and returns a new shape object of the specified type. */
     template< typename ShapeT >
-    ShapeT&             createShape();
+    std::shared_ptr<ShapeT> createShape();
 
     /** Final processing after import of the drawing fragment. */
     void                finalizeFragmentImport();
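Review bot: The doc comments on createShapeType() and createShape() still read "Creates and returns a new ...", which no longer tells a caller what the returned `std::shared_ptr` means for ownership. Going by the definitions later in this commit, the container keeps its own copy in maTypes/maShapes and the return value is a second owner. I would say so, e.g. `/** Creates a new shape template object; the container retains it and the returned pointer shares ownership. */`, with the same wording on createShape(). The class declaration starts outside the hunk.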
@@ -123,11 +123,11 @@ private:
 
 
 template< typename ShapeT >
-ShapeT& ShapeContainer::createShape()
+std::shared_ptr<ShapeT> ShapeContainer::createShape()
 {
     std::shared_ptr< ShapeT > xShape( new ShapeT( mrDrawing ) );
     maShapes.push_back( xShape );
-    return *xShape;
+    return xShape;
 }
 
 template< typename Functor >
diff --git a/include/oox/vml/vmlshapecontext.hxx b/include/oox/vml/vmlshapecontext.hxx
index 1c1565b62397..14533b8b35ab 100644
--- a/include/oox/vml/vmlshapecontext.hxx
+++ b/include/oox/vml/vmlshapecontext.hxx
@@ -99,7 +99,7 @@ class ShapeTypeContext : public ShapeContextBase
 public:
     explicit            ShapeTypeContext(
                             ::oox::core::ContextHandler2Helper& rParent,
-                            ShapeType& rShapeType,
+                            std::shared_ptr<ShapeType> const& pShapeType,
                             const AttributeList& rAttribs );
 
     virtual ::oox::core::ContextHandlerRef
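Review bot: ShapeTypeContext takes the shape as `std::shared_ptr<ShapeType> const&`, while the ShapeContext, GroupShapeContext and RectangleShapeContext constructors in the following hunks take their `std::shared_ptr` by value, so each level of the constructor chain copies the pointer before the base finally stores it. Picking one convention would read better: either `const&` throughout (the derived-to-base conversion still binds to a temporary), or by value with `std::move` into `m_pShapeType`. This is style only; the lifetime behaviour is the same either way. The class declarations start outside these hunks.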
@@ -113,6 +113,7 @@ private:
     OptValue< OUString > decodeFragmentPath( const AttributeList& rAttribs, sal_Int32 nToken ) const;
 
 private:
+    std::shared_ptr<ShapeType> m_pShapeType;
     ShapeTypeModel&     mrTypeModel;
 };
 
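Review bot: `m_pShapeType` is declared without a comment, yet it is what keeps `mrTypeModel` valid and, going by the constructor hunks in vmlshapecontext.cxx, also the `mrShape`, `mrShapeModel` and `mrShapes` references held by the derived contexts. That invariant is easy to break in a later cleanup, since removing the apparently unused member would bring the use-after-free back. I would document it at the declaration: `// owns the shape: mrTypeModel and the derived contexts' references point into it (tdf#112311)`. Keeping it declared before `mrTypeModel`, as here, also means it is destroyed after the reference member.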
@@ -122,7 +123,7 @@ class ShapeContext : public ShapeTypeContext
 public:
     explicit            ShapeContext(
                             ::oox::core::ContextHandler2Helper& rParent,
-                            ShapeBase& rShape,
+                            std::shared_ptr<ShapeBase> pShape,
                             const AttributeList& rAttribs );
 
     virtual ::oox::core::ContextHandlerRef
@@ -155,7 +156,7 @@ class GroupShapeContext : public ShapeContext
 public:
     explicit            GroupShapeContext(
                             ::oox::core::ContextHandler2Helper& rParent,
-                            GroupShape& rShape,
+                            std::shared_ptr<GroupShape> pShape,
                             const AttributeList& rAttribs );
 
     virtual ::oox::core::ContextHandlerRef
@@ -172,7 +173,7 @@ public:
     explicit            RectangleShapeContext(
                             ::oox::core::ContextHandler2Helper& rParent,
                             const AttributeList& rAttribs,
-                            RectangleShape& rShape );
+                            std::shared_ptr<RectangleShape> pShape);
 
     virtual ::oox::core::ContextHandlerRef
                         onCreateContext( sal_Int32 nElement, const AttributeList& rAttribs ) override;
diff --git a/oox/source/vml/vmlshapecontainer.cxx b/oox/source/vml/vmlshapecontainer.cxx
index 055365202d5d..31359f862fba 100644
--- a/oox/source/vml/vmlshapecontainer.cxx
+++ b/oox/source/vml/vmlshapecontainer.cxx
@@ -59,11 +59,11 @@ ShapeContainer::~ShapeContainer()
 {
 }
 
-ShapeType& ShapeContainer::createShapeType()
+std::shared_ptr<ShapeType> ShapeContainer::createShapeType()
 {
     std::shared_ptr< ShapeType > xShape( new ShapeType( mrDrawing ) );
     maTypes.push_back( xShape );
-    return *xShape;
+    return xShape;
 }
 
 void ShapeContainer::finalizeFragmentImport()
diff --git a/oox/source/vml/vmlshapecontext.cxx b/oox/source/vml/vmlshapecontext.cxx
index dc654223aca6..0ed9ea735049 100644
--- a/oox/source/vml/vmlshapecontext.cxx
+++ b/oox/source/vml/vmlshapecontext.cxx
@@ -266,9 +266,12 @@ ContextHandlerRef ShapeContextBase::createShapeContext( ContextHandler2Helper& r
     return nullptr;
 }
 
-ShapeTypeContext::ShapeTypeContext( ContextHandler2Helper& rParent, ShapeType& rShapeType, const AttributeList& rAttribs ) :
-    ShapeContextBase( rParent ),
-    mrTypeModel( rShapeType.getTypeModel() )
+ShapeTypeContext::ShapeTypeContext(ContextHandler2Helper& rParent,
+        std::shared_ptr<ShapeType> const& pShapeType,
+        const AttributeList& rAttribs)
+    : ShapeContextBase(rParent)
+    , m_pShapeType(pShapeType) // tdf#112311 keep it alive
+    , mrTypeModel( pShapeType->getTypeModel() )
 {
     // shape identifier and shape name
     bool bHasOspid = rAttribs.hasAttribute( O_TOKEN( spid ) );
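Review bot: `mrTypeModel( pShapeType->getTypeModel() )` dereferences the pointer in the initializer list with nothing checking it, where the old `ShapeType&` signature could not express a null argument. The same holds for `*pShape` and `pShape->getShapeModel()` in ShapeContext and for `pShape->getChildren()` in GroupShapeContext. The factories shown in this commit always return a freshly constructed object, so this looks safe for the visible callers, but the constructors are declared in an exported header. I would document the precondition on the declarations, e.g. `@param pShapeType  must not be null; kept alive for the lifetime of this context`. The constructor body continues outside the hunk.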
@@ -429,10 +432,11 @@ void ShapeTypeContext::setStyle( const OUString& rStyle )
     }
 }
 
-ShapeContext::ShapeContext( ContextHandler2Helper& rParent, ShapeBase& rShape, const AttributeList& rAttribs ) :
-    ShapeTypeContext( rParent, rShape, rAttribs ),
-    mrShape( rShape ),
-    mrShapeModel( rShape.getShapeModel() )
+ShapeContext::ShapeContext(ContextHandler2Helper& rParent,
+        std::shared_ptr<ShapeBase> pShape, const AttributeList& rAttribs)
+    : ShapeTypeContext( rParent, pShape, rAttribs )
+    , mrShape( *pShape )
+    , mrShapeModel( pShape->getShapeModel() )
 {
     // collect shape specific attributes
     mrShapeModel.maType = rAttribs.getXString( XML_type, OUString() );
@@ -519,9 +523,10 @@ void ShapeContext::setVmlPath( const OUString& rPath )
         mrShapeModel.maVmlPath = rPath;
 }
 
-GroupShapeContext::GroupShapeContext( ContextHandler2Helper& rParent, GroupShape& rShape, const AttributeList& rAttribs ) :
-    ShapeContext( rParent, rShape, rAttribs ),
-    mrShapes( rShape.getChildren() )
+GroupShapeContext::GroupShapeContext(ContextHandler2Helper& rParent,
+        std::shared_ptr<GroupShape> pShape, const AttributeList& rAttribs)
+    : ShapeContext( rParent, pShape, rAttribs )
+    , mrShapes( pShape->getChildren() )
 {
 }
 
@@ -533,8 +538,9 @@ ContextHandlerRef GroupShapeContext::onCreateContext( sal_Int32 nElement, const
     return xContext.get() ? xContext : ShapeContext::onCreateContext( nElement, rAttribs );
 }
 
-RectangleShapeContext::RectangleShapeContext( ContextHandler2Helper& rParent, const AttributeList& rAttribs, RectangleShape& rShape ) :
-    ShapeContext( rParent, rShape, rAttribs )
+RectangleShapeContext::RectangleShapeContext(ContextHandler2Helper& rParent,
+        const AttributeList& rAttribs, std::shared_ptr<RectangleShape> pShape)
+    : ShapeContext( rParent, pShape, rAttribs )
 {
 }
 

