[Libreoffice-commits] core.git: Branch 'distro/collabora/cd-5.3' - 41 commits - accessibility/source download.lst external/expat filter/source hwpfilter/source lotuswordpro/source sal/textenc sc/qa sc/source sd/source svl/source svx/source sw/inc sw/qa sw/source vcl/source vcl/win xmloff/source

Caolán McNamara caolanm at redhat.com
Fri Mar 2 11:33:24 UTC 2018


 accessibility/source/extended/accessibletabbarbase.cxx            |    2 
 download.lst                                                      |    4 
 external/expat/StaticLibrary_expat.mk                             |    1 
 external/expat/StaticLibrary_expat_x64.mk                         |    1 
 external/expat/UnpackedTarball_expat.mk                           |    1 
 filter/source/graphicfilter/icgm/class4.cxx                       |    6 
 filter/source/graphicfilter/icgm/class7.cxx                       |   45 ++++--
 filter/source/graphicfilter/idxf/dxftblrd.cxx                     |    9 +
 filter/source/graphicfilter/itiff/itiff.cxx                       |    9 -
 hwpfilter/source/drawing.h                                        |    2 
 hwpfilter/source/hinfo.h                                          |    5 
 hwpfilter/source/hiodev.cxx                                       |    3 
 hwpfilter/source/hpara.cxx                                        |   23 +--
 hwpfilter/source/hpara.h                                          |    4 
 hwpfilter/source/hwpfile.cxx                                      |   41 ++++--
 hwpfilter/source/hwpfile.h                                        |    4 
 hwpfilter/source/hwpread.cxx                                      |    7 +
 hwpfilter/source/hwpreader.cxx                                    |    2 
 lotuswordpro/source/filter/lwpchangemgr.cxx                       |    2 
 lotuswordpro/source/filter/lwpfrib.cxx                            |   18 ++
 lotuswordpro/source/filter/lwpfrib.hxx                            |    4 
 sal/textenc/tcvtkr6.tab                                           |    6 
 sc/qa/unit/data/slk/pass/numfmt-2.slk                             |    1 
 sc/qa/unit/data/slk/pass/numfmt.slk                               |    2 
 sc/source/core/tool/compiler.cxx                                  |    9 +
 sc/source/filter/inc/formel.hxx                                   |   30 +++-
 sc/source/ui/docshell/impex.cxx                                   |   30 ++++
 sd/source/ui/dlg/sdpreslt.cxx                                     |    2 
 svl/source/numbers/zforscan.cxx                                   |   38 +++--
 svx/source/unodraw/unoshape.cxx                                   |    3 
 sw/inc/redline.hxx                                                |    3 
 sw/qa/core/data/odt/fail/82fff64a-0a21-4b09-bbdc-2914a5a150f0.odt |binary
 sw/qa/core/data/odt/pass/tdf112017.odt                            |binary
 sw/qa/core/data/odt/pass/tdf112101.odt                            |binary
 sw/source/core/doc/DocumentRedlineManager.cxx                     |   68 ++++------
 sw/source/core/doc/docredln.cxx                                   |   12 -
 sw/source/core/inc/DocumentRedlineManager.hxx                     |    1 
 sw/source/core/text/frmform.cxx                                   |   15 +-
 sw/source/filter/ww8/ww8graf.cxx                                  |    2 
 sw/source/filter/ww8/ww8par.cxx                                   |   10 -
 sw/source/filter/ww8/ww8par.hxx                                   |   10 -
 sw/source/filter/ww8/ww8par2.cxx                                  |   36 +++--
 sw/source/filter/ww8/ww8par3.cxx                                  |    6 
 sw/source/filter/ww8/ww8par6.cxx                                  |    4 
 sw/source/filter/ww8/ww8scan.cxx                                  |   61 ++++++--
 sw/source/filter/ww8/ww8scan.hxx                                  |   11 -
 sw/source/uibase/dbui/dbtree.cxx                                  |    6 
 sw/source/uibase/docvw/srcedtw.cxx                                |    3 
 sw/source/uibase/shells/textfld.cxx                               |    2 
 vcl/source/filter/ixpm/xpmread.cxx                                |    3 
 vcl/source/gdi/pngread.cxx                                        |    8 -
 vcl/win/gdi/salfont.cxx                                           |    6 
 xmloff/source/style/xmlnumfi.cxx                                  |    5 
 xmloff/source/text/txtparai.cxx                                   |    5 
 54 files changed, 391 insertions(+), 200 deletions(-)

New commits:
commit c21ff57a2783097c156fec2aca46fa4c09cb27e6
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Tue Feb 28 12:32:07 2017 +0000

    backport various ofz findings
    
    hwp: avoid low hanging invalid input
    
    Change-Id: I06133d6db14edb9d915c38e4c120a9d0905495dd
    (cherry picked from commit b9483aacadf443e57f7708f8db64aeeba4666f2a)
    
    ofz#711: direct leak
    
    Change-Id: I65ec47b4290d845f1803b20b93f149d35d9a60ea
    (cherry picked from commit 86463ec54dcdc562121bdb57b1ac4e85b135b2df)
    
    ofz: ReadBlock has to be HWPIDLen to be useful
    
    Change-Id: Iaa349921972bb19b40bf68c6a3b0c7128cff4b8d
    (cherry picked from commit 425572b9d510cee805dc4160d7e81887d8f27577)
    
    ofz: oom in reading hwp data
    
    Change-Id: I1e4dc5f474b229d4d68d3fc34bc23c88767e5e50
    (cherry picked from commit 76201c60a9162804b502726a0150ca925ee08719)
    
    Missing include
    
    Change-Id: I2fb82e3c5a9b26b1016cf99e943cf0cc30225495
    (cherry picked from commit 64cca8d6237ef90c3b222df36de257dbb859d99e)
    
    ofz#860 clear old data before reading new data
    
    Change-Id: I3bf5c2072a328052004c4c0551c2b125cb8ab19b
    Reviewed-on: https://gerrit.libreoffice.org/35165
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit 65dcd1d8195069c8c8acb3a188b8e5616c51029c)
    
    treat ParaShape like CharShape
    
    (cherry picked from commit 00aeabb61d1d535684b05145bcc98a8d8a3e10ab)
    
    Change-Id: I7870fdeee6bd097c94d7ae58b67506c4ab2a6fb5
    Reviewed-on: https://gerrit.libreoffice.org/39651
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Jenkins <ci at libreoffice.org>
    (cherry picked from commit 4f949e1c3f6a378eb9c04bc7107b8972815661ea)

diff --git a/hwpfilter/source/hinfo.h b/hwpfilter/source/hinfo.h
index d16da5d09013..7f1eee0657c7 100644
--- a/hwpfilter/source/hinfo.h
+++ b/hwpfilter/source/hinfo.h
@@ -23,6 +23,8 @@
 #include "hwplib.h"
 #include "string.h"
 
+#include <vector>
+
 #define CHAIN_MAX_PATH  40
 #define ANNOTATION_LEN  24
 
@@ -77,7 +79,7 @@ struct PaperBackInfo
     int range; /* 0-????, 1-????????, 3-??????, 4-?????? */
     char reserved3[27];
     int size;
-    char *data;        // image data
+    std::vector<char> data;        // image data
     bool isset;
     PaperBackInfo()
         : type(0)
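Review bot: switching `data` from `char *` to `std::vector<char>` means any remaining `delete[]` or `new char[]` on PaperBackInfo::data outside this hunk (a destructor or a reset path is not shown here) must be removed as well, otherwise it will not compile or will free memory the vector owns; a grep for raw uses of `back_info.data` beyond the sites in this series is worth doing before merge.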
@@ -87,7 +89,6 @@ struct PaperBackInfo
         , flag(0)
         , range(0)
         , size(0)
-        , data(nullptr)
         , isset(false)
     {
         memset(reserved1, 0, sizeof(reserved1));
diff --git a/hwpfilter/source/hpara.cxx b/hwpfilter/source/hpara.cxx
index cce909ead16e..a9a6fa2c147f 100644
--- a/hwpfilter/source/hpara.cxx
+++ b/hwpfilter/source/hpara.cxx
@@ -57,10 +57,10 @@ void LineInfo::Read(HWPFile & hwpf, HWPPara *pPara)
 
     if( pex >> 15 & 0x01 )
     {
-          if( pex & 0x01 )
-                hwpf.AddPage();
-        pPara->pshape.reserved[0] = sal::static_int_cast<unsigned char>(pex & 0x01);
-        pPara->pshape.reserved[1] = sal::static_int_cast<unsigned char>(pex & 0x02);
+        if (pex & 0x01)
+            hwpf.AddPage();
+        pPara->pshape->reserved[0] = sal::static_int_cast<unsigned char>(pex & 0x01);
+        pPara->pshape->reserved[1] = sal::static_int_cast<unsigned char>(pex & 0x02);
     }
 }
 
@@ -76,10 +76,11 @@ HWPPara::HWPPara()
     , ctrlflag(0)
     , pstyno(0)
     , cshape(new CharShape)
+    , pshape(new ParaShape)
     , linfo(nullptr)
 {
     memset(cshape.get(), 0, sizeof(CharShape));
-    memset(&pshape, 0, sizeof(pshape));
+    memset(pshape.get(), 0, sizeof(ParaShape));
 }
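Review bot: `memset(pshape.get(), 0, sizeof(ParaShape))` on a heap-allocated object is only well defined if ParaShape is trivially copyable; the same pattern is already used for CharShape on the line above, but now that ParaShape is held through a shared_ptr it would be cleaner to give ParaShape a constructor that value-initialises its members and drop both memsets, which also avoids wiping a vtable or a `std::` member should one be added later.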
 
 HWPPara::~HWPPara()
@@ -109,9 +110,9 @@ bool HWPPara::Read(HWPFile & hwpf, unsigned char flag)
 /* Paragraph paragraphs shape  */
     if (nch && !reuse_shape)
     {
-        pshape.Read(hwpf);
-        pshape.cshape = cshape.get();
-        pshape.pagebreak = etcflag;
+        pshape->Read(hwpf);
+        pshape->cshape = cshape.get();
+        pshape->pagebreak = etcflag;
     }
 
     linfo = ::comphelper::newArray_null<LineInfo>(nline);
@@ -125,8 +126,8 @@ bool HWPPara::Read(HWPFile & hwpf, unsigned char flag)
      }
 
     if (nch && !reuse_shape){
-         if( pshape.coldef.ncols > 1 ){
-             hwpf.SetColumnDef( &pshape.coldef );
+         if( pshape->coldef.ncols > 1 ) {
+             hwpf.SetColumnDef(&(pshape->coldef));
          }
      }
 
@@ -173,7 +174,7 @@ bool HWPPara::Read(HWPFile & hwpf, unsigned char flag)
         if (hhstr[ii]->hh == CH_END_PARA)
             break;
           if( hhstr[ii]->hh < CH_END_PARA )
-                pshape.reserved[0] = 0;
+                pshape->reserved[0] = 0;
         ii += hhstr[ii]->WSize();
     }
     return nch && !hwpf.State();
diff --git a/hwpfilter/source/hpara.h b/hwpfilter/source/hpara.h
index b598c201b569..9810853e4245 100644
--- a/hwpfilter/source/hpara.h
+++ b/hwpfilter/source/hpara.h
@@ -104,7 +104,7 @@ class DLLEXPORT HWPPara
         unsigned long     ctrlflag;
         unsigned char     pstyno;
         std::shared_ptr<CharShape> cshape;                     /* When characters are all the same shape */
-        ParaShape     pshape;                     /* if reuse flag is 0, */
+        std::shared_ptr<ParaShape> pshape;                     /* if reuse flag is 0, */
 
         LineInfo      *linfo;
         std::vector<std::shared_ptr<CharShape>>   cshapep;
@@ -128,7 +128,7 @@ class DLLEXPORT HWPPara
 /**
  * Returns the style of paragraph.
  */
-        ParaShape& GetParaShape(void) { return pshape;}
+        ParaShape& GetParaShape(void) { return *pshape; }
 
 /**
  * Returns next paragraph.
diff --git a/hwpfilter/source/hwpfile.cxx b/hwpfilter/source/hwpfile.cxx
index 96395da5c6da..326c428d98f7 100644
--- a/hwpfilter/source/hwpfile.cxx
+++ b/hwpfilter/source/hwpfile.cxx
@@ -19,6 +19,7 @@
 
 #include "precompile.h"
 
+#include <algorithm>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -124,7 +125,7 @@ int HWPFile::Open(HStream * stream)
 
     char idstr[HWPIDLen];
 
-    if (ReadBlock(idstr, HWPIDLen) <= 0
+    if (ReadBlock(idstr, HWPIDLen) < HWPIDLen
         || HWP_V30 != (version = detect_hwp_version(idstr)))
     {
         return SetState(HWP_UNSUPPORTED_VERSION);
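Review bot: requiring a full `HWPIDLen` read is the right fix, since a short read previously left the tail of `idstr` uninitialised before `detect_hwp_version` inspected it; one thing to confirm is ReadBlock's return type, because if it returns a signed value on error and HWPIDLen is an unsigned constant, the comparison is done unsigned and a negative error return would pass the `< HWPIDLen` test.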
@@ -261,9 +262,9 @@ bool HWPFile::ReadParaList(std::list < HWPPara* > &aplist, unsigned char flag)
                      spNode->reuse_shape = 0;
                 }
         }
-          spNode->pshape.pagebreak = spNode->etcflag;
-          if( spNode->nch )
-                AddParaShape( &spNode->pshape );
+        spNode->pshape->pagebreak = spNode->etcflag;
+        if (spNode->nch)
+            AddParaShape(spNode->pshape);
 
         if (!aplist.empty())
             aplist.back()->SetNext(spNode.get());
@@ -347,8 +348,30 @@ void HWPFile::TagsRead()
                      if (!Read4b(_hwpInfo.back_info.size))
                         return;
 
-                     _hwpInfo.back_info.data = new char[(unsigned int)_hwpInfo.back_info.size];
-                     ReadBlock(_hwpInfo.back_info.data, _hwpInfo.back_info.size);
+                     if (_hwpInfo.back_info.size < 0)
+                     {
+                        _hwpInfo.back_info.size = 0;
+                        return;
+                     }
+
+                     _hwpInfo.back_info.data.clear();
+
+                     //read potentially compressed data in blocks as its more
+                     //likely large values are simply broken and we'll run out
+                     //of data before we need to realloc
+                     for (int i = 0; i < _hwpInfo.back_info.size; i+= SAL_MAX_UINT16)
+                     {
+                        int nOldSize = _hwpInfo.back_info.data.size();
+                        size_t nBlock = std::min<int>(SAL_MAX_UINT16, _hwpInfo.back_info.size - nOldSize);
+                        _hwpInfo.back_info.data.resize(nOldSize + nBlock);
+                        size_t nReadBlock = ReadBlock(_hwpInfo.back_info.data.data() + nOldSize, nBlock);
+                        if (nBlock != nReadBlock)
+                        {
+                            _hwpInfo.back_info.data.resize(nOldSize + nReadBlock);
+                            break;
+                        }
+                     }
+                     _hwpInfo.back_info.size = _hwpInfo.back_info.data.size();
 
                      if( _hwpInfo.back_info.size > 0 )
                           _hwpInfo.back_info.type = 2;
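Review bot: `size_t nReadBlock = ReadBlock(...)` needs a guard against a negative error return; the Open() hunk earlier in this patch tests `ReadBlock(...) <= 0`, which suggests ReadBlock can return a value below zero, and storing that in a `size_t` yields a huge count, so `data.resize(nOldSize + nReadBlock)` would then attempt an enormous allocation instead of truncating. Clamping the return to zero before the comparison (for example `size_t nReadBlock = std::max<int>(0, ReadBlock(...))`) keeps the intended "stop at the data we actually got" behaviour. Minor: the loop variable `i` and `nOldSize` track the same byte offset, so one of them could go.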
@@ -450,7 +473,7 @@ ParaShape *HWPFile::getParaShape(int index)
 {
     if (index < 0 || static_cast<unsigned int>(index) >= pslist.size())
         return nullptr;
-    return pslist[index];
+    return pslist[index].get();
 }
 
 CharShape *HWPFile::getCharShape(int index)
@@ -495,7 +518,7 @@ Table *HWPFile::getTable(int index)
     return tables[index];
 }
 
-void HWPFile::AddParaShape(ParaShape * pshape)
+void HWPFile::AddParaShape(std::shared_ptr<ParaShape>& pshape)
 {
     int nscount = 0;
     for(int j = 0 ; j < MAXTABS-1 ; j++)
@@ -516,7 +539,7 @@ void HWPFile::AddParaShape(ParaShape * pshape)
     if( nscount )
         pshape->tabs[MAXTABS-1].type = sal::static_int_cast<char>(nscount);
 
-    int value = compareParaShape(pshape);
+    int value = compareParaShape(pshape.get());
 
     if( value == 0 || nscount )
     {
diff --git a/hwpfilter/source/hwpfile.h b/hwpfilter/source/hwpfile.h
index 7f3d29f80225..d58faa569a7b 100644
--- a/hwpfilter/source/hwpfile.h
+++ b/hwpfilter/source/hwpfile.h
@@ -212,7 +212,7 @@ class DLLEXPORT HWPFile
         void AddPage(){ m_nCurrentPage++;}
         void AddColumnInfo();
         void SetColumnDef(ColumnDef *coldef);
-        void AddParaShape(ParaShape *);
+        void AddParaShape(std::shared_ptr<ParaShape>&);
         void AddCharShape(std::shared_ptr<CharShape>&);
         void AddFBoxStyle(FBoxStyle *);
         void AddDateFormat(DateCode *);
@@ -283,7 +283,7 @@ class DLLEXPORT HWPFile
         std::list<EmPicture*> emblist;
         std::list<HyperText*> hyperlist;
         int currenthyper;
-        std::vector<ParaShape*> pslist;             /* 스타오피스의 구조상 필요 */
+        std::vector<std::shared_ptr<ParaShape>> pslist;             /* 스타오피스의 구조상 필요 */
         std::vector<std::shared_ptr<CharShape>> cslist;
         std::vector<FBoxStyle*> fbslist;
         std::vector<DateCode*> datecodes;
diff --git a/hwpfilter/source/hwpreader.cxx b/hwpfilter/source/hwpreader.cxx
index e3315a60231e..cf18962469c3 100644
--- a/hwpfilter/source/hwpreader.cxx
+++ b/hwpfilter/source/hwpreader.cxx
@@ -1737,7 +1737,7 @@ void HwpReader::makePageStyle()
              if( hwpinfo.back_info.type == 2 ){
                  rstartEl("office:binary-data", mxList.get());
                  mxList->clear();
-                 std::shared_ptr<char> pStr(base64_encode_string(reinterpret_cast<unsigned char *>(hwpinfo.back_info.data), hwpinfo.back_info.size ), Free<char>());
+                 std::shared_ptr<char> pStr(base64_encode_string(reinterpret_cast<unsigned char *>(hwpinfo.back_info.data.data()), hwpinfo.back_info.size ), Free<char>());
                  rchars(ascii(pStr.get()));
                  rendEl("office:binary-data");
              }
commit 72bbbcd3dafb4b88180c8a14f554f845c0e6f2af
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Jul 6 08:51:01 2017 +0100

    ofz: stay inside string
    
    Change-Id: Ia0d0ddfce4ee3d5f8763be6804fe52c514375bb3
    Reviewed-on: https://gerrit.libreoffice.org/39629
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit 073a2b2aef5c0b579aea8ed203dd9c1c5790b650)
    Reviewed-on: https://gerrit.libreoffice.org/39645
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Jenkins <ci at libreoffice.org>
    (cherry picked from commit e2be5d28877a817ae302b3dca7af2f71597a912f)

diff --git a/sw/source/filter/ww8/ww8par3.cxx b/sw/source/filter/ww8/ww8par3.cxx
index 58a27bba8ac1..7b1c37c76bdf 100644
--- a/sw/source/filter/ww8/ww8par3.cxx
+++ b/sw/source/filter/ww8/ww8par3.cxx
@@ -234,7 +234,7 @@ eF_ResT SwWW8ImplReader::Read_F_FormListBox( WW8FieldDesc* pF, OUString& rStr)
 {
     WW8FormulaListBox aFormula(*this);
 
-    if (rStr[pF->nLCode-1]==0x01)
+    if (pF->nLCode > 0 && rStr.getLength() >= pF->nLCode && rStr[pF->nLCode-1] == 0x01)
         ImportFormulaControl(aFormula,pF->nSCode+pF->nLCode-1, WW8_CT_DROPDOWN);
 
     const SvtFilterOptions& rOpt = SvtFilterOptions::Get();
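Review bot: the new guard bounds the `rStr[pF->nLCode-1]` read correctly (a zero or oversized nLCode no longer indexes outside the string), but the offset `pF->nSCode+pF->nLCode-1` handed to ImportFormulaControl is not range-checked in this hunk; worth confirming the callee validates it against the text it indexes, or adding the check here next to the one just introduced.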
commit b4a6288f4e104e87b31d8e6f9e7173b6f4b69eff
Author: Michael Stahl <mstahl at redhat.com>
Date:   Fri Jun 30 15:23:15 2017 +0200

    tdf#108838 accessibility: fix horrible memory leak in AccessibleTabBarBase
    
    Reproducing tdf#108833 failed because applying the Master Page takes
    > 2 hours; the time is spent calling vcl::Window listeners, of which
    there were some 39525 after a couple minutes, almost all of which
    AccessibleTabBarBase.
    
    AccessibleTabBarBase::WindowEventListener() has an inverted condition
    that suppresses the event that is generated from TabBar::Clear()
    and thus when DrawViewShell::ResetActualPage() calls Clear() no
    AccessibleTabBarPage is removed but then the InsertPage() calls create
    duplicate objects that again register as listeners.
    
    The condition is obviously inverted given the CVS commit message:
    
    1.2.88.1
    log
    @#135353# do not pass VCLEVENT_TABBAR_PAGEREMOVED (all) to objects other than AccessibleTabBarPageList
    @
    text
    a69 8
    
            if( ( pWinEvent->GetId() == VCLEVENT_TABBAR_PAGEREMOVED ) &&
                ( (sal_uInt16)(sal_IntPtr) pWinEvent->GetData() == TAB_PAGE_NOTFOUND ) &&
                ( dynamic_cast< AccessibleTabBarPageList *> (this) != NULL ) )
            {
                return 0;
            }
    
    Change-Id: I2a3b86bbd0f0251a966f41b316a3b313517df24f
    (cherry picked from commit b2b085441dc79fb78607dbf1969c12a40db58214)
    Reviewed-on: https://gerrit.libreoffice.org/39416
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Noel Grandin <noel.grandin at collabora.co.uk>
    Reviewed-by: Eike Rathke <erack at redhat.com>
    (cherry picked from commit 5f345e3a19bf7cad56951ed90fdf78f03a15b96a)

diff --git a/accessibility/source/extended/accessibletabbarbase.cxx b/accessibility/source/extended/accessibletabbarbase.cxx
index f75d4572a789..b137da3acdd5 100644
--- a/accessibility/source/extended/accessibletabbarbase.cxx
+++ b/accessibility/source/extended/accessibletabbarbase.cxx
@@ -50,7 +50,7 @@ IMPL_LINK( AccessibleTabBarBase, WindowEventListener, VclWindowEvent&, rEvent, v
 
     if( ( rEvent.GetId() == VCLEVENT_TABBAR_PAGEREMOVED ) &&
         ( (sal_uInt16)reinterpret_cast<sal_IntPtr>(rEvent.GetData()) == TabBar::PAGE_NOT_FOUND ) &&
-        ( dynamic_cast< AccessibleTabBarPageList *> (this) != nullptr ) )
+        (dynamic_cast<AccessibleTabBarPageList *>(this) == nullptr))
     {
         return;
     }
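Review bot: the condition now returns early for every listener that is not an AccessibleTabBarPageList, which is what the quoted CVS message describes and explains why the page-removed event never reached the page list and the objects kept accumulating; while touching this line, the C-style `(sal_uInt16)` cast on the preceding line could become `static_cast<sal_uInt16>` for consistency with the `reinterpret_cast` beside it. A regression test that clears a TabBar and asserts the listener count drops would guard against this being re-inverted.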
commit 89a956e73826d5202e78616fa4e355baf76024ba
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Jul 27 21:23:49 2017 +0100

    ofz#2759 null dereference
    
    (cherry picked from commit 6f5841e60ed29ae2577e63623edacc9fe1467ba5)
    
    Change-Id: I23671f0cea592c92a05b34b3cf284a47a73962b1
    Reviewed-on: https://gerrit.libreoffice.org/40506
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Jenkins <ci at libreoffice.org>
    (cherry picked from commit 26222c3baca76eaed5f45dde4592a059e0e4a85d)

diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 81fbe705c5f8..83b8a5fbb1a8 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -435,14 +435,16 @@ long SwWW8ImplReader::Read_Footnote(WW8PLCFManResult* pRes)
     if (eEDN == pRes->nSprmId)
     {
         aDesc.meType = MAN_EDN;
-        if (m_pPlcxMan->GetEdn())
-            aDesc.mbAutoNum = 0 != *static_cast<short const *>(m_pPlcxMan->GetEdn()->GetData());
+        WW8PLCFx_SubDoc* pEndNote = m_pPlcxMan->GetEdn();
+        if (const void* pData = pEndNote ? pEndNote->GetData() : nullptr)
+            aDesc.mbAutoNum = 0 != *static_cast<short const*>(pData);
     }
     else
     {
         aDesc.meType = MAN_FTN;
-        if (m_pPlcxMan->GetFootnote())
-            aDesc.mbAutoNum = 0 != *static_cast<short const *>(m_pPlcxMan->GetFootnote()->GetData());
+        WW8PLCFx_SubDoc* pFootNote = m_pPlcxMan->GetFootnote();
+        if (const void* pData = pFootNote ? pFootNote->GetData() : nullptr)
+            aDesc.mbAutoNum = 0 != *static_cast<short const*>(pData);
     }
 
     aDesc.mnStartCp = pRes->nCp2OrIdx;
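Review bot: the two new blocks are identical apart from the accessor called, so a small helper such as `static bool lcl_GetAutoNum(WW8PLCFx_SubDoc* pSub, bool& rAutoNum)` that returns false when either the sub-document or its data is null would remove the duplicated null-and-deref logic and keep the two branches from drifting apart; the fix itself is correct, `GetData()` was dereferenced without a check before.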
commit fc24049eb094a089a7de06ee73faf73c7ac02372
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Jul 28 11:53:46 2017 +0100

    ofz: survive missing macro support
    
    Change-Id: Ica9c66fe09f7340f76f62e536527dc63b3735d90
    (cherry picked from commit aa529a1957fce324c500753039ae7766b8dcf6a6)
    Reviewed-on: https://gerrit.libreoffice.org/40523
    Reviewed-by: Eike Rathke <erack at redhat.com>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit a9a1306266e2fc67e8ac3029584d7a264fe37ff0)

diff --git a/sc/source/core/tool/compiler.cxx b/sc/source/core/tool/compiler.cxx
index 77760218215a..d183044245f6 100644
--- a/sc/source/core/tool/compiler.cxx
+++ b/sc/source/core/tool/compiler.cxx
@@ -3339,6 +3339,9 @@ bool ScCompiler::IsMacro( const OUString& rName )
         return false;
     }
 
+    if (!pObj)
+        return false;
+
     // ODFF recommends to store user-defined functions prefixed with "USER.",
     // use only unprefixed name if encountered. BASIC doesn't allow '.' in a
     // function name so a function "USER.FOO" could not exist, and macro check
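Review bot: the `pObj` null guard lands after an unrelated early return, and with only three lines of context it is not visible whether `pObj` is dereferenced between its assignment and this point; if it is, the check needs to move up to immediately after the assignment, otherwise the "missing macro support" case still crashes before reaching it.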
commit a0ade7d174615e46583066728f8ddc0c80326b1d
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Aug 3 17:24:32 2017 +0100

    Resolves: tdf#111308 crash after load designs with no design selected
    
    Change-Id: Ia7d5e1d0c4c960700d94cfec01a8a01799f89d9a
    Reviewed-on: https://gerrit.libreoffice.org/40732
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit e325a5442ab350e8eb66458aed98d38ce21aec06)
    Reviewed-on: https://gerrit.libreoffice.org/40750
    Reviewed-by: Markus Mohrhard <markus.mohrhard at googlemail.com>
    (cherry picked from commit 2b4ebf00d21f6305966c78f82336f9ac76425804)

diff --git a/sd/source/ui/dlg/sdpreslt.cxx b/sd/source/ui/dlg/sdpreslt.cxx
index e406177a91ec..2652baeaa930 100644
--- a/sd/source/ui/dlg/sdpreslt.cxx
+++ b/sd/source/ui/dlg/sdpreslt.cxx
@@ -120,7 +120,7 @@ void SdPresLayoutDlg::GetAttr(SfxItemSet& rOutAttrs)
     {
         aLayoutName = maName + "#" + maLayoutNames[ nId - 1 ];
     }
-    else
+    else if (nId)
     {
         aLayoutName = maLayoutNames[ nId - 1 ];
         if( aLayoutName == maStrNone )
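Review bot: `else if (nId)` protects the second `maLayoutNames[ nId - 1 ]` lookup, but the first branch on line 531 indexes `maLayoutNames[ nId - 1 ]` as well, and its condition is outside the hunk; please confirm that condition already excludes `nId == 0`, otherwise the same underflow remains reachable there. When `nId` is zero `aLayoutName` is now left at its previous value, which should be fine as long as the caller treats an empty name as "no design selected".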
commit c6dab7b17c832336a921c1198622fe0baef3467d
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Aug 3 14:03:27 2017 +0100

    CVE-2017-11742: Expat 2.2.3
    
    Reviewed-on: https://gerrit.libreoffice.org/40718
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit f680e5a441cecba4d238f031fc417ef3bccfd792)
    
    Change-Id: I1a1de789eaa5a78d2dc0e41ef861d10fa97b689b
    Reviewed-on: https://gerrit.libreoffice.org/40749
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Markus Mohrhard <markus.mohrhard at googlemail.com>
    (cherry picked from commit 2351570154e43fe919e5b9dd756bbe13a6b9c60d)

diff --git a/download.lst b/download.lst
index ba8f7321a739..208af14b95c4 100644
--- a/download.lst
+++ b/download.lst
@@ -33,8 +33,8 @@ export EPM_TARBALL := 3ade8cfe7e59ca8e65052644fed9fca4-epm-3.7.tar.gz
 export ETONYEK_MD5SUM := 77ff46936dcc83670557274e7dd2aa33
 export ETONYEK_VERSION_MICRO := 6
 export ETONYEK_TARBALL := libetonyek-0.1.$(ETONYEK_VERSION_MICRO).tar.bz2
-export EXPAT_MD5SUM := d9c3baeab58774cefc2f04faf29f2cf8
-export EXPAT_TARBALL := expat-2.2.1.tar.bz2
+export EXPAT_MD5SUM := f053af63ef5f39bd9b78d01fbc203334
+export EXPAT_TARBALL := expat-2.2.3.tar.bz2
 export FIREBIRD_MD5SUM := 821260b61dafc22899d1464d4e91ee6a
 export FIREBIRD_TARBALL := Firebird-3.0.0.32483-0.tar.bz2
 export FONTCONFIG_MD5SUM := 733f5e2371ca77b69707bd7b30cc2163
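Review bot: the bump to expat 2.2.3 for CVE-2017-11742 is straightforward, but the tarball is still pinned only by an MD5 sum; MD5 detects a corrupted download yet offers no collision resistance, so a tampered tarball with a matching digest is feasible for an attacker who controls a mirror. Recording a SHA-256 alongside (or instead of) the MD5 for new entries would make the pin meaningful as a supply-chain control rather than an integrity check.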
diff --git a/external/expat/StaticLibrary_expat.mk b/external/expat/StaticLibrary_expat.mk
index 4d6957f9ef52..5a7d43d6c9bd 100644
--- a/external/expat/StaticLibrary_expat.mk
+++ b/external/expat/StaticLibrary_expat.mk
@@ -48,6 +48,7 @@ $(eval $(call gb_StaticLibrary_add_cflags,expat,\
 ))
 
 $(eval $(call gb_StaticLibrary_add_generated_cobjects,expat,\
+	UnpackedTarball/expat/lib/loadlibrary \
 	UnpackedTarball/expat/lib/xmlparse \
 	UnpackedTarball/expat/lib/xmlrole \
 	UnpackedTarball/expat/lib/xmltok \
diff --git a/external/expat/StaticLibrary_expat_x64.mk b/external/expat/StaticLibrary_expat_x64.mk
index a38ba28c80dd..4f92d0fb284e 100644
--- a/external/expat/StaticLibrary_expat_x64.mk
+++ b/external/expat/StaticLibrary_expat_x64.mk
@@ -25,6 +25,7 @@ $(eval $(call gb_StaticLibrary_add_defs,expat_x64,\
 ))
 
 $(eval $(call gb_StaticLibrary_add_x64_generated_cobjects,expat_x64,\
+	UnpackedTarball/expat/lib/loadlibrary_x64 \
 	UnpackedTarball/expat/lib/xmlparse_x64 \
 	UnpackedTarball/expat/lib/xmltok_x64 \
 	UnpackedTarball/expat/lib/xmlrole_x64 \
diff --git a/external/expat/UnpackedTarball_expat.mk b/external/expat/UnpackedTarball_expat.mk
index 60e933d76090..f90fc8552568 100644
--- a/external/expat/UnpackedTarball_expat.mk
+++ b/external/expat/UnpackedTarball_expat.mk
@@ -24,6 +24,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,expat,\
 
 $(eval $(call gb_UnpackedTarball_set_post_action,expat,\
 	$(if $(filter $(BUILD_X64),TRUE),         \
+	  cp lib/loadlibrary.c lib/loadlibrary_x64.c && \
 	  cp lib/xmlparse.c lib/xmlparse_x64.c && \
 	  cp lib/xmltok.c lib/xmltok_x64.c     && \
 	  cp lib/xmlrole.c lib/xmlrole_x64.c) \
commit fdb9db49eb9a0b51f70f7848f0e5dd3708cfce7c
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Jul 28 10:07:50 2017 +0100

    ofz#2766 ensure palette is large enough for all colors
    
    Change-Id: I4669b473f5975ac74a37025f7c936f13bcfea420
    Reviewed-on: https://gerrit.libreoffice.org/40513
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit 133010a0efc8715f95e0ea0f66c22352dd55654a)

diff --git a/filter/source/graphicfilter/itiff/itiff.cxx b/filter/source/graphicfilter/itiff/itiff.cxx
index db1ddccd1e64..7031d7daee30 100644
--- a/filter/source/graphicfilter/itiff/itiff.cxx
+++ b/filter/source/graphicfilter/itiff/itiff.cxx
@@ -1111,7 +1111,7 @@ void TIFFReader::MakePalCol()
 {
     if ( nDstBitsPerPixel <= 8 )
     {
-        sal_uLong i, nVal, n0RGB;
+        sal_uLong nVal, n0RGB;
         if  ( pColorMap == nullptr )
             pColorMap = new sal_uLong[ 256 ];
         if ( nPhotometricInterpretation <= 1 )
@@ -1124,8 +1124,8 @@ void TIFFReader::MakePalCol()
                 SAL_WARN("filter.tiff", "palette has less entries that largest index used. Expanding palette to match");
                 nNumColors = nLargestPixelIndex + 1;
             }
-            pAcc->SetPaletteEntryCount( (sal_uInt16)nNumColors );
-            for ( i = 0; i < nNumColors; i++ )
+
+            for (sal_uLong i = 0; i < nNumColors; ++i)
             {
                 nVal = ( i * 255 / ( nNumColors - 1 ) ) & 0xff;
                 n0RGB = nVal | ( nVal << 8 ) | ( nVal << 16 );
@@ -1135,7 +1135,8 @@ void TIFFReader::MakePalCol()
                     pColorMap[ nNumColors - i - 1 ] = n0RGB;
             }
         }
-        for ( i = 0; i < nNumColors; i++ )
+        pAcc->SetPaletteEntryCount(std::max<sal_uInt16>(nNumColors, pAcc->GetPaletteEntryCount()));
+        for (sal_uLong i = 0; i < nNumColors; ++i)
         {
             pAcc->SetPaletteColor( (sal_uInt16)i, BitmapColor( (sal_uInt8)( pColorMap[ i ] >> 16 ),
                 (sal_uInt8)( pColorMap[ i ] >> 8 ), (sal_uInt8)pColorMap[ i ] ) );
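Review bot: `std::max` needs `<algorithm>`, and the hunk does not add the include, so this relies on a transitive include; please add it explicitly. Also `std::max<sal_uInt16>(nNumColors, ...)` narrows the `sal_uLong nNumColors` to 16 bits; that is safe under the `nDstBitsPerPixel <= 8` guard at the top of the function (at most 256 entries), but a comment saying so would stop the next reader from worrying about truncation when `nNumColors` has just been enlarged to `nLargestPixelIndex + 1`.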
commit b111e88c1b983209d3a0fbc58018326f39d021e5
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Aug 3 14:37:30 2017 +0100

    ofz#2846 null deref
    
    Change-Id: I88b61d7a4faaed118db8df6f99cef08310c1f2eb
    Reviewed-on: https://gerrit.libreoffice.org/40726
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit c349ea47a72c92d39aed4649afe493dc7911229e)

diff --git a/hwpfilter/source/hwpread.cxx b/hwpfilter/source/hwpread.cxx
index 608fd0371da2..72aee0f3974a 100644
--- a/hwpfilter/source/hwpread.cxx
+++ b/hwpfilter/source/hwpread.cxx
@@ -431,6 +431,13 @@ bool Picture::Read(HWPFile & hwpf)
     UpdateBBox(this);
     if( pictype != PICTYPE_DRAW )
         style.cell = reserved3;
+    else
+    {
+        //picinfo.picun read above is unioned with
+        //picinfo.picdraw and so wrote to the hdo pointer
+        //value, which is definitely not useful to us
+        picinfo.picdraw.hdo = nullptr;
+    }
 
     if (follow_block_size != 0)
     {
commit c71e3d07490a0bd14958abd80ea3d448626a497b
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Wed Aug 2 09:39:43 2017 +0100

    Resolves: ofz#2833 null deref
    
    Change-Id: I021a716aa76d430a1d3c6fac2dddec4daa01e563
    Reviewed-on: https://gerrit.libreoffice.org/40669
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit 40ca8f569c9c7f24e94af3688ff32f5679c2f8f8)

diff --git a/sc/qa/unit/data/slk/pass/numfmt.slk b/sc/qa/unit/data/slk/pass/numfmt.slk
new file mode 100644
index 000000000000..85ea7b65c8f2
--- /dev/null
+++ b/sc/qa/unit/data/slk/pass/numfmt.slk
@@ -0,0 +1,2 @@
+
+P;Pÿ                           s  ÿ0                                                                  0
\ No newline at end of file
diff --git a/svl/source/numbers/zforscan.cxx b/svl/source/numbers/zforscan.cxx
index d9dd9a69e294..4098fc9e85b3 100644
--- a/svl/source/numbers/zforscan.cxx
+++ b/svl/source/numbers/zforscan.cxx
@@ -2350,17 +2350,20 @@ sal_Int32 ImpSvNumberformatScan::FinalScan( OUString& rString )
                         nTypeArray[i] = NF_SYMBOLTYPE_DIGIT;
                         OUString& rStr = sStrArray[i];
                         i++;
-                        nPos = nPos + sStrArray[i].getLength();
-                        nCounter++;
-                        while (i < nAnzStrings &&
-                               sStrArray[i][0] == '0')
+                        if (i < nAnzStrings)
                         {
-                            rStr += sStrArray[i];
                             nPos = nPos + sStrArray[i].getLength();
-                            nTypeArray[i] = NF_SYMBOLTYPE_EMPTY;
-                            nAnzResStrings--;
                             nCounter++;
-                            i++;
+                            while (i < nAnzStrings &&
+                                   sStrArray[i][0] == '0')
+                            {
+                                rStr += sStrArray[i];
+                                nPos = nPos + sStrArray[i].getLength();
+                                nTypeArray[i] = NF_SYMBOLTYPE_EMPTY;
+                                nAnzResStrings--;
+                                nCounter++;
+                                i++;
+                            }
                         }
                     }
                     else
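Review bot: the only functional change here is the new `if (i < nAnzStrings)` guard; the inner `while` already tested `i < nAnzStrings`, so the unguarded access was the `sStrArray[i].getLength()` immediately after `i++`. Note that `nCounter++` now also runs only when a following string exists, so the counter differs from the old code when the digit symbol was the last entry; that is presumably intended, but a one-line comment would help, since the rest of the hunk is pure re-indentation.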
commit e39caf210e25598520828b77084863d146034d25
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Aug 4 09:45:40 2017 +0100

    ofz#2852 korean table entries start at 0xF not 0x7
    
    Change-Id: Iaf3ed48d0eb0e5a57770af057c565a7310bb96d4
    Reviewed-on: https://gerrit.libreoffice.org/40763
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit c28ceacf6a1aedb4c965a513c72f7570244fbb6f)

diff --git a/sal/textenc/tcvtkr6.tab b/sal/textenc/tcvtkr6.tab
index d769bac449ee..fab6c6131a5f 100644
--- a/sal/textenc/tcvtkr6.tab
+++ b/sal/textenc/tcvtkr6.tab
@@ -388,7 +388,7 @@ static ImplUniToDBCSHighTab const aKSC5601DBCSHighTab[256] =
     { 0x07, 0xFE, aImplUniToDBCSTab_KSC5601_5D },               /* 0x5D */
     { 0x02, 0xFB, aImplUniToDBCSTab_KSC5601_5E },               /* 0x5E */
     { 0x01, 0xFF, aImplUniToDBCSTab_KSC5601_5F },               /* 0x5F */
-    { 0x07, 0xFB, aImplUniToDBCSTab_KSC5601_60 },               /* 0x60 */
+    { 0x0F, 0xFB, aImplUniToDBCSTab_KSC5601_60 },               /* 0x60 */
     { 0x01, 0xFF, aImplUniToDBCSTab_KSC5601_61 },               /* 0x61 */
     { 0x00, 0xFF, aImplUniToDBCSTab_KSC5601_62 },               /* 0x62 */
     { 0x01, 0xF7, aImplUniToDBCSTab_KSC5601_63 },               /* 0x63 */
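Review bot: only the first field of the `0x60` row changes (`0x07` to `0x0F`); the sub-table it points to, `aImplUniToDBCSTab_KSC5601_60`, is untouched. Per the commit message that field is the starting low byte of the block, so with the old value a lookup computed from the offset could presumably index eight entries past the end of the sub-table, which is what the fuzzer hit. No test accompanies the change; a unit test that converts one code point from the affected block through this table would keep the offset and the sub-table from drifting apart again.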
@@ -1020,7 +1020,7 @@ static ImplUniToDBCSHighTab const aJOHABDBCSHighTab[256] =
     { 0x07, 0xFE, aImplUniToDBCSTab_JOHAB_5D },                 /* 0x5D */
     { 0x02, 0xFB, aImplUniToDBCSTab_JOHAB_5E },                 /* 0x5E */
     { 0x01, 0xFF, aImplUniToDBCSTab_JOHAB_5F },                 /* 0x5F */
-    { 0x07, 0xFB, aImplUniToDBCSTab_JOHAB_60 },                 /* 0x60 */
+    { 0x0F, 0xFB, aImplUniToDBCSTab_JOHAB_60 },                 /* 0x60 */
     { 0x01, 0xFF, aImplUniToDBCSTab_JOHAB_61 },                 /* 0x61 */
     { 0x00, 0xFF, aImplUniToDBCSTab_JOHAB_62 },                 /* 0x62 */
     { 0x01, 0xF7, aImplUniToDBCSTab_JOHAB_63 },                 /* 0x63 */
commit 48976e294b1cae760b276fdd1d1a0af9fef3b0d1
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Sat Aug 5 19:15:36 2017 +0100

    ofz#2867 null deref
    
    Reviewed-on: https://gerrit.libreoffice.org/40792
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit 42b894f80a6d0c39bb0f7092eb204a15c22c4f38)
    
    Change-Id: If856473683685d79d88b024f7fafa2920b403bb7
    Reviewed-on: https://gerrit.libreoffice.org/40794
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Jenkins <ci at libreoffice.org>
    (cherry picked from commit 12569ca783263be8797ff19b532a9f03c34b4c2a)

diff --git a/sc/qa/unit/data/slk/pass/numfmt-2.slk b/sc/qa/unit/data/slk/pass/numfmt-2.slk
new file mode 100644
index 000000000000..5989cdc3e64e
--- /dev/null
+++ b/sc/qa/unit/data/slk/pass/numfmt-2.slk
@@ -0,0 +1 @@
+P;Pÿ                                                               ÿ  ÿ                    ÿ  ÿ  dÿ Sÿ0
\ No newline at end of file
diff --git a/svl/source/numbers/zforscan.cxx b/svl/source/numbers/zforscan.cxx
index 363a6219137e..d9dd9a69e294 100644
--- a/svl/source/numbers/zforscan.cxx
+++ b/svl/source/numbers/zforscan.cxx
@@ -2500,17 +2500,20 @@ sal_Int32 ImpSvNumberformatScan::FinalScan( OUString& rString )
                             nTypeArray[i] = NF_SYMBOLTYPE_DIGIT;
                             OUString& rStr = sStrArray[i];
                             i++;
-                            nPos = nPos + sStrArray[i].getLength();
-                            nCounter++;
-                            while (i < nAnzStrings &&
-                                   sStrArray[i][0] == '0')
+                            if (i < nAnzStrings)
                             {
-                                rStr += sStrArray[i];
                                 nPos = nPos + sStrArray[i].getLength();
-                                nTypeArray[i] = NF_SYMBOLTYPE_EMPTY;
-                                nAnzResStrings--;
                                 nCounter++;
-                                i++;
+                                while (i < nAnzStrings &&
+                                       sStrArray[i][0] == '0')
+                                {
+                                    rStr += sStrArray[i];
+                                    nPos = nPos + sStrArray[i].getLength();
+                                    nTypeArray[i] = NF_SYMBOLTYPE_EMPTY;
+                                    nAnzResStrings--;
+                                    nCounter++;
+                                    i++;
+                                }
                             }
                         }
                         else
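Review bot: this hunk is the same guard as the one at line 2350 in the ofz#2833 commit above, and the `index` lines show this commit (ofz#2867) landed first: it produces `d9dd9a69e294`, which the other hunk starts from. Two identical blocks that merge trailing `'0'` symbols and both needed the same bounds fix are a maintenance risk; consider pulling the loop into a small helper so the next bound issue is fixed once.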
commit ca18641d824a08782c15e065fe06ee99583c89d8
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Aug 7 19:24:37 2017 +0100

    ofz#2877: crash in SVTB16Short
    
    sal_uInt16 wraparound
    
    Change-Id: Ifd791bdd5f1b96576fdd4ca6665bb972fb8b1e4c
    Reviewed-on: https://gerrit.libreoffice.org/40853
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Markus Mohrhard <markus.mohrhard at googlemail.com>
    (cherry picked from commit 19925f85fd3f9cf0cf82e8bcb0a4e90922879dc7)

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index bb7670b9d2e0..422211a9abb3 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -3506,7 +3506,7 @@ bool WW8PLCFx_SEPX::Find4Sprms(sal_uInt16 nId1,sal_uInt16 nId2,sal_uInt16 nId3,s
     p4 = nullptr;
 
     sal_uInt8* pSp = pSprms;
-    sal_uInt16 i=0;
+    size_t i = 0;
     while (i + maSprmParser.MinSprmLen() <= nSprmSiz)
     {
         // Sprm found?
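Review bot: widening `i` to `size_t` fixes the wraparound in the `i += x` accumulation further down this function (visible in the ofz#3154 hunk at @@ -3524 below: `i += x; pSp += x;`); with a 16-bit counter a long sprm run could wrap `i` back below `nSprmSiz` while `pSp` kept advancing past the buffer. `HasSprm` (@@ -3549 in the same file) uses the same `i += x` idiom; its counter's declaration is outside the diff, so please confirm it has the same width.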
commit b06774cc503522b6dc59b4b29e3774da5e73a7d4
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Thu Aug 10 16:56:13 2017 +0100

    ofz#2899 increment pos before check, like all the other cases
    
    Change-Id: Id49f747e36f767a3e82fc3610959eb94015a93d7
    Reviewed-on: https://gerrit.libreoffice.org/40986
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Jenkins <ci at libreoffice.org>
    (cherry picked from commit 6ca0958555f24e2a384740669adceb6cf3c7e3b8)

diff --git a/hwpfilter/source/drawing.h b/hwpfilter/source/drawing.h
index 1967ddffed1c..52a67be5365d 100644
--- a/hwpfilter/source/drawing.h
+++ b/hwpfilter/source/drawing.h
@@ -318,8 +318,6 @@ static bool LoadCommonHeader(HWPDrawingObject * hdo, unsigned short * link_info)
 
 static HWPDrawingObject *LoadDrawingObject(void)
 {
-    fprintf(stderr, "LoadDrawingObject\n");
-
     HWPDrawingObject *hdo, *head, *prev;
 
     unsigned short link_info;
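Review bot: dropping the `fprintf(stderr, "LoadDrawingObject\n")` trace is good housekeeping but unrelated to the `read1b` fix in this commit; a separate cleanup commit would keep the ofz#2899 change reviewable on its own.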
diff --git a/hwpfilter/source/hiodev.cxx b/hwpfilter/source/hiodev.cxx
index 45ccb987bcd5..da02aadc800e 100644
--- a/hwpfilter/source/hiodev.cxx
+++ b/hwpfilter/source/hiodev.cxx
@@ -308,9 +308,10 @@ bool HMemIODev::setCompressed(bool )
 
 bool HMemIODev::read1b(unsigned char &out)
 {
+    ++pos;
     if (pos <= length)
     {
-        out = ptr[pos++];
+        out = ptr[pos - 1];
         return true;
     }
     return false;
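Review bot: the old body had an off-by-one, not just an ordering difference from the other readers: `if (pos <= length)` followed by `out = ptr[pos++]` let `pos == length` through and read `ptr[length]`, one byte past the buffer. Pre-incrementing and reading `ptr[pos - 1]` makes the same comparison mean "the byte just consumed lies inside the buffer". One consequence worth documenting: after a failed read `pos` is now `length + 1`, so a caller that compares `pos` with `length` afterwards must treat `pos > length` as end of data rather than `pos == length`.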
commit 6ebb8c756be3b88aa687ab65009839e95c7a47eb
Author: Michael Stahl <mstahl at redhat.com>
Date:   Thu Aug 24 13:56:35 2017 +0200

    tdf#111934 xmloff: ODF import: self-referential conditional style crash
    
    It's invalid input and also causes stack overflow.
    
    (cherry picked from commit 9fe857b7bd126ff4856fc4689d375881653b97a2)
    
    tdf#111934: add document for filters-tests
    Thanks to infostud91 at gmail.com for the document; unfortunately git
    tells me that I can't set the commit author to just an email address.

    (cherry picked from commit 6e090b4272b8fa12d2032ff0c0ea4bfb24c0d2d2)
    
    Change-Id: Ie0b9dcaefcfcf254326151f345f4802ed66b994d
    Reviewed-on: https://gerrit.libreoffice.org/41535
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit f07bb0fed885f7a13c08f2bc3203e727db7cef1c)

diff --git a/sw/qa/core/data/odt/fail/82fff64a-0a21-4b09-bbdc-2914a5a150f0.odt b/sw/qa/core/data/odt/fail/82fff64a-0a21-4b09-bbdc-2914a5a150f0.odt
new file mode 100644
index 000000000000..7d823df75213
Binary files /dev/null and b/sw/qa/core/data/odt/fail/82fff64a-0a21-4b09-bbdc-2914a5a150f0.odt differ
diff --git a/xmloff/source/style/xmlnumfi.cxx b/xmloff/source/style/xmlnumfi.cxx
index ccd8158ead14..85c6cfe47289 100644
--- a/xmloff/source/style/xmlnumfi.cxx
+++ b/xmloff/source/style/xmlnumfi.cxx
@@ -1692,6 +1692,11 @@ sal_Int32 SvXMLNumFormatContext::CreateAndInsert(SvNumberFormatter* pFormatter)
     {
         SvXMLNumFormatContext* pStyle = const_cast<SvXMLNumFormatContext*>( static_cast<const SvXMLNumFormatContext *>(pStyles->FindStyleChildContext(
             XML_STYLE_FAMILY_DATA_STYLE, aMyConditions[i].sMapName)));
+        if (this == pStyle)
+        {
+            SAL_INFO("xmloff.style", "invalid style:map references containing style");
+            pStyle = nullptr;
+        }
         if (pStyle)
         {
             if ((pStyle->PrivateGetKey() > -1))     // don't reset pStyle's bRemoveAfterUse flag
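Review bot: `this == pStyle` only catches a data style whose `style:map` names itself. A cycle through two or more styles (A maps to B, B maps to A) passes this test and, since the crash is a stack overflow per the commit message, would still recurse through `CreateAndInsert`. A depth counter or a set of styles currently on the recursive path would cover both cases; at minimum the `SAL_INFO` text should say "directly references" so nobody assumes longer cycles are handled.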
commit 8f190bd8ac87b50b011be0664beb0072c080aebc
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Aug 28 10:17:56 2017 +0100

    ofz#3110 GeneratePLCF only generated word6 sized missing entries
    
    BTE was 2 bytes in word 7- but 4 bytes in word 8+
    
    Change-Id: I24007d26fccc5edc104320bd2eb8f9c62399c988
    Reviewed-on: https://gerrit.libreoffice.org/41625
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit 35c07f69a28c24a8561f86ff82387f11a85d368a)

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 8fca0f18825d..bb7670b9d2e0 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -2160,7 +2160,7 @@ void WW8PLCF::GeneratePLCF(SvStream& rSt, sal_Int32 nPN, sal_Int32 ncpN)
 
     if (!failure)
     {
-        size_t nSiz = 6 * nIMax + 4;
+        size_t nSiz = (4 + nStru) * nIMax + 4;
         size_t nElems = ( nSiz + 3 ) / 4;
         pPLCF_PosArray = new sal_Int32[ nElems ]; // Pointer to Pos-array
 
@@ -2215,7 +2215,7 @@ void WW8PLCF::GeneratePLCF(SvStream& rSt, sal_Int32 nPN, sal_Int32 ncpN)
         for (sal_Int32 i = 0; i < ncpN; ++i)         // construct PNs
         {
             ShortToSVBT16(static_cast<sal_uInt16>(nPN + i), p);
-            p+=2;
+            p += nStru;
         }
     }
 
commit 0f39d67622121889fd1e49958639883ed7fed3ae
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Aug 28 10:53:42 2017 +0100

    ofz#3121 check bounds better
    
    Change-Id: Ib1eacda7e4cdf1d0238532f4e38059a9c30556ac
    Reviewed-on: https://gerrit.libreoffice.org/41628
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit b72dee386ac15a7fd6098503772e606c5f059a20)

diff --git a/filter/source/graphicfilter/icgm/class4.cxx b/filter/source/graphicfilter/icgm/class4.cxx
index 5c052c24fb02..36dad1b6d356 100644
--- a/filter/source/graphicfilter/icgm/class4.cxx
+++ b/filter/source/graphicfilter/icgm/class4.cxx
@@ -186,7 +186,7 @@ void CGM::ImplDoClass4()
                 sal_uInt32 nType = ImplGetUI16( 4 );
                 sal_uInt32 nSize = ImplGetUI( 1 );
 
-                if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+                if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) <= nSize)
                     throw css::uno::Exception("attempt to read past end of input", nullptr);
 
                 mpSource[mnParaSize + nSize] = 0;
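Review bot: the switch from `<` to `<=` is correct because of the line after the check, `mpSource[mnParaSize + nSize] = 0`, which writes one byte beyond the `nSize` bytes of string data; with exactly `nSize` bytes left the old test passed and the terminator landed on `mpEndValidSource`. The exception text "attempt to read past end of input" now also guards a write, which is fine, but a short comment saying the extra byte is reserved for the terminator would explain the `<=` to the next reader.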
@@ -224,7 +224,7 @@ void CGM::ImplDoClass4()
                 sal_uInt32 nType = ImplGetUI16(4);
                 sal_uInt32 nSize = ImplGetUI(1);
 
-                if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+                if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) <= nSize)
                     throw css::uno::Exception("attempt to read past end of input", nullptr);
 
                 mpSource[ mnParaSize + nSize ] = 0;
@@ -242,7 +242,7 @@ void CGM::ImplDoClass4()
                 sal_uInt32 nType = ImplGetUI16( 4 );
                 sal_uInt32 nSize = ImplGetUI( 1 );
 
-                if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+                if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) <= nSize)
                     throw css::uno::Exception("attempt to read past end of input", nullptr);
 
                 mpSource[ mnParaSize + nSize ] = 0;
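Review bot: the same check-and-terminate sequence appears three times in `ImplDoClass4` (@@ -186, -224, -242) and all three needed the identical fix. A helper that takes `nSize`, performs the `<=` check, throws, and writes the terminator would make it impossible for a fourth copy to come back with the old `<`.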
commit b98fb61c0c8dca320fe679ae21bfa956207c177c
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Aug 28 14:34:16 2017 +0100

    ofz#3186: wrong starting offset for JOHAB 0x6D block
    
    Change-Id: I4de6d9d781b2f2313d8fd338b34dcb31434efe91
    Reviewed-on: https://gerrit.libreoffice.org/41640
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Jenkins <ci at libreoffice.org>
    (cherry picked from commit 4f982fb4f6ec635f8f900431761a55ab7d5cac2a)

diff --git a/sal/textenc/tcvtkr6.tab b/sal/textenc/tcvtkr6.tab
index de68d624f8b2..d769bac449ee 100644
--- a/sal/textenc/tcvtkr6.tab
+++ b/sal/textenc/tcvtkr6.tab
@@ -1033,7 +1033,7 @@ static ImplUniToDBCSHighTab const aJOHABDBCSHighTab[256] =
     { 0x02, 0xFB, aImplUniToDBCSTab_JOHAB_6A },                 /* 0x6A */
     { 0x04, 0xEC, aImplUniToDBCSTab_JOHAB_6B },                 /* 0x6B */
     { 0x08, 0xF3, aImplUniToDBCSTab_JOHAB_6C },                 /* 0x6C */
-    { 0x03, 0xFB, aImplUniToDBCSTab_JOHAB_6D },                 /* 0x6D */
+    { 0x0B, 0xFB, aImplUniToDBCSTab_JOHAB_6D },                 /* 0x6D */
     { 0x17, 0xFF, aImplUniToDBCSTab_JOHAB_6E },                 /* 0x6E */
     { 0x01, 0xFE, aImplUniToDBCSTab_JOHAB_6F },                 /* 0x6F */
     { 0x01, 0xFD, aImplUniToDBCSTab_JOHAB_70 },                 /* 0x70 */
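Review bot: same class of fix as the `0x60` rows in this table: the start offset of the JOHAB `0x6D` block moves from `0x03` to `0x0B` while `aImplUniToDBCSTab_JOHAB_6D` itself is unchanged, so lookups near the top of the block presumably indexed past that sub-table. Two wrong offsets in one file suggests a one-off consistency check (start offset plus sub-table length against the end byte, for every row) would be more robust than fixing entries as the fuzzer finds them.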
commit 4e45c6d6d658cd46b428db366ad7b9a6ed7b1633
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Aug 28 12:13:41 2017 +0100

    ofz#3154 check bounds of special sprm
    
    Change-Id: I82566e2f2ad479c392f06ae7149e3781c0338e50
    
    ofz: sanity check L_VAR2 record bounds
    
    Change-Id: I862457a7239108974f360a87b4f6ccf433eae364
    Reviewed-on: https://gerrit.libreoffice.org/37534
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit 016e4d0e2650b2fb350068d86e8d392a7ef5acb1)
    
    ofz: stay within available data
    
    Change-Id: Ic959cf5b2cd92ba5bc297e686beb1fd50427a994
    Reviewed-on: https://gerrit.libreoffice.org/36102
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit fdcac49119d3fc9f6216af834e7afc56d2c2e376)
    Reviewed-on: https://gerrit.libreoffice.org/41648
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit f33a136dc6bcb8bc0ed6ddd6c3d38d75e067e6eb)

diff --git a/sw/source/filter/ww8/ww8graf.cxx b/sw/source/filter/ww8/ww8graf.cxx
index bd1a8ca64cad..2664cdb3971e 100644
--- a/sw/source/filter/ww8/ww8graf.cxx
+++ b/sw/source/filter/ww8/ww8graf.cxx
@@ -617,7 +617,7 @@ void SwWW8ImplReader::InsertAttrsAsDrawingAttrs(long nStartCp, long nEndCp,
                 // off and convert them later
                 if (bStartAttr)
                 {
-                    ImportSprm(aRes.pMemPos, aRes.nSprmId);
+                    ImportSprm(aRes.pMemPos, aRes.nMemLen, aRes.nSprmId);
                     if (!bDoingSymbol && m_bSymbol)
                     {
                         bDoingSymbol = true;
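Review bot: this call passes `aRes.nMemLen` straight through, whereas the matching call in `ReadTextAttr` (ww8par.cxx, @@ -3824) is guarded by `if( aRes.nMemLen >= 0 )`. Because `nMemLen` is `sal_Int32` and `GetSprmTailLen` compares indices against it with `<`, a negative value here makes every index test fail and the tail length comes back as 0, so it is not unsafe; but the asymmetry between the two callers looks accidental and deserves either the same guard or a comment.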
diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx
index c7b117db9ebb..794323d294e0 100644
--- a/sw/source/filter/ww8/ww8par.cxx
+++ b/sw/source/filter/ww8/ww8par.cxx
@@ -3824,7 +3824,7 @@ long SwWW8ImplReader::ReadTextAttr(WW8_CP& rTextPos, long nTextEnd, bool& rbStar
             if( bStartAttr ) // WW attributes
             {
                 if( aRes.nMemLen >= 0 )
-                    ImportSprm(aRes.pMemPos, aRes.nSprmId);
+                    ImportSprm(aRes.pMemPos, aRes.nMemLen, aRes.nSprmId);
             }
             else
                 EndSprm( aRes.nSprmId ); // Switch off Attr
@@ -6434,7 +6434,7 @@ bool SwMSDffManager::GetOLEStorageName(long nOLEId, OUString& rStorageName,
                         while (nLen >= 2 && !nPictureId)
                         {
                             sal_uInt16 nId = aSprmParser.GetSprmId(pSprm);
-                            sal_uInt16 nSL = aSprmParser.GetSprmSize(nId, pSprm);
+                            sal_uInt16 nSL = aSprmParser.GetSprmSize(nId, pSprm, nLen);
 
                             if( nLen < nSL )
                                 break; // Not enough Bytes left
diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index 614794bdcf90..424835eb133b 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -1846,7 +1846,7 @@ public:     // really private, but can only be done public
 
     void DeleteFormImpl();
 
-    short ImportSprm( const sal_uInt8* pPos, sal_uInt16 nId = 0 );
+    short ImportSprm(const sal_uInt8* pPos, sal_Int32 nMemLen, sal_uInt16 nId = 0);
 
     bool SearchRowEnd(WW8PLCFx_Cp_FKP* pPap,WW8_CP &rStartCp, int nLevel) const;
     /// Seek to the end of the table with pPap, returns true on success.
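Review bot: the new `nMemLen` parameter is undocumented, while the neighbouring declarations carry `///` comments. State what the value means (bytes readable from `pPos`, including the sprm itself) and what `ImportSprm` does when the sprm claims more than that. Inserting a required parameter in front of the defaulted `nId` also silently re-reads any two-argument call `ImportSprm(p, id)` as `ImportSprm(p, nMemLen = id)`; both are integers, so the compiler will not object, which makes it worth grepping for callers outside this diff.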
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index f7e77500eee5..81fbe705c5f8 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -3720,7 +3720,7 @@ void WW8RStyle::ImportSprms(sal_uInt8 *pSprms, short nLen, bool bPap)
 #ifdef DEBUGSPRMREADER
         fprintf(stderr, "id is %x\n", aIter.GetAktId());
 #endif
-        pIo->ImportSprm(pSprm);
+        pIo->ImportSprm(pSprm, aSprmIter.GetRemLen(), aSprmIter.GetAktId());
         aSprmIter.advance();
     }
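Review bot: the `#ifdef DEBUGSPRMREADER` block two lines above the changed call still prints `aIter.GetAktId()`, while the call itself now uses `aSprmIter.GetAktId()`; unless an `aIter` also exists in this function, a debug build would not compile. Since the line is being touched anyway, renaming the debug reference to `aSprmIter` keeps the two consistent.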
 
diff --git a/sw/source/filter/ww8/ww8par3.cxx b/sw/source/filter/ww8/ww8par3.cxx
index 497f5445d159..58a27bba8ac1 100644
--- a/sw/source/filter/ww8/ww8par3.cxx
+++ b/sw/source/filter/ww8/ww8par3.cxx
@@ -714,7 +714,7 @@ bool WW8ListManager::ReadLVL(SwNumFormat& rNumFormat, SfxItemSet*& rpItemSet,
             maSprmParser);
         while (const sal_uInt8* pSprm = aSprmIter.GetSprms())
         {
-            rReader.ImportSprm(pSprm);
+            rReader.ImportSprm(pSprm, aSprmIter.GetRemLen(), aSprmIter.GetAktId());
             aSprmIter.advance();
         }
 
@@ -1908,7 +1908,7 @@ void SwWW8ImplReader::RegisterNumFormatOnTextNode(sal_uInt16 nActLFO,
                     sal_uInt8* pSprms1  = &aParaSprms[0];
                     while (0 < nLen)
                     {
-                        sal_uInt16 nL1 = ImportSprm(pSprms1);
+                        sal_uInt16 nL1 = ImportSprm(pSprms1, nLen);
                         nLen = nLen - nL1;
                         pSprms1 += nL1;
                     }
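Review bot: `nLen = nLen - nL1` assumes `nL1` never exceeds `nLen`. The bounded `GetSprmSize` reports a truncated variable tail as 0 but still counts the fixed head bytes, so `nL1` can exceed the bytes remaining; if `nLen` is signed the loop simply ends, but if it is unsigned the subtraction wraps and `while (0 < nLen)` keeps walking `pSprms1` past the end of `aParaSprms`. Its declaration is outside the hunk; please confirm, or add an explicit `if (nL1 > nLen) break;`.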
diff --git a/sw/source/filter/ww8/ww8par6.cxx b/sw/source/filter/ww8/ww8par6.cxx
index 2ac07caaded5..538ecbf5d806 100644
--- a/sw/source/filter/ww8/ww8par6.cxx
+++ b/sw/source/filter/ww8/ww8par6.cxx
@@ -6301,7 +6301,7 @@ void SwWW8ImplReader::EndSprm( sal_uInt16 nId )
         (this->*rSprm.pReadFnc)( nId, nullptr, -1 );
 }
 
-short SwWW8ImplReader::ImportSprm(const sal_uInt8* pPos,sal_uInt16 nId)
+short SwWW8ImplReader::ImportSprm(const sal_uInt8* pPos, sal_Int32 nMemLen, sal_uInt16 nId)
 {
     if (!nId)
         nId = m_pSprmParser->GetSprmId(pPos);
@@ -6311,7 +6311,7 @@ short SwWW8ImplReader::ImportSprm(const sal_uInt8* pPos,sal_uInt16 nId)
     const SprmReadInfo& rSprm = GetSprmReadInfo(nId);
 
     sal_uInt16 nFixedLen = m_pSprmParser->DistanceToData(nId);
-    sal_uInt16 nL = m_pSprmParser->GetSprmSize(nId, pPos);
+    sal_uInt16 nL = m_pSprmParser->GetSprmSize(nId, pPos, nMemLen);
 
     if (rSprm.pReadFnc)
         (this->*rSprm.pReadFnc)(nId, pPos + nFixedLen, nL - nFixedLen);
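Review bot: `ImportSprm` now has `nMemLen` in hand when it computes `nL`, but never compares the two: `pReadFnc` is still invoked with `pPos + nFixedLen` and `nL - nFixedLen` bytes. Not every path in `GetSprmTailLen` consults `nRemLen` (the `pSprm[1 + mnDelta] + aSprm.nLen` branches in @@ -7909 and @@ -7930 below are unchanged), so `nL` can still exceed `nMemLen`. Iterating callers such as `WW8SprmIter::UpdateMyMembers` check `nAktSize <= nRemLen` first, but `RegisterNumFormatOnTextNode` calls `ImportSprm` directly in a loop without that check; an early return before the `pReadFnc` call when `nL > nMemLen` would make the function safe on its own.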
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 39939948d129..8fca0f18825d 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -883,14 +883,14 @@ inline long Get_Long( sal_uInt8 *& p )
     return Get_ULong(p);
 }
 
-WW8SprmIter::WW8SprmIter(const sal_uInt8* pSprms_, long nLen_,
+WW8SprmIter::WW8SprmIter(const sal_uInt8* pSprms_, sal_Int32 nLen_,
     const wwSprmParser &rParser)
     :  mrSprmParser(rParser), pSprms( pSprms_), nRemLen( nLen_)
 {
     UpdateMyMembers();
 }
 
-void WW8SprmIter::SetSprms(const sal_uInt8* pSprms_, long nLen_)
+void WW8SprmIter::SetSprms(const sal_uInt8* pSprms_, sal_Int32 nLen_)
 {
     pSprms = pSprms_;
     nRemLen = nLen_;
@@ -917,7 +917,7 @@ void WW8SprmIter::UpdateMyMembers()
     if (bValid)
     {
         nAktId = mrSprmParser.GetSprmId(pSprms);
-        nAktSize = mrSprmParser.GetSprmSize(nAktId, pSprms);
+        nAktSize = mrSprmParser.GetSprmSize(nAktId, pSprms, nRemLen);
         pAktParams = pSprms + mrSprmParser.DistanceToData(nAktId);
         bValid = nAktSize <= nRemLen;
         SAL_WARN_IF(!bValid, "sw.ww8", "sprm longer than remaining bytes, doc or parser is wrong");
@@ -3524,7 +3524,7 @@ bool WW8PLCFx_SEPX::Find4Sprms(sal_uInt16 nId1,sal_uInt16 nId2,sal_uInt16 nId3,s
             bOk = false;
         bFound |= bOk;
         // increment pointer so that it points to next SPRM
-        const sal_uInt16 x = maSprmParser.GetSprmSize(nAktId, pSp);
+        const sal_uInt16 x = maSprmParser.GetSprmSize(nAktId, pSp, nSprmSiz - i);
         i += x;
         pSp += x;
     }
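Review bot: `nSprmSiz - i` is passed as the remaining length, but at this point in the history `i` is still the `sal_uInt16` that the later ofz#2877 commit (@@ -3506 above) widens to `size_t`; had `i` wrapped, the remaining length would be too large rather than too small and the new bound would not help. Fine once both commits are present, but the two fixes depend on each other and are worth cross-referencing in the messages.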
@@ -3549,7 +3549,7 @@ const sal_uInt8* WW8PLCFx_SEPX::HasSprm( sal_uInt16 nId, sal_uInt8 n2nd ) const
                 return pRet;
         }
         // increment pointer so that it points to next SPRM
-        const sal_uInt16 x = maSprmParser.GetSprmSize(nAktId, pSp);
+        const sal_uInt16 x = maSprmParser.GetSprmSize(nAktId, pSp, nSprmSiz - i);
         i += x;
         pSp += x;
     }
@@ -4896,7 +4896,7 @@ void WW8PLCFMan::GetSprmStart( short nIdx, WW8PLCFManResult* pRes ) const
     else if (p->nSprmsLen >= maSprmParser.MinSprmLen()) //normal
     {
         // Length of actual sprm
-        pRes->nMemLen = maSprmParser.GetSprmSize(pRes->nSprmId, pRes->pMemPos);
+        pRes->nMemLen = maSprmParser.GetSprmSize(pRes->nSprmId, pRes->pMemPos, p->nSprmsLen);
         if (pRes->nMemLen > p->nSprmsLen)
         {
             SAL_WARN("sw.ww8", "Short sprm, len " << pRes->nMemLen << " claimed, max possible is " << p->nSprmsLen);
@@ -5004,7 +5004,7 @@ void WW8PLCFMan::AdvSprm(short nIdx, bool bStart)
             if( p->pMemPos )
             {
                 // Length of last sprm
-                const sal_uInt16 nSprmL = maSprmParser.GetSprmSize(nLastId, p->pMemPos);
+                const sal_uInt16 nSprmL = maSprmParser.GetSprmSize(nLastId, p->pMemPos, p->nSprmsLen);
 
                 // Reduce length of all sprms by length of last sprm
                 p->nSprmsLen -= nSprmL;
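Review bot: `p->nSprmsLen -= nSprmL` happens right after `nSprmL` is computed with `p->nSprmsLen` as the bound, but nothing checks `nSprmL <= p->nSprmsLen` before subtracting. `GetSprmStart` (@@ -4896 above) does compare `nMemLen > p->nSprmsLen` and warns; the same comparison here would keep `nSprmsLen` from going negative or wrapping, depending on its type.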
@@ -7894,7 +7894,7 @@ sal_uInt16 WW8DopTypography::GetConvertedLang() const
 
 //              Sprms
 
-sal_uInt16 wwSprmParser::GetSprmTailLen(sal_uInt16 nId, const sal_uInt8* pSprm)
+sal_uInt16 wwSprmParser::GetSprmTailLen(sal_uInt16 nId, const sal_uInt8* pSprm, sal_Int32 nRemLen)
     const
 {
     SprmInfo aSprm = GetSprmInfo(nId);
@@ -7909,15 +7909,26 @@ sal_uInt16 wwSprmParser::GetSprmTailLen(sal_uInt16 nId, const sal_uInt8* pSprm)
                 nL = static_cast< sal_uInt16 >(pSprm[1 + mnDelta] + aSprm.nLen);
             else
             {
-                sal_uInt8 nDel = pSprm[2 + mnDelta];
-                sal_uInt8 nIns = pSprm[3 + mnDelta + 4 * nDel];
+                sal_uInt8 nDelIdx = 2 + mnDelta;
+                sal_uInt8 nDel = nDelIdx < nRemLen ? pSprm[nDelIdx] : 0;
+                sal_uInt8 nInsIdx = 3 + mnDelta + 4 * nDel;
+                sal_uInt8 nIns = nInsIdx < nRemLen ? pSprm[nInsIdx] : 0;
 
                 nL = 2 + 4 * nDel + 3 * nIns;
             }
             break;
         case 0xD608:
-            nL = SVBT16ToShort( &pSprm[1 + mnDelta] );
+        {
+            sal_uInt8 nIndex = 1 + mnDelta;
+            if (nIndex + 1 >= nRemLen)
+            {
+                SAL_WARN("sw.ww8", "sprm longer than remaining bytes, doc or parser is wrong");
+                nL = 0;
+            }
+            else
+                nL = SVBT16ToShort(&pSprm[nIndex]);
             break;
+        }
         default:
             switch (aSprm.nVari)
             {
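Review bot: `nInsIdx` is declared `sal_uInt8`, but `3 + mnDelta + 4 * nDel` reaches 1023 for `nDel == 255`, so the index is truncated modulo 256 both before the `nInsIdx < nRemLen` comparison and before `pSprm[nInsIdx]` is read; the old code evaluated the same expression in `int`. The read stays inside the buffer thanks to the check, but `nIns` then comes from the wrong byte. Declare `nDelIdx` and `nInsIdx` as `sal_Int32`, the type of `nRemLen`. The branch at the top of this hunk (`nL = pSprm[1 + mnDelta] + aSprm.nLen`) still reads its length byte without consulting `nRemLen`.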
@@ -7930,10 +7941,21 @@ sal_uInt16 wwSprmParser::GetSprmTailLen(sal_uInt16 nId, const sal_uInt8* pSprm)
                     nL = static_cast< sal_uInt16 >(pSprm[1 + mnDelta] + aSprm.nLen);
                     break;
                 case L_VAR2:
+                {
                     // Variable 2-Byte Length?
                     // Excl. Token + Var-Lengthbyte
-                    nL = static_cast< sal_uInt16 >(SVBT16ToShort( &pSprm[1 + mnDelta] ) + aSprm.nLen - 1);
+                    sal_uInt8 nIndex = 1 + mnDelta;
+                    sal_uInt16 nCount;
+                    if (nIndex + 1 >= nRemLen)
+                    {
+                        SAL_WARN("sw.ww8", "sprm longer than remaining bytes, doc or parser is wrong");
+                        nCount = 0;
+                    }
+                    else
+                        nCount = SVBT16ToShort(&pSprm[nIndex]);
+                    nL = static_cast< sal_uInt16 >(nCount + aSprm.nLen - 1);
                     break;
+                }
                 default:
                     OSL_ENSURE(false, "Unknown sprm variant");
                     break;
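Review bot: when the two length bytes are missing, `nCount` is forced to 0 and `nL` becomes `aSprm.nLen - 1` cast to `sal_uInt16`; that is only a sane "nothing to consume" result if every `L_VAR2` entry has `nLen >= 1`, otherwise it wraps to 65535 (which the `nAktSize <= nRemLen` test in `UpdateMyMembers` would at least reject). The branch just above `case L_VAR2:` (`pSprm[1 + mnDelta] + aSprm.nLen`) was left unguarded and reads the byte after the id in exactly the situation this hunk guards against, so it probably needs the same `nIndex >= nRemLen` test.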
@@ -7969,9 +7991,9 @@ sal_uInt16 wwSprmParser::GetSprmId(const sal_uInt8* pSp) const
 }
 
 // with tokens and length byte
-sal_uInt16 wwSprmParser::GetSprmSize(sal_uInt16 nId, const sal_uInt8* pSprm) const
+sal_uInt16 wwSprmParser::GetSprmSize(sal_uInt16 nId, const sal_uInt8* pSprm, sal_Int32 nRemLen) const
 {
-    return GetSprmTailLen(nId, pSprm) + 1 + mnDelta + SprmDataOfs(nId);
+    return GetSprmTailLen(nId, pSprm, nRemLen) + 1 + mnDelta + SprmDataOfs(nId);
 }
 
 sal_uInt8 wwSprmParser::SprmDataOfs(sal_uInt16 nId) const
@@ -7991,7 +8013,7 @@ sal_uInt8* wwSprmParser::findSprmData(sal_uInt16 nId, sal_uInt8* pSprms,
     {
         const sal_uInt16 nAktId = GetSprmId(pSprms);
         // set pointer to data
-        sal_uInt16 nSize = GetSprmSize(nAktId, pSprms);
+        sal_uInt16 nSize = GetSprmSize(nAktId, pSprms, nLen);
 
         bool bValid = nSize <= nLen;
 
diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx
index ff2fc7a7e07b..00ed18c625ce 100644
--- a/sw/source/filter/ww8/ww8scan.hxx
+++ b/sw/source/filter/ww8/ww8scan.hxx
@@ -126,7 +126,7 @@ public:
     /// Return the SPRM id at the beginning of this byte sequence
     sal_uInt16 GetSprmId(const sal_uInt8* pSp) const;
 
-    sal_uInt16 GetSprmSize(sal_uInt16 nId, const sal_uInt8* pSprm) const;
+    sal_uInt16 GetSprmSize(sal_uInt16 nId, const sal_uInt8* pSprm, sal_Int32 nRemLen) const;
 
     /// Get known len of a sprms head, the bytes of the sprm id + any bytes
     /// reserved to hold a variable length
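Review bot: `GetSprmId` directly above has a `///` comment, while `GetSprmSize` gains a third parameter with none. One line saying that `nRemLen` is the number of bytes readable from `pSprm` and that the returned size is not clamped to it, so callers must compare the result against `nRemLen` themselves (as `UpdateMyMembers` and `findSprmData` do), would prevent the next caller from assuming the result is already safe.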
@@ -134,7 +134,7 @@ public:
 
     /// Get len of a sprms data area, ignoring the bytes of the sprm id and
     /// ignoring any len bytes. Reports the remaining data after those bytes
-    sal_uInt16 GetSprmTailLen(sal_uInt16 nId, const sal_uInt8 * pSprm) const;
+    sal_uInt16 GetSprmTailLen(sal_uInt16 nId, const sal_uInt8* pSprm, sal_Int32 nRemLen) const;
 
     /// The minimum acceptable sprm len possible for this type of parser
     int MinSprmLen() const { return (IsSevenMinus(meVersion)) ? 2 : 3; }
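Review bot: the doc comment on `GetSprmTailLen` still describes only the old behaviour ("Reports the remaining data after those bytes"); it should also say that, with `nRemLen`, the variable-length cases return 0 and log a warning when the length bytes fall outside the available data, because a caller that treats 0 as "no tail" now has to allow for "truncated" as well.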
@@ -263,20 +263,21 @@ private:
     sal_uInt16 nAktId;
     sal_uInt16 nAktSize;
 
-    long nRemLen;   // length of remaining SPRMs (including akt. SPRM)
+    sal_Int32 nRemLen;   // length of remaining SPRMs (including akt. SPRM)
 
     void UpdateMyMembers();
 
 public:
-    explicit WW8SprmIter( const sal_uInt8* pSprms_, long nLen_,
+    explicit WW8SprmIter(const sal_uInt8* pSprms_, sal_Int32 nLen_,
         const wwSprmParser &rSprmParser);
-    void  SetSprms( const sal_uInt8* pSprms_, long nLen_ );
+    void  SetSprms(const sal_uInt8* pSprms_, sal_Int32 nLen_);
     const sal_uInt8* FindSprm(sal_uInt16 nId);
     void  advance();
     const sal_uInt8* GetSprms() const
         { return ( pSprms && (0 < nRemLen) ) ? pSprms : nullptr; }
     const sal_uInt8* GetAktParams() const { return pAktParams; }
     sal_uInt16 GetAktId() const { return nAktId; }
+    sal_Int32 GetRemLen() const { return nRemLen; }
 
 private:
     WW8SprmIter(const WW8SprmIter&) = delete;
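Review bot: `GetRemLen()` exposes `nRemLen`, whose field comment says it counts the remaining SPRMs "including akt. SPRM"; that is exactly what the new `ImportSprm(pSprm, aSprmIter.GetRemLen(), ...)` callers need, but the accessor itself carries no comment, unlike its neighbours. Narrowing `nRemLen` from `long` to `sal_Int32` also narrows the constructor and `SetSprms` parameters, so any caller still passing a `long` length now converts implicitly; harmless for sprm buffers, but worth a `-Wconversion` pass over the callers.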
commit 83307d3838c47302ff3019a75290a123b2230ad1
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Tue Aug 29 11:43:42 2017 +0100

    Resolves: tdf#112017 crash on particular odt
    
    Change-Id: I6ba2e73562a16afecb6abdfe4f1a40b1e316379e
    Reviewed-on: https://gerrit.libreoffice.org/41712
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit 932a81e9c31a3a5bf5edad3d9e79b111e19b113d)

diff --git a/svx/source/unodraw/unoshape.cxx b/svx/source/unodraw/unoshape.cxx
index 76ae1a58157f..ca6d8e9e027a 100644
--- a/svx/source/unodraw/unoshape.cxx
+++ b/svx/source/unodraw/unoshape.cxx
@@ -3069,7 +3069,8 @@ void SvxShape::setAllPropertiesToDefault() throw (uno::RuntimeException, std::ex
         mpObj->SetMergedItem(Svx3DCharacterModeItem(true));
     }
 
-    mpModel->SetChanged();
+    if (mpModel)
+        mpModel->SetChanged();
 }
 
 void SvxShape::setPropertiesToDefault(
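Review bot: the null check stops the crash but swallows the condition silently; the xmloff fix in this same batch logs a `SAL_INFO` when it meets its invalid case, and a `SAL_WARN_IF(!mpModel, ...)` here would tell whoever debugs the next tdf#112017-style document that a shape without a model reached `setAllPropertiesToDefault`. The `mpObj->SetMergedItem` calls just above sit inside a block whose condition is outside the hunk, so it is not visible here whether `mpObj` gets the same protection.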
diff --git a/sw/qa/core/data/odt/pass/tdf112017.odt b/sw/qa/core/data/odt/pass/tdf112017.odt
new file mode 100644
index 000000000000..02a24d9db146
Binary files /dev/null and b/sw/qa/core/data/odt/pass/tdf112017.odt differ
commit 4cba4d72532a844893910e349909ba7152c3b966
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Wed Aug 30 09:22:45 2017 +0100

    Resolves tdf#112101 crash on particular file with office:event-listeners
    
    Change-Id: I99a007543f90f4024666d296e9a775f8cee15086
    Reviewed-on: https://gerrit.libreoffice.org/41725
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit fb8fba4a99e71ba9faa9d93dc126bae80baffdde)

diff --git a/sw/qa/core/data/odt/pass/tdf112101.odt b/sw/qa/core/data/odt/pass/tdf112101.odt
new file mode 100644
index 000000000000..ca29bd732ea4
Binary files /dev/null and b/sw/qa/core/data/odt/pass/tdf112101.odt differ
diff --git a/xmloff/source/text/txtparai.cxx b/xmloff/source/text/txtparai.cxx
index 31f0560192e6..670a206c995a 100644
--- a/xmloff/source/text/txtparai.cxx
+++ b/xmloff/source/text/txtparai.cxx
@@ -427,7 +427,7 @@ XMLImpHyperlinkContext_Impl::XMLImpHyperlinkContext_Impl(
 
 XMLImpHyperlinkContext_Impl::~XMLImpHyperlinkContext_Impl()
 {
-    if( mpHint != nullptr )
+    if (mpHint)
         mpHint->SetEnd( GetImport().GetTextImport()
                             ->GetCursorAsRange()->getStart() );
 }
@@ -441,7 +441,8 @@ SvXMLImportContext *XMLImpHyperlinkContext_Impl::CreateChildContext(
     {
         XMLEventsImportContext* pCtxt = new XMLEventsImportContext(
             GetImport(), nPrefix, rLocalName);
-        mpHint->SetEventsContext(pCtxt);
+        if (mpHint)
+            mpHint->SetEventsContext(pCtxt);
         return pCtxt;
     }
     else
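Review bot: When mpHint is null the freshly created XMLEventsImportContext is still returned, so the office:event-listeners element is parsed but its result is attached to nothing and discarded; that avoids the crash but hides that the hyperlink lost its events. A SAL_WARN in an else branch (or skipping the context creation entirely when there is no hint) would make the lossy import visible.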
commit fd362605c51da4b99923cd3d1dff78dc6dca0222
Author: Michael Stahl <mstahl at redhat.com>
Date:   Wed Sep 6 23:18:23 2017 +0200

    tdf#112163 sw: avoid crashing in layout on this document
    
    SwTextFrame 0x5dfb7a0 is join locked so doesn't GetFormatted() so
    doesn't have a SwTextLineAccess created; add some defensive programming
    just to make it not crash.
    
    Whether this is the right fix or just a workaround for something going
    wrong in the 179 layout stack frames is beyond my meager knowledge.
    
    In case anybody has an obvious idea, the layout frames that are
    currently being formatted (SwTextFrame or SwTabFrame) are:
    
     #3 0x5dfb7a0 is master of 0x5e56330
    
     #4 0x5e56330
    
     #10 0x5e5f3f0 is follow of 0x5e56330
    
     #19 0x5e60d30 SwTabFrame::Split
    
     #30 0x5e56330
    
     #44 0x5dfb7a0
    
     #53 0x2cefae0 master of 0x5dfb7a0
    
     #57 0x63d1440 SwTabFrame::MakeAll is follow of #58
    
     #58 0x5e106c0 SwTabFrame::MakeAll
    
     #68 0x5e812d0
    
     #77 0x5e11f80 is master of #68
    
     #86 0x2cef600 is master of #77
    
     #90 0x5f86c00 SwTabFrame::MakeAll
    
     #91 0x63d0150 SwTabFrame::MakeAll
    
     #98 SwFlowFrame::MoveFwd
     #101 0x63cf3d0
    
     #110 0x5e05ff0 is master of #101
    
     #119 0x5e0c700 is master of #110
    
     #128 0x5bd0ad0 is master of #119
    
     #136 0x5f8b800 is master of #128
    
     #145 0x86b29a0 is master of #136
    
     #154 0x2c37340 is master of #145
    
     #158 0x5e04ab0 SwTabFrame::MakeAll
    
     #168 0x2c371a0
    
     #173 0x5e16340 SwTabFrame::MakeAll
    
    Change-Id: I716b5faec1512cbf1fbdb04a436da302bd628c51
    (cherry picked from commit 6c8c51231e7415ecc20d1343211acf8382666613)
    Reviewed-on: https://gerrit.libreoffice.org/42041
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
    (cherry picked from commit b8e84ac201f5611635177f8404c28f7fa8d0c806)

diff --git a/sw/source/core/text/frmform.cxx b/sw/source/core/text/frmform.cxx
index 5dd45a76e4c8..2e0615f7ee53 100644
--- a/sw/source/core/text/frmform.cxx
+++ b/sw/source/core/text/frmform.cxx
@@ -1395,10 +1395,17 @@ void SwTextFrame::Format_( SwTextFormatter &rLine, SwTextFormatInfo &rInf,
         {
             if( !pMaster->HasPara() )
                 pMaster->GetFormatted();
-            SwTextSizeInfo aInf( pMaster );
-            SwTextIter aMasterLine( pMaster, &aInf );
-            aMasterLine.Bottom();
-            pLine = aMasterLine.GetCurr();
+            if (!pMaster->HasPara())
+            {   // master could be locked because it's being formatted upstack
+                SAL_WARN("sw", "SwTextFrame::Format_: failed to format master!");
+            }
+            else
+            {
+                SwTextSizeInfo aInf( pMaster );
+                SwTextIter aMasterLine( pMaster, &aInf );
+                aMasterLine.Bottom();
+                pLine = aMasterLine.GetCurr();
+            }
         }
         SwLinePortion* pRest = pLine ?
             rLine.MakeRestPortion(pLine, GetOfst()) : nullptr;
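Review bot: The new warn-only branch leaves pLine untouched, so correctness depends on pLine having been initialised to nullptr before this block, which is outside the hunk; confirm that, because the `pLine ? rLine.MakeRestPortion(pLine, GetOfst()) : nullptr` below is the only guard and a stale non-null pLine would reintroduce the crash. SAL_WARN is also debug-only, so in release builds a join-locked master silently loses its rest portion; the commit message already acknowledges this as a workaround rather than a root-cause fix.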
commit 06a425af0d08961a7f06cb2b8d3f2433afdb8bd1
Author: Eike Rathke <erack at redhat.com>
Date:   Thu Sep 14 14:30:08 2017 +0200

    ofz#3362 SYLK import: check ;X;Y;C;R col/row validity early
    
    Change-Id: I37d5ce67f975b6b89c4b8a9baefae2467da2eb84
    (cherry picked from commit 34ac0f9a0376b43bcff78a49ccaf4caa34c8c990)
    Reviewed-on: https://gerrit.libreoffice.org/42278
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit c759f30a5220dfd29894e34ee16c3fe2bf415592)

diff --git a/sc/source/ui/docshell/impex.cxx b/sc/source/ui/docshell/impex.cxx
index 004ed8106507..a65f985541e6 100644
--- a/sc/source/ui/docshell/impex.cxx
+++ b/sc/source/ui/docshell/impex.cxx
@@ -1776,15 +1776,35 @@ bool ScImportExport::Sylk2Doc( SvStream& rStrm )
                     {
                         case 'X':
                             nCol = static_cast<SCCOL>(OUString(p).toInt32()) + nStartCol - 1;
+                            if (nCol < 0 || MAXCOL < nCol)
+                            {
+                                SAL_WARN("sc.ui","ScImportExport::Sylk2Doc - ;X invalid nCol=" << nCol);
+                                nCol = std::max<SCCOL>( 0, std::min<SCCOL>( nCol, MAXCOL));
+                            }
                             break;
                         case 'Y':
                             nRow = OUString(p).toInt32() + nStartRow - 1;
+                            if (nRow < 0 || MAXROW < nRow)
+                            {
+                                SAL_WARN("sc.ui","ScImportExport::Sylk2Doc - ;Y invalid nRow=" << nRow);
+                                nRow = std::max<SCROW>( 0, std::min<SCROW>( nRow, MAXROW));
+                            }
                             break;
                         case 'C':
                             nRefCol = static_cast<SCCOL>(OUString(p).toInt32()) + nStartCol - 1;
+                            if (nRefCol < 0 || MAXCOL < nRefCol)
+                            {
+                                SAL_WARN("sc.ui","ScImportExport::Sylk2Doc - ;C invalid nRefCol=" << nRefCol);
+                                nRefCol = std::max<SCCOL>( 0, std::min<SCCOL>( nRefCol, MAXCOL));
+                            }
                             break;
                         case 'R':
                             nRefRow = OUString(p).toInt32() + nStartRow - 1;
+                            if (nRefRow < 0 || MAXROW < nRefRow)
+                            {
+                                SAL_WARN("sc.ui","ScImportExport::Sylk2Doc - ;R invalid nRefRow=" << nRefRow);
+                                nRefRow = std::max<SCROW>( 0, std::min<SCROW>( nRefRow, MAXROW));
+                            }
                             break;
                         case 'K':
                         {
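Review bot: Clamping an out-of-range ;X / ;Y / ;C / ;R value into [0, MAXCOL] or [0, MAXROW] keeps the importer from indexing out of bounds, but it also silently retargets the record to column/row 0 or to the maximum, and SAL_WARN is not visible in release builds; consider rejecting the record (or failing the import) rather than redirecting data. Note that the out-of-range branch is reachable with a non-numeric field as well, since OUString::toInt32() yields 0 and nStartCol - 1 can then be negative. The four blocks differ only in the variable and the limit, so a small clamp-and-warn helper would shorten this and the sibling site in the same function.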
commit aaf15aa464ab3e587b4445637f27aa7b5f48f105
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Sep 18 15:40:16 2017 +0100

    ofz#3412 SYLK import: check ;X;Y;C;R col/row validity early
    
    Change-Id: I91fcd2571e528201e01467f3bcdbbff30cdfb50c
    Reviewed-on: https://gerrit.libreoffice.org/42426
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Eike Rathke <erack at redhat.com>
    (cherry picked from commit 51854f5432de42bcc1154469edb5395328870613)

diff --git a/sc/source/ui/docshell/impex.cxx b/sc/source/ui/docshell/impex.cxx
index 0f0db15d30dc..004ed8106507 100644
--- a/sc/source/ui/docshell/impex.cxx
+++ b/sc/source/ui/docshell/impex.cxx
@@ -1897,9 +1897,19 @@ bool ScImportExport::Sylk2Doc( SvStream& rStrm )
                     {
                         case 'X':
                             nCol = static_cast<SCCOL>(OUString(p).toInt32()) + nStartCol - 1;
+                            if (nCol < 0 || MAXCOL < nCol)
+                            {
+                                SAL_WARN("sc.ui","ScImportExport::Sylk2Doc - ;X invalid nCol=" << nCol);
+                                nCol = std::max<SCCOL>( 0, std::min<SCCOL>( nCol, MAXCOL));
+                            }
                             break;
                         case 'Y':
                             nRow = OUString(p).toInt32() + nStartRow - 1;
+                            if (nRow < 0 || MAXROW < nRow)
+                            {
+                                SAL_WARN("sc.ui","ScImportExport::Sylk2Doc - ;Y invalid nRow=" << nRow);
+                                nRow = std::max<SCROW>( 0, std::min<SCROW>( nRow, MAXROW));
+                            }
                             break;
                         case 'P' :
                             if ( bData )
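Review bot: This is the same clamp pattern as the ;X/;Y/;C/;R block in the other switch of Sylk2Doc, here for ;X and ;Y only, and the same reservations apply: an out-of-range value is silently retargeted to 0 or the maximum and the warning is debug-only. A shared helper used by both sites would keep them from drifting apart.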
commit fbd741df28aec4f90313d813192d255692668294
Author: Michael Stahl <mstahl at redhat.com>
Date:   Fri Sep 15 13:51:04 2017 +0200

    ofz#3301 sw: DeleteAndJoin found yet another way to delete new redline
    
    Not only can that happen in CompressRedlines(), it can also happen
    in the SwComparePosition::Outside case when the DeleteRedline()
    decides in particular circumstances to split up the inserted
    new redline.
    
    Arguably it's wrong to split up the new redline in this case;
    not sure if that ever happens in a legitimate use case though.
    
    Avoid this by removing the hack to temporarily insert the new redline
    and instead create a temporary SwUnoCursor that will be corrected
    on behalf of the new redline, while the new redline is parked on a
    safe node.
    
    This not only avoids the crash on this file but also makes the
    "corrupted redline table" assertions go away.
    
    Change-Id: I478f4cfc53a19d2cf2f0937f631962f80b1815ff
    Reviewed-on: https://gerrit.libreoffice.org/42408
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit a562be54f3127f4e22a3a38e62db2b38d48499f3)

diff --git a/sw/source/core/doc/DocumentRedlineManager.cxx b/sw/source/core/doc/DocumentRedlineManager.cxx
index f3009808a234..a9fcfb984091 100644
--- a/sw/source/core/doc/DocumentRedlineManager.cxx
+++ b/sw/source/core/doc/DocumentRedlineManager.cxx
@@ -27,6 +27,7 @@
 #include <docary.hxx>
 #include <ndtxt.hxx>
 #include <comcore.hrc>
+#include <unocrsr.hxx>
 #include <swmodule.hxx>
 #include <editsh.hxx>
 #include <vcl/layout.hxx>
@@ -575,6 +576,32 @@ namespace
             }
         }
     }
+
+    /// in case some text is deleted, ensure that the not-yet-inserted
+    /// SwRangeRedline has its positions corrected not to point to deleted node
+    class TemporaryRedlineUpdater
+    {
+    private:
+        SwRangeRedline & m_rRedline;
+        std::shared_ptr<SwUnoCursor> m_pCursor;
+    public:
+        TemporaryRedlineUpdater(SwDoc & rDoc, SwRangeRedline & rRedline)
+            : m_rRedline(rRedline)
+            , m_pCursor(rDoc.CreateUnoCursor(*rRedline.GetPoint(), false))
+        {
+            if (m_rRedline.HasMark())
+            {
+                m_pCursor->SetMark();
+                *m_pCursor->GetMark() = *m_rRedline.GetMark();
+                *m_rRedline.GetMark() = SwPosition(rDoc.GetNodes().GetEndOfContent());
+            }
+            *m_rRedline.GetPoint() = SwPosition(rDoc.GetNodes().GetEndOfContent());
+        }
+        ~TemporaryRedlineUpdater()
+        {
+            static_cast<SwPaM&>(m_rRedline) = *m_pCursor;
+        }
+    };
 }
 
 namespace sw
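Review bot: TemporaryRedlineUpdater writes back into m_rRedline from its destructor, so it should be non-copyable (delete the copy constructor and copy assignment) to rule out two instances restoring the same redline; the `const u(...)` usage at the call sites makes that a one-line change. It is also worth a comment that parking the positions at GetEndOfContent() relies on that node never being joined or deleted during DeleteAndJoin, since that is the property the whole approach depends on.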
@@ -1223,19 +1250,11 @@ bool DocumentRedlineManager::AppendRedline( SwRangeRedline* pNewRedl, bool bCall
                             {
                                 mpRedlineTable->Remove( n );
                                 bDec = true;
-                                // We insert temporarily so that pNew is
-                                // also dealt with when moving the indices.
                                 if( bCallDelete )
                                 {
-                                    ::comphelper::FlagGuard g(m_isForbidCompressRedlines);
-                                    mpRedlineTable->Insert( pNewRedl );
+                                    TemporaryRedlineUpdater const u(m_rDoc, *pNewRedl);
                                     m_rDoc.getIDocumentContentOperations().DeleteAndJoin( *pRedl );
-                                    if( !mpRedlineTable->Remove( pNewRedl ) )
-                                    {
-                                        assert(false); // can't happen
-                                        pNewRedl = nullptr;
-                                    }
-                                    bCompress = true; // delayed compress
+                                    n = 0;      // re-initialize
                                 }
                                 delete pRedl;
                             }
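Review bot: `n = 0; // re-initialize` is new in this hunk while the two following hunks already had it, so the three call sites now behave alike; but it sits inside `if( bCallDelete )`, and with `mpRedlineTable->Remove( n )` plus `bDec = true` on the non-delete path, confirm the index bookkeeping is still right when bCallDelete is false. The removed `assert(false); pNewRedl = nullptr;` branch was the only place this block could null pNewRedl, so nothing after `delete pRedl` should rely on that any more.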
@@ -1257,17 +1276,8 @@ bool DocumentRedlineManager::AppendRedline( SwRangeRedline* pNewRedl, bool bCall
 
                                 if( bCallDelete )
                                 {
-                                    // We insert temporarily so that pNew is
-                                    // also dealt with when moving the indices.
-                                    ::comphelper::FlagGuard g(m_isForbidCompressRedlines);
-                                    mpRedlineTable->Insert( pNewRedl );
+                                    TemporaryRedlineUpdater const u(m_rDoc, *pNewRedl);
                                     m_rDoc.getIDocumentContentOperations().DeleteAndJoin( aPam );
-                                    if( !mpRedlineTable->Remove( pNewRedl ) )
-                                    {
-                                        assert(false); // can't happen
-                                        pNewRedl = nullptr;
-                                    }
-                                    bCompress = true; // delayed compress
                                     n = 0;      // re-initialize
                                 }
                                 bDec = true;
@@ -1288,17 +1298,8 @@ bool DocumentRedlineManager::AppendRedline( SwRangeRedline* pNewRedl, bool bCall
 
                                 if( bCallDelete )
                                 {
-                                    // We insert temporarily so that pNew is
-                                    // also dealt with when moving the indices.
-                                    ::comphelper::FlagGuard g(m_isForbidCompressRedlines);
-                                    mpRedlineTable->Insert( pNewRedl );
+                                    TemporaryRedlineUpdater const u(m_rDoc, *pNewRedl);
                                     m_rDoc.getIDocumentContentOperations().DeleteAndJoin( aPam );
-                                    if( !mpRedlineTable->Remove( pNewRedl ) )
-                                    {
-                                        assert(false); // can't happen
-                                        pNewRedl = nullptr;
-                                    }
-                                    bCompress = true; // delayed compress
                                     n = 0;      // re-initialize
                                     bDec = true;
                                 }
@@ -1793,11 +1794,6 @@ bool DocumentRedlineManager::AppendTableCellRedline( SwTableCellRedline* pNewRed
 
 void DocumentRedlineManager::CompressRedlines()
 {
-    if (m_isForbidCompressRedlines)
-    {
-        return;
-    }
-
     CHECK_REDLINE( *this )
 
     void (SwRangeRedline::*pFnc)(sal_uInt16, size_t) = nullptr;
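Review bot: Removing the m_isForbidCompressRedlines early return is safe only because the header hunk deletes the member, so any remaining writer would fail to compile; with the guard gone CHECK_REDLINE( *this ) runs on every call again, which is what makes the "corrupted redline table" assertions mentioned in the commit message meaningful.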
diff --git a/sw/source/core/inc/DocumentRedlineManager.hxx b/sw/source/core/inc/DocumentRedlineManager.hxx
index 999cbd7137ce..bdcd45c5fc67 100644
--- a/sw/source/core/inc/DocumentRedlineManager.hxx
+++ b/sw/source/core/inc/DocumentRedlineManager.hxx
@@ -137,7 +137,6 @@ private:
     sal_uInt16 mnAutoFormatRedlnCommentNo;  /**< SeqNo for conjoining of AutoFormat-Redlines.
                                          by the UI. Managed by SwAutoFormat! */
     css::uno::Sequence <sal_Int8 > maRedlinePasswd;
-    bool m_isForbidCompressRedlines = false;
 };
 
 }
commit fb6328b2149d066847fdd65034c5612ca2c0d1da
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Tue Sep 5 13:06:20 2017 +0100

    Resolves: tdf#112180: avoid crash with specific ttf
    
    Change-Id: I8cde147279173bffec0c991eb7676f5d4641138d
    Reviewed-on: https://gerrit.libreoffice.org/41935
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit f263692de96ac68e73eeb953b7e92a18d149f30e)
    Reviewed-on: https://gerrit.libreoffice.org/42507
    (cherry picked from commit 70f8b4b9b0330b9150c5d6c3f066834f20023578)

diff --git a/vcl/win/gdi/salfont.cxx b/vcl/win/gdi/salfont.cxx
index 4d3d5d561a34..32fb4a79e21a 100644
--- a/vcl/win/gdi/salfont.cxx
+++ b/vcl/win/gdi/salfont.cxx
@@ -90,9 +90,9 @@ RawFontData::RawFontData( HDC hDC, DWORD nTableTag )
 {
     // get required size in bytes
     mnByteCount = ::GetFontData( hDC, nTableTag, 0, nullptr, 0 );
-    if( mnByteCount == GDI_ERROR )
-        return;
-    else if( !mnByteCount )
+    if (mnByteCount == GDI_ERROR)
+        mnByteCount = 0;
+    if (!mnByteCount)
         return;
 
     // allocate the array
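Review bot: Folding GDI_ERROR into mnByteCount = 0 means the failure is now indistinguishable from an empty table for anyone reading mnByteCount later, which is the safe direction (previously the object was left holding GDI_ERROR, a very large value, after the early return). A one-line comment saying the error case is deliberately mapped to "no data" would stop a future reader from "fixing" it back.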
commit 32b5f2405656dcc20486627fad6d591471dbc7c2
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Sep 22 09:37:43 2017 +0100

    ofz#3457 Unknown Read
    
    similar to
    
    commit 35bac83ed2b5d48233c653cc7dc4eab5c234f7ac
    Date:   Mon Aug 7 19:24:37 2017 +0100
    
        ofz#2877: crash in SVTB16Short
    
    Change-Id: Idc2ca89647a5e17484effaca49afce349b98f0a3
    Reviewed-on: https://gerrit.libreoffice.org/42624
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit 46882bb61b1381dd257cd96a255ed71f7af03166)

diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 6cd9a086924d..39939948d129 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -3537,8 +3537,7 @@ const sal_uInt8* WW8PLCFx_SEPX::HasSprm( sal_uInt16 nId, sal_uInt8 n2nd ) const
         return nullptr;
 
     sal_uInt8* pSp = pSprms;
-
-    sal_uInt16 i=0;
+    size_t i = 0;
     while (i + maSprmParser.MinSprmLen() <= nSprmSiz)
     {
         // Sprm found?
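Review bot: The widening from sal_uInt16 to size_t is the actual fix: with a 16-bit i, advancing past the last sprm could wrap back below nSprmSiz, so `i + maSprmParser.MinSprmLen() <= nSprmSiz` stayed true and pSp was read beyond the buffer. That deserves a sentence in the commit message, since "Unknown Read" plus a two-line type change does not make the wraparound obvious.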
commit 61f02f71447634be87a3580090a838073b4f6ead
Author: Szymon Kłos <szymon.klos at collabora.com>
Date:   Wed Oct 4 20:53:27 2017 +0200

    tdf#112634 avoid crash
    
    Change-Id: If4b8b24908eecc8267d7b74810f5afe4b1f79e4d
    Reviewed-on: https://gerrit.libreoffice.org/43139
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Szymon Kłos <szymon.klos at collabora.com>
    (cherry picked from commit 75a881829f19439245cdb859fc16d59461992f79)
    Reviewed-on: https://gerrit.libreoffice.org/43153
    Reviewed-by: Andras Timar <andras.timar at collabora.com>
    Tested-by: Andras Timar <andras.timar at collabora.com>

diff --git a/sw/source/uibase/dbui/dbtree.cxx b/sw/source/uibase/dbui/dbtree.cxx
index 0b2712510793..7280c210ca0a 100644
--- a/sw/source/uibase/dbui/dbtree.cxx
+++ b/sw/source/uibase/dbui/dbtree.cxx
@@ -190,7 +190,11 @@ void SwDBTreeList::InitTreeList()
     for(long i = 0; i < nCount; i++)
     {
         OUString sDBName(pDBNames[i]);
-        InsertEntry(sDBName, aImg, aImg, nullptr, true);
+        Reference<XConnection> xConnection = pImpl->GetConnection(sDBName);
+        if (xConnection.is())
+        {
+            InsertEntry(sDBName, aImg, aImg, nullptr, true);
+        }
     }
     OUString sDBName(sDefDBName.getToken(0, DB_DELIM));
     OUString sTableName(sDefDBName.getToken(1, DB_DELIM));
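Review bot: pImpl->GetConnection(sDBName) is now called for every registered data source just to decide whether to list it, and the returned xConnection is used only for the .is() test; if obtaining a connection is expensive or has side effects (not visible in this hunk), a cheaper existence check would be preferable. The commit message says only "avoid crash", so a comment explaining why an unconnectable data source must be hidden from the tree would help the next reader.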
commit 35a9e9ad4f9be3f04287bab8553ce6bebd5ce213
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Oct 2 09:24:19 2017 +0100

    ofz#3527 ofz#3532 Invalid read of size 8
    
    use numrule name to look up numrule instead of cached numrule pointer
    
    in case it was deleted on failure to apply the numrule over an invalid range
    
    Invalid read of size 8
       at 0x1E875132: rtl::OUString::OUString(rtl::OUString const&) (ustring.hxx:143)
       by 0x1EB33D93: SwWW8ImplReader::StartAnl(unsigned char const*) (ww8par2.cxx:1094)
       by 0x1EB33003: SwWW8ImplReader::Read_ANLevelNo(unsigned short, unsigned char const*, short) (ww8par2.cxx:910)
       by 0x1EBA375D: SwWW8ImplReader::ImportSprm(unsigned char const*, int, unsigned short) (ww8par6.cxx:6337)
       by 0x1EAEEA24: SwWW8ImplReader::ReadTextAttr(int&, long, bool&) (ww8par.cxx:3810)
       by 0x1EAEF15A: SwWW8ImplReader::ReadAttrs(int&, int&, long, bool&) (ww8par.cxx:3921)
       by 0x1EAEF6E0: SwWW8ImplReader::ReadText(int, int, ManTypes) (ww8par.cxx:4003)
       by 0x1EAF6DCE: SwWW8ImplReader::CoreLoad(WW8Glossary const*) (ww8par.cxx:5219)
     Address 0x31831158 is 200 bytes inside a block of size 248 free'd
       at 0x4C2F21A: operator delete(void*) (vg_replace_malloc.c:576)
       by 0x253BC1B5: SwDoc::DelNumRule(rtl::OUString const&, bool) (docnum.cxx:1033)
       by 0x25CB943D: SwFltControlStack::SetAttrInDoc(SwPosition const&, SwFltStackEntry&) (fltshell.cxx:609)
       by 0x1EAE5011: SwWW8FltControlStack::SetAttrInDoc(SwPosition const&, SwFltStackEntry&) (ww8par.cxx:1445)
       by 0x25CB8A9E: SwFltControlStack::SetAttr(SwPosition const&, unsigned short, bool, long, bool) (fltshell.cxx:457)
       by 0x1EAE420E: SwWW8FltControlStack::SetAttr(SwPosition const&, unsigned short, bool, long, bool) (ww8par.cxx:1185)
       by 0x1EAE5C12: SwWW8ImplReader::Read_Tab(unsigned short, unsigned char const*, short) (ww8par.cxx:1625)
       by 0x1EBA35F0: SwWW8ImplReader::EndSprm(unsigned short) (ww8par6.cxx:6321)
       by 0x1EAEEA44: SwWW8ImplReader::ReadTextAttr(int&, long, bool&) (ww8par.cxx:3813)
       by 0x1EAEF15A: SwWW8ImplReader::ReadAttrs(int&, int&, long, bool&) (ww8par.cxx:3921)
       by 0x1EAEF6E0: SwWW8ImplReader::ReadText(int, int, ManTypes) (ww8par.cxx:4003)
       by 0x1EAF6DCE: SwWW8ImplReader::CoreLoad(WW8Glossary const*) (ww8par.cxx:5219)
    
    Change-Id: Ia7ab67e42fc7a162d8089722e77841285f72a671
    Reviewed-on: https://gerrit.libreoffice.org/43030
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit 8580472270972733cda7fa6ecf23db73359d30bb)

diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index ffded52c2025..614794bdcf90 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -973,11 +973,10 @@ struct ApoTestResults
 
 struct ANLDRuleMap
 {
-    SwNumRule* mpOutlineNumRule;    // WinWord 6 numbering, variant 1
-    SwNumRule* mpNumberingNumRule;  // WinWord 6 numbering, variant 2
-    SwNumRule* GetNumRule(sal_uInt8 nNumType);
+    OUString msOutlineNumRule;    // WinWord 6 numbering, variant 1
+    OUString msNumberingNumRule;  // WinWord 6 numbering, variant 2
+    SwNumRule* GetNumRule(SwDoc& rDoc, sal_uInt8 nNumType);
     void SetNumRule(SwNumRule*, sal_uInt8 nNumType);
-    ANLDRuleMap() : mpOutlineNumRule(nullptr), mpNumberingNumRule(nullptr) {}
 };
 
 struct SprmReadInfo;
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 5d5d0c464f9a..f7e77500eee5 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -1018,17 +1018,21 @@ WW8LvlType GetNumType(sal_uInt8 nWwLevelNo)
     return nRet;
 }
 
-SwNumRule *ANLDRuleMap::GetNumRule(sal_uInt8 nNumType)
+SwNumRule *ANLDRuleMap::GetNumRule(SwDoc& rDoc, sal_uInt8 nNumType)
 {
-    return (WW8_Numbering == nNumType ? mpNumberingNumRule : mpOutlineNumRule);
+    const OUString& rNumRule = WW8_Numbering == nNumType ? msNumberingNumRule : msOutlineNumRule;
+    if (rNumRule.isEmpty())
+        return nullptr;
+    return rDoc.FindNumRulePtr(rNumRule);
 }
 
 void ANLDRuleMap::SetNumRule(SwNumRule *pRule, sal_uInt8 nNumType)
 {
+    OUString sNumRule = pRule ? pRule->GetName() : OUString();
     if (WW8_Numbering == nNumType)
-        mpNumberingNumRule = pRule;
+        msNumberingNumRule = sNumRule;
     else
-        mpOutlineNumRule = pRule;
+        msOutlineNumRule = sNumRule;
 }
 
 // StartAnl is called at the beginning of a row area that contains
@@ -1042,7 +1046,7 @@ void SwWW8ImplReader::StartAnl(const sal_uInt8* pSprm13)
         return;
 
     m_nWwNumType = nT;
-    SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_nWwNumType);
+    SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_rDoc, m_nWwNumType);
 
     // check for COL numbering:
     const sal_uInt8* pS12 = nullptr;// sprmAnld
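Review bot: GetNumRule() can now return nullptr (empty name, or the rule deleted since SetNumRule stored it), and the later hunks guard the uses in NextAnlLine, but the uses of pNumRule in StartAnl after this line are outside the hunk; confirm each of them is null-checked as well, otherwise this call site only relocates the crash.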
@@ -1110,7 +1114,7 @@ void SwWW8ImplReader::NextAnlLine(const sal_uInt8* pSprm13)
     if (!m_bAnl)
         return;
 
-    SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_nWwNumType);
+    SwNumRule *pNumRule = m_aANLDRules.GetNumRule(m_rDoc, m_nWwNumType);
 
     // pNd->UpdateNum ohne Regelwerk gibt GPF spaetestens beim Speichern als
     // sdw3
@@ -1119,7 +1123,7 @@ void SwWW8ImplReader::NextAnlLine(const sal_uInt8* pSprm13)
     if (*pSprm13 == 10 || *pSprm13 == 11)
     {
         m_nSwNumLevel = 0;
-        if (!pNumRule->GetNumFormat(m_nSwNumLevel))
+        if (pNumRule && !pNumRule->GetNumFormat(m_nSwNumLevel))
         {
             // not defined yet
             // sprmAnld o. 0
@@ -1131,7 +1135,7 @@ void SwWW8ImplReader::NextAnlLine(const sal_uInt8* pSprm13)
     {
         m_nSwNumLevel = *pSprm13 - 1;             // outline
         // undefined
-        if (!pNumRule->GetNumFormat(m_nSwNumLevel))
+        if (pNumRule && !pNumRule->GetNumFormat(m_nSwNumLevel))
         {
             if (m_pNumOlst)                       // there was a OLST
             {
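Review bot: With `pNumRule && !pNumRule->GetNumFormat(...)`, a null rule skips the "not defined yet" setup entirely instead of creating the missing format, so the paragraph continues with no numbering rule; any later dereference of pNumRule in the rest of NextAnlLine (not visible here) still needs its own guard, and an early return when pNumRule is null would be simpler to reason about than guarding each branch separately.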
@@ -1184,7 +1188,7 @@ void SwWW8ImplReader::StopAnlToRestart(sal_uInt8 nNewType, bool bGoBack)
     else
         m_pCtrlStck->SetAttr(*m_pPaM->GetPoint(), RES_FLTR_NUMRULE);
 
-    m_aANLDRules.mpNumberingNumRule = nullptr;
+    m_aANLDRules.msNumberingNumRule.clear();
     /*
      #i18816#
      my take on this problem is that moving either way from an outline to a
@@ -1194,7 +1198,7 @@ void SwWW8ImplReader::StopAnlToRestart(sal_uInt8 nNewType, bool bGoBack)
         (((m_nWwNumType == WW8_Outline) && (nNewType == WW8_Numbering)) ||
         ((m_nWwNumType == WW8_Numbering) && (nNewType == WW8_Outline)));
     if (!bNumberingNotStopOutline)
-        m_aANLDRules.mpOutlineNumRule = nullptr;
+        m_aANLDRules.msOutlineNumRule.clear();
 
     m_nSwNumLevel = 0xff;
     m_nWwNumType = WW8_None;
commit be42013c883e8f9e68fa95f4befd182f2956492b
Author: Aron Budea <aron.budea at collabora.com>
Date:   Tue Oct 31 13:15:34 2017 +0100

    tdf#113548: another case of crash in GrabFocus during dispose
    
    Change-Id: I70776b80f70985a122e28854177c6d0c43839d65
    Reviewed-on: https://gerrit.libreoffice.org/44113
    Reviewed-by: Aron Budea <aron.budea at collabora.com>
    Tested-by: Aron Budea <aron.budea at collabora.com>
    (cherry picked from commit a83a0345e493b928b0b0b93bf106ddb71df69893)
    Reviewed-on: https://gerrit.libreoffice.org/44136
    Reviewed-by: Andras Timar <andras.timar at collabora.com>
    Tested-by: Andras Timar <andras.timar at collabora.com>

diff --git a/sw/source/uibase/docvw/srcedtw.cxx b/sw/source/uibase/docvw/srcedtw.cxx
index 1e7da99e0b69..3aa380234d7f 100644
--- a/sw/source/uibase/docvw/srcedtw.cxx
+++ b/sw/source/uibase/docvw/srcedtw.cxx
@@ -794,7 +794,8 @@ void SwSrcEditWindow::HandleWheelCommand( const CommandEvent& rCEvt )
 
 void SwSrcEditWindow::GetFocus()
 {
-    m_pOutWin->GrabFocus();
+    if (m_pOutWin)
+        m_pOutWin->GrabFocus();
 }
 
 static bool lcl_GetLanguagesForEncoding(rtl_TextEncoding eEnc, LanguageType aLanguages[])
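Review bot: The guard handles the dispose-time call, but when m_pOutWin is already gone the focus request is dropped entirely; if the edit window itself can still take focus at that point, falling through to the base class GetFocus() would be the usual pattern. Whether that is wanted is not visible here, so a comment stating that focus is intentionally ignored during dispose would help.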
commit 1907dee4ac82c7ca7109fd9915ff04ab8f681816
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Oct 16 14:23:22 2017 +0100

    ofz: returning SfxPoolItem belonging to local
    
    Change-Id: Ib9760efb1231ef057dfd62d06095c15e3bf73a87
    Reviewed-on: https://gerrit.libreoffice.org/43426
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
    (cherry picked from commit a2ca21fada002b895202abd2cbb4997b112627f8)

diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx
index fcd6b63238b1..c7b117db9ebb 100644
--- a/sw/source/filter/ww8/ww8par.cxx
+++ b/sw/source/filter/ww8/ww8par.cxx
@@ -1558,9 +1558,9 @@ const SfxPoolItem* SwWW8FltControlStack::GetFormatAttr(const SwPosition& rPos,
             if (pNd->IsTextNode())
             {
                 const sal_Int32 nPos = rPos.nContent.GetIndex();
-                SfxItemSet aSet(pDoc->GetAttrPool(), nWhich, nWhich);
-                if (pNd->GetTextNode()->GetAttr(aSet, nPos, nPos))
-                    pItem = aSet.GetItem(nWhich);
+                m_xScratchSet.reset(new SfxItemSet(pDoc->GetAttrPool(), nWhich, nWhich));
+                if (pNd->GetTextNode()->GetAttr(*m_xScratchSet, nPos, nPos))
+                    pItem = m_xScratchSet->GetItem(nWhich);
             }
 
             if (!pItem)
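Review bot: Replacing the stack-local SfxItemSet with the m_xScratchSet member fixes the dangling return, but it changes the lifetime contract: the returned pItem is now valid only until the next GetFormatAttr() call resets m_xScratchSet, so callers must not cache it across calls. That constraint deserves a comment next to the member declaration added in the header hunk.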
diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index e117ee980422..ffded52c2025 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -357,6 +357,7 @@ class SwWW8FltControlStack : public SwFltControlStack
 {
 private:
     SwWW8ImplReader& rReader;
+    std::unique_ptr<SfxItemSet> m_xScratchSet;
     sal_uInt16 nToggleAttrFlags;
     sal_uInt16 nToggleBiDiAttrFlags;
     SwWW8FltControlStack(const SwWW8FltControlStack&) = delete;
commit 4a2f0a981c537415107b81415f8312a06705dabd
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Tue Oct 24 11:28:47 2017 +0100

    ofz#3759 check for valid starting dash index
    
    Change-Id: I09e117e14eda2565c9b25d407cc4328d4f2ee97a
    Reviewed-on: https://gerrit.libreoffice.org/43802
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit 2851316853b6c9106d9dc89a8ea4c3ca42eab01e)

diff --git a/filter/source/graphicfilter/idxf/dxftblrd.cxx b/filter/source/graphicfilter/idxf/dxftblrd.cxx
index 1d2f8b483428..a7b968de6db3 100644
--- a/filter/source/graphicfilter/idxf/dxftblrd.cxx
+++ b/filter/source/graphicfilter/idxf/dxftblrd.cxx
@@ -68,9 +68,14 @@ void DXFLType::Read(DXFGroupReader & rDGR)
                 rDGR.SetError();
                 return;
             }
-            if (nDashIndex<nDashCount)
+            if (nDashIndex < nDashCount)
             {
-                fDash[nDashIndex++]=rDGR.GetF();
+                if (nDashIndex < 0)
+                {
+                    rDGR.SetError();
+                    return;
+                }
+                fDash[nDashIndex++] = rDGR.GetF();
             }
             break;
         }
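Review bot: The nDashIndex < 0 check is nested inside `if (nDashIndex < nDashCount)`, so a negative index is rejected only on the write path; validating nDashIndex where it is assigned, or folding both bounds into one condition such as `if (nDashIndex < 0 || nDashIndex >= nDashCount)` with SetError() as the single failure path, would be clearer. Also, `nDashIndex < nDashCount` only bounds the write if nDashCount itself was validated against the size of fDash, which is outside this hunk.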
commit d8de13a34bcf934841dc042aa9d8968567f465e3
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Nov 6 09:55:42 2017 +0000

    ofz#4076 bad palette READ
    
    Change-Id: I54943d96baa6e2309bbf2cd3b6d8bcada2b76952
    Reviewed-on: https://gerrit.libreoffice.org/44353
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    (cherry picked from commit 4428c662765464e7f461101887f0141fde4ba4ef)

diff --git a/vcl/source/gdi/pngread.cxx b/vcl/source/gdi/pngread.cxx
index 6ea5a613d840..6bf4e7fedc65 100644
--- a/vcl/source/gdi/pngread.cxx
+++ b/vcl/source/gdi/pngread.cxx
@@ -125,6 +125,7 @@ private:
     bool                mbGrayScale : 1;
     bool                mbzCodecInUse : 1;
     bool                mbStatus : 1;
+    bool                mbIDATStarted : 1;  // true if IDAT seen
     bool                mbIDAT : 1;         // true if finished with enough IDAT chunks
     bool                mbGamma : 1;        // true if Gamma Correction available
     bool                mbpHYs : 1;         // true if physical size of pixel available
@@ -205,6 +206,7 @@ PNGReaderImpl::PNGReaderImpl( SvStream& rPNGStream )
     mbGrayScale( false ),
     mbzCodecInUse   ( false ),
     mbStatus( true ),
+    mbIDATStarted( false ),
     mbIDAT( false ),
     mbGamma             ( false ),
     mbpHYs              ( false ),
@@ -363,7 +365,7 @@ BitmapEx PNGReaderImpl::GetBitmapEx( const Size& rPreviewSizeHint )
 
             case PNGCHUNK_PLTE :
             {
-                if ( !mbPalette )
+                if (!mbPalette && !mbIDATStarted)
                     mbStatus = ImplReadPalette();
             }
             break;
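Review bot: a PLTE chunk that arrives after the first IDAT is now silently skipped rather than treated as a malformed stream; PNG requires PLTE to precede IDAT, so consider setting `mbStatus = false` in that branch (or at least logging it) so a hostile file is rejected instead of being decoded with whatever palette state it reached. Ignoring the chunk closes the bad read, but rejecting the file is the stricter and cheaper outcome.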
@@ -482,7 +484,7 @@ bool PNGReaderImpl::ImplReadHeader( const Size& rPreviewSizeHint )
     }
 
     mbPalette = true;
-    mbIDAT = mbAlphaChannel = mbTransparent = false;
+    mbIDATStarted = mbIDAT = mbAlphaChannel = mbTransparent = false;
     mbGrayScale = mbRGBTriple = false;
     mnTargetDepth = mnPngDepth;
     sal_uInt64 nScansize64 = ( ( static_cast< sal_uInt64 >( maOrigSize.Width() ) * mnPngDepth ) + 7 ) >> 3;
@@ -886,6 +888,8 @@ void PNGReaderImpl::ImplReadIDAT()
 {
     if( mnChunkLen > 0 )
     {
+        mbIDATStarted = true;
+
         if ( !mbzCodecInUse )
         {
             mbzCodecInUse = true;
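Review bot: `mbIDATStarted = true;` sits inside `if( mnChunkLen > 0 )`, so a zero-length IDAT chunk does not mark image data as started and a PLTE following it is still read by the `!mbIDATStarted` branch in the PLTE case. Move the assignment above the length check so that any IDAT chunk, empty or not, closes the palette window.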
commit 3c3c38fa0150ec6c56f0de3bae7c97864ec62c30
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Tue Nov 7 09:13:06 2017 +0000

    ofz#4066 Bad-cast
    
    and a cluster of others around here. This pRedl has been deleted at this point.
    
    This doesn't matter for most users, seeing as !LibreOfficeKit::isActive() is
    the usual case so the deleted pRedl isn't fully accessed.
    
    Because the deleted pRedl won't be found in GetRedlineTable when deleted,
    rework this a little to avoid the problem.
    
    Reviewed-on: https://gerrit.libreoffice.org/44392
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Jenkins <ci at libreoffice.org>
    (cherry picked from commit f0074dd8c6e0040d7f331ba4a42ea6193c0eac99)
    
    Change-Id: I5c2f405cdae0b0c804ee7452629a14206516962d

diff --git a/sw/inc/redline.hxx b/sw/inc/redline.hxx
index f31be5704738..dae29e6e7e7f 100644
--- a/sw/inc/redline.hxx
+++ b/sw/inc/redline.hxx
@@ -271,9 +271,10 @@ public:
 
     bool operator<( const SwRangeRedline& ) const;
     void dumpAsXml(struct _xmlTextWriter* pWriter) const;
-    void MaybeNotifyModification();
 };
 
+SW_DLLPUBLIC void MaybeNotifyRedlineModification(SwRangeRedline* pRedline, SwDoc* pDoc);
+
 /// Base object for 'Redlines' that are not of 'Ranged' type (like table row insert\delete)
 class SW_DLLPUBLIC SwExtraRedline
 {
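Review bot: the declaration of `MaybeNotifyRedlineModification` should carry a comment stating that `pRedline` may already be destroyed and is used only as a lookup key against the redline table, never dereferenced; that contract is the whole reason for turning the member function into a free function, and a maintainer reading only this header sees a plain pointer parameter and will assume it is live.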
diff --git a/sw/source/core/doc/DocumentRedlineManager.cxx b/sw/source/core/doc/DocumentRedlineManager.cxx
index f2d51192759d..f3009808a234 100644
--- a/sw/source/core/doc/DocumentRedlineManager.cxx
+++ b/sw/source/core/doc/DocumentRedlineManager.cxx
@@ -1216,7 +1216,7 @@ bool DocumentRedlineManager::AppendRedline( SwRangeRedline* pNewRedl, bool bCall
                             delete pNewRedl;
                             pNewRedl = nullptr;
                             if (eCmpPos == POS_INSIDE)
-                                pRedl->MaybeNotifyModification();
+                                MaybeNotifyRedlineModification(pRedl, &m_rDoc);
                             break;
 
                         case POS_OUTSIDE:
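Review bot: handing the already deleted `pRedl` to `MaybeNotifyRedlineModification(pRedl, &m_rDoc)` is only as safe as the callee's address comparison; using the value of a pointer to freed storage is implementation-defined in C++, and the table lookup can match a freshly allocated SwRangeRedline that reuses the same address, which would emit a Modify notification for an unrelated redline. If `pRedl` is known to be gone at this point, decide on the notification (or record the table index) before the deletion rather than looking the stale pointer up afterwards.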
diff --git a/sw/source/core/doc/docredln.cxx b/sw/source/core/doc/docredln.cxx
index 9a4f4a583cb2..d30ebdb1cf1f 100644
--- a/sw/source/core/doc/docredln.cxx
+++ b/sw/source/core/doc/docredln.cxx
@@ -1043,17 +1043,17 @@ SwRangeRedline::~SwRangeRedline()
     delete pRedlineData;
 }
 
-void SwRangeRedline::MaybeNotifyModification()
+void MaybeNotifyRedlineModification(SwRangeRedline* pRedline, SwDoc* pDoc)
 {
     if (!comphelper::LibreOfficeKit::isActive())
         return;
 
-    const SwRedlineTable& rRedTable = GetDoc()->getIDocumentRedlineAccess().GetRedlineTable();
+    const SwRedlineTable& rRedTable = pDoc->getIDocumentRedlineAccess().GetRedlineTable();
     for (SwRedlineTable::size_type i = 0; i < rRedTable.size(); ++i)
     {
-        if (rRedTable[i] == this)
+        if (rRedTable[i] == pRedline)
         {
-            SwRedlineTable::LOKRedlineNotification(RedlineNotification::Modify, this);
+            SwRedlineTable::LOKRedlineNotification(RedlineNotification::Modify, pRedline);
             break;
         }
     }
@@ -1064,7 +1064,7 @@ void SwRangeRedline::SetStart( const SwPosition& rPos, SwPosition* pSttPtr )
     if( !pSttPtr ) pSttPtr = Start();
     *pSttPtr = rPos;
 
-    MaybeNotifyModification();
+    MaybeNotifyRedlineModification(this, GetDoc());
 }
 
 void SwRangeRedline::SetEnd( const SwPosition& rPos, SwPosition* pEndPtr )
@@ -1072,7 +1072,7 @@ void SwRangeRedline::SetEnd( const SwPosition& rPos, SwPosition* pEndPtr )
     if( !pEndPtr ) pEndPtr = End();
     *pEndPtr = rPos;
 
-    MaybeNotifyModification();
+    MaybeNotifyRedlineModification(this, GetDoc());
 }
 
 /// Do we have a valid Selection?
diff --git a/sw/source/uibase/shells/textfld.cxx b/sw/source/uibase/shells/textfld.cxx
index 79863dd95dd9..59ab6bc819ed 100644
--- a/sw/source/uibase/shells/textfld.cxx
+++ b/sw/source/uibase/shells/textfld.cxx
@@ -542,7 +542,7 @@ void SwTextShell::ExecField(SfxRequest &rReq)
                     {
                         rSh.SetRedlineComment(sCommentText);
                         GetView().AttrChangedNotify(GetShellPtr());
-                        const_cast<SwRangeRedline*>(pRedline)->MaybeNotifyModification();
+                        MaybeNotifyRedlineModification(const_cast<SwRangeRedline*>(pRedline), pRedline->GetDoc());
                         break;
                     }
 
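Review bot: the `const_cast<SwRangeRedline*>` survives only because `MaybeNotifyRedlineModification` takes a non-const pointer; the function merely compares `pRedline` against table entries and forwards it to `LOKRedlineNotification`, so declaring the parameter `const SwRangeRedline*` (provided `LOKRedlineNotification` accepts a const pointer) would let this call drop the cast.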
commit eb151c19b9023e8ff794944ff75b9540d8200acf
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Wed Nov 8 17:05:59 2017 +0000

    ofz: bad mnRangeOpPosInSymbol
    
    Change-Id: Ieae5a81a1b475fd56cce76c43dab11c2d9fcbe6c
    Reviewed-on: https://gerrit.libreoffice.org/44499
    Reviewed-by: Eike Rathke <erack at redhat.com>
    Tested-by: Jenkins <ci at libreoffice.org>
    (cherry picked from commit f17640a95b4c65809f8573c778a293c836a847cd)

diff --git a/sc/source/core/tool/compiler.cxx b/sc/source/core/tool/compiler.cxx
index ff7484633e99..77760218215a 100644
--- a/sc/source/core/tool/compiler.cxx
+++ b/sc/source/core/tool/compiler.cxx
@@ -2678,6 +2678,8 @@ Label_MaskStateMachine:
         {
             SetError( FormulaError::StringOverflow );
             nLen = MAXSTRLEN-1;
+            if (mnRangeOpPosInSymbol > nLen)
+                mnRangeOpPosInSymbol = -1;
         }
         lcl_UnicodeStrNCpy( cSymbol, aSymbol.getStr(), nLen );
         pSym = &cSymbol[nLen];
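Review bot: the reset uses `mnRangeOpPosInSymbol > nLen`, so a range-operator position equal to `nLen` survives the clamp and indexes `cSymbol[nLen]`, the slot where `pSym` lands after `lcl_UnicodeStrNCpy` (the terminator, not symbol text). Please confirm that consumers of mnRangeOpPosInSymbol tolerate an index one past the copied text; otherwise `>=` is the safer bound.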
commit 59c4c3983c923a528b87dac27fccffdb9f46d741
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Sun Nov 12 21:16:42 2017 +0000

    ofz+valgrind: Conditional jump or move depends on uninitialised value
    
    if, before lcl_UnicodeStrNCpy is called, aSymbol contains embedded
    nulls then the aSymbol.getLength() and the mnRangeOpPosInSymbol value
    derived from an earlier aSymbol.getLength() include the range after
    the embedded null, while lcl_UnicodeStrNCpy stops at the first
    embedded null, leaving cSymbol with uninitialized values that
    are later read from it.
    
    Conditional jump or move depends on uninitialised value(s)
       at 0x23BFBCA0: ScCompiler::IsReference(rtl::OUString const&, rtl::OUString const*) (compiler.cxx:3275)
       by 0x23BFFF4C: ScCompiler::NextNewToken(bool) (compiler.cxx:4248)
       by 0x23C00D20: ScCompiler::CompileString(rtl::OUString const&) (compiler.cxx:4419)
       by 0x23A29FAF: ScFormulaCell::Compile(rtl::OUString const&, bool, formula::FormulaGrammar::Grammar) (formulacell.cxx:1118)
       by 0x23A278B7: ScFormulaCell::ScFormulaCell(ScDocument*, ScAddress const&, rtl::OUString const&, formula::FormulaGrammar::Grammar, ScMatrixMode) (formulacell.cxx:656)
       by 0x23772EC3: ScColumn::ParseString(ScCellValue&, int, short, rtl::OUString const&, formula::FormulaGrammar::AddressConvention, ScSetStringParam const*) (column3.cxx:1729)
       by 0x2377354B: ScColumn::SetString(int, short, rtl::OUString const&, formula::FormulaGrammar::AddressConvention, ScSetStringParam*) (column3.cxx:1851)
       by 0x23AE2B97: ScTable::SetString(short, int, short, rtl::OUString const&, ScSetStringParam*) (table2.cxx:1369)
       by 0x23897045: ScDocument::SetString(short, int, short, rtl::OUString const&, ScSetStringParam*) (document.cxx:3377)
       by 0x1F35F41C: ScEEImport::WriteToDocument(bool, double, SvNumberFormatter*, bool) (eeimpars.cxx:400)
       by 0x1F366F3B: ScFormatFilterPluginImpl::ScImportRTF(SvStream&, rtl::OUString const&, ScDocument*, ScRange&) (rtfimp.cxx:34)
    
    Change-Id: Iefc6be6c3a383bd9b3cdeaa896c07e24e5100dc7
    Reviewed-on: https://gerrit.libreoffice.org/44658
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Eike Rathke <erack at redhat.com>
    (cherry picked from commit 6be596c282f84a3cb3a62edccfdfbf69663cf59e)
    Reviewed-on: https://gerrit.libreoffice.org/44690
    (cherry picked from commit 8959754d2617dad38968ca008791e6431afcbdbd)

diff --git a/sc/source/core/tool/compiler.cxx b/sc/source/core/tool/compiler.cxx
index 27ed3631eb9a..ff7484633e99 100644
--- a/sc/source/core/tool/compiler.cxx
+++ b/sc/source/core/tool/compiler.cxx

... etc. - the rest is truncated

