[Libreoffice-commits] core.git: 2 commits - sw/source vcl/source

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Fri May 31 13:12:57 UTC 2019 

 sw/source/filter/html/swhtml.cxx |    3 ++-
 vcl/source/fontsubset/cff.cxx    |    5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)

New commits:
commit 6340986298afe94400f1d7b0afca2a45f2f0aa86
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Fri May 31 12:26:21 2019 +0100
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Fri May 31 15:12:01 2019 +0200

    ofz#15045 configuration unavailable during fuzzing
    
    Change-Id: I5bc3175a7cced2429b2ce8a43cbba07e32155d72
    Reviewed-on: https://gerrit.libreoffice.org/73254
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/sw/source/filter/html/swhtml.cxx b/sw/source/filter/html/swhtml.cxx
index a55206287bbb..5eb5d6b437b1 100644
--- a/sw/source/filter/html/swhtml.cxx
+++ b/sw/source/filter/html/swhtml.cxx
@@ -42,6 +42,7 @@
 #include <svtools/htmltokn.h>
 #include <svtools/htmlkywd.hxx>
 #include <svtools/ctrltool.hxx>
+#include <unotools/configmgr.hxx>
 #include <unotools/pathoptions.hxx>
 #include <vcl/svapp.hxx>
 #include <vcl/wrkwin.hxx>
@@ -314,7 +315,7 @@ SwHTMLParser::SwHTMLParser( SwDoc* pD, SwPaM& rCursor, SvStream& rIn,
     m_pTempViewFrame(nullptr)
 {
     // If requested explicitly, then force ignoring of comments (don't create postits for them).
-    if (officecfg::Office::Writer::Filter::Import::HTML::IgnoreComments::get())
+    if (!utl::ConfigManager::IsFuzzing() && officecfg::Office::Writer::Filter::Import::HTML::IgnoreComments::get())
         m_bIgnoreHTMLComments = true;
 
     m_nEventId = nullptr;
commit 0733e658463c8f78b104b218955d115707baf20f
Author:     Stephan Bergmann <sbergman at redhat.com>
AuthorDate: Fri May 31 12:05:51 2019 +0200
Commit:     Stephan Bergmann <sbergman at redhat.com>
CommitDate: Fri May 31 15:11:59 2019 +0200

    Fix -fsanitize=shift-exponent
    
    ...as seen with `--convert-to pdf cdr/fdo55522-1.cdr` with cdr/fdo55522-1.cdr as
    obtained by bin/get-bugzilla-attachments-by-mimetype (i.e., the attachment at
    <https://bugs.documentfoundation.org/show_bug.cgi?id=55522#c0>):
    
    > vcl/source/fontsubset/cff.cxx:737:35: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int'
    >  #0 in CffSubsetterContext::convertOneTypeOp() at vcl/source/fontsubset/cff.cxx:737:35 (instdir/program/libvcllo.so +0x9489ce3)
    >  #1 in CffSubsetterContext::convert2Type1Ops(CffLocal*, unsigned char const*, int, unsigned char*) at vcl/source/fontsubset/cff.cxx:1117:9 (instdir/program/libvcllo.so +0x94970d3)
    >  #2 in CffSubsetterContext::emitAsType1(Type1Emitter&, unsigned short const*, unsigned char const*, int*, int, FontSubsetInfo&) at vcl/source/fontsubset/cff.cxx:1969:28 (instdir/program/libvcllo.so +0x94a9ec8)
    [...]
    
    If any of these "overflow" bits of nHintMask should have been set by the
    preceding for loop, mbIgnoreHints would have been set and this for loop wouldn't
    be reached.
    
    Change-Id: I0fd6de10610b52300e081770e9df1078e7ee5f92
    Reviewed-on: https://gerrit.libreoffice.org/73247
    Tested-by: Jenkins
    Reviewed-by: Stephan Bergmann <sbergman at redhat.com>

diff --git a/vcl/source/fontsubset/cff.cxx b/vcl/source/fontsubset/cff.cxx
index d9abcca4ef45..17112310ece0 100644
--- a/vcl/source/fontsubset/cff.cxx
+++ b/vcl/source/fontsubset/cff.cxx
@@ -713,6 +713,7 @@ void CffSubsetterContext::convertOneTypeOp()
         int nCntrBits[2] = {0,0};
         U8 nMaskBit = 0;
         U8 nMaskByte = 0;
+        int const MASK_BITS = 8*sizeof(nHintMask);
         for( i = 0; i < mnHintSize; i+=2, nMaskBit>>=1) {
             if( !nMaskBit) {
                 nMaskByte = *(mpReadPtr++);
@@ -720,7 +721,7 @@ void CffSubsetterContext::convertOneTypeOp()
             }
             if( !(nMaskByte & nMaskBit))
                 continue;
-            if( i >= 8*int(sizeof(nHintMask)))
+            if( i >= MASK_BITS)
                 mbIgnoreHints = true;
             if( mbIgnoreHints)
                 continue;
@@ -734,7 +735,7 @@ void CffSubsetterContext::convertOneTypeOp()
             break;
 
         for( i = 0; i < mnHintSize; i+=2) {
-            if( !(nHintMask & (1U << i)))
+            if(i >= MASK_BITS || !(nHintMask & (1U << i)))
                 continue;
             writeType1Val( mnHintStack[i]);
             writeType1Val( mnHintStack[i+1] - mnHintStack[i]);

More information about the Libreoffice-commits mailing list