[ooo-build-commit] Branch 'ooo-build-3-1-1' - patches/dev300

Radek Doulík rodo at kemper.freedesktop.org
Tue Oct 20 03:41:14 PDT 2009 

 patches/dev300/apply                                    |    1 
 patches/dev300/sd-ppt-fix-document-summary-reading.diff |   29 ++++++++++++++++
 2 files changed, 30 insertions(+)

New commits:
commit 20a333aff78d6eb721375a5b7830f394afadda06
Author: Radek Doulik <rodo at novell.com>
Date:   Tue Oct 20 12:30:59 2009 +0200

    fix problem in ppt reading causing crash or memory saturation
    
    * patches/dev300/apply:
    * patches/dev300/sd-ppt-fix-document-summary-reading.diff:

diff --git a/patches/dev300/apply b/patches/dev300/apply
index b311fc6..8ee7d77 100644
--- a/patches/dev300/apply
+++ b/patches/dev300/apply
@@ -3472,3 +3472,4 @@ emf+-driver-string.diff, n#519715, rodo
 [ Fixes ]
 sd-print-fix-pageoffset.diff, n#537931, rodo
 svx-ppt-import-fix-bullet-size.diff, n#515972, rodo
+sd-ppt-fix-document-summary-reading.diff, n#546758, rodo
diff --git a/patches/dev300/sd-ppt-fix-document-summary-reading.diff b/patches/dev300/sd-ppt-fix-document-summary-reading.diff
new file mode 100644
index 0000000..928d473
--- /dev/null
+++ b/patches/dev300/sd-ppt-fix-document-summary-reading.diff
@@ -0,0 +1,29 @@
+--- ../ooo310-m19-orig/sd/source/filter/ppt/propread.cxx	2009-10-20 12:13:06.000000000 +0200
++++ sd/source/filter/ppt/propread.cxx	2009-10-20 12:04:46.000000000 +0200
+@@ -471,11 +471,13 @@ void Section::Read( SvStorageStream *pSt
+ 						nPropSize += ( nTemp + 4 );
+ 					break;
+ 
+-					case VT_LPWSTR :
++				    case VT_LPWSTR : {
+ 						*pStrm >> nTemp;
+-						nPropSize += ( nTemp << 1 ) + 4;
++						// looks like these are aligned to 4 bytes
++						sal_uInt32 nLength = nPropOfs + nSecOfs + nPropSize + ( nTemp << 1 ) + 4;
++						nPropSize += ( nTemp << 1 ) + 4 + (nLength % 4);
+ 					break;
+-
++				    }
+ 					case VT_BLOB_OBJECT :
+ 					case VT_BLOB :
+ 					case VT_CF :
+@@ -504,6 +506,9 @@ void Section::Read( SvStorageStream *pSt
+ 			if ( nPropSize )
+ 			{
+ 				pStrm->Seek( nPropOfs + nSecOfs );
++				// make sure we don't overflow the section size
++				if( nPropSize > nSecSize - nSecOfs )
++				    nPropSize = nSecSize - nSecOfs;
+ 				sal_uInt8* pBuf = new sal_uInt8[ nPropSize ];
+ 				pStrm->Read( pBuf, nPropSize );
+ 				AddProperty( nPropId, pBuf, nPropSize );

More information about the ooo-build-commit mailing list