[ooo-build-commit] patches/dev300

Radek Doulík rodo at kemper.freedesktop.org
Tue Oct 20 03:43:51 PDT 2009 

 patches/dev300/apply                                    |    1 
 patches/dev300/sd-ppt-fix-document-summary-reading.diff |   29 ++++++++++++++++
 2 files changed, 30 insertions(+)

New commits:
commit 5e919afd97564cd77646ffdb1f4e8e0b488cfd00
Author: Radek Doulik <rodo at novell.com>
Date:   Tue Oct 20 12:30:59 2009 +0200

    fix problem in ppt reading causing crash or memory saturation
    
    * patches/dev300/apply:
    * patches/dev300/sd-ppt-fix-document-summary-reading.diff:

diff --git a/patches/dev300/apply b/patches/dev300/apply
index ff71f10..9b527f8 100644
--- a/patches/dev300/apply
+++ b/patches/dev300/apply
@@ -3396,3 +3396,4 @@ sw-no-macro-recorder-in-ui.diff, fridrich
 xmlhelp-build-without-java.diff, rodo
 filter-fix-build-FCFGMerge.cfg.diff, rodo
 store-crash-fix.diff, thorsten
+sd-ppt-fix-document-summary-reading.diff, n#546758, rodo
diff --git a/patches/dev300/sd-ppt-fix-document-summary-reading.diff b/patches/dev300/sd-ppt-fix-document-summary-reading.diff
new file mode 100644
index 0000000..928d473
--- /dev/null
+++ b/patches/dev300/sd-ppt-fix-document-summary-reading.diff
@@ -0,0 +1,29 @@
+--- ../ooo310-m19-orig/sd/source/filter/ppt/propread.cxx	2009-10-20 12:13:06.000000000 +0200
++++ sd/source/filter/ppt/propread.cxx	2009-10-20 12:04:46.000000000 +0200
+@@ -471,11 +471,13 @@ void Section::Read( SvStorageStream *pSt
+ 						nPropSize += ( nTemp + 4 );
+ 					break;
+ 
+-					case VT_LPWSTR :
++				    case VT_LPWSTR : {
+ 						*pStrm >> nTemp;
+-						nPropSize += ( nTemp << 1 ) + 4;
++						// looks like these are aligned to 4 bytes
++						sal_uInt32 nLength = nPropOfs + nSecOfs + nPropSize + ( nTemp << 1 ) + 4;
++						nPropSize += ( nTemp << 1 ) + 4 + (nLength % 4);
+ 					break;
+-
++				    }
+ 					case VT_BLOB_OBJECT :
+ 					case VT_BLOB :
+ 					case VT_CF :
+@@ -504,6 +506,9 @@ void Section::Read( SvStorageStream *pSt
+ 			if ( nPropSize )
+ 			{
+ 				pStrm->Seek( nPropOfs + nSecOfs );
++				// make sure we don't overflow the section size
++				if( nPropSize > nSecSize - nSecOfs )
++				    nPropSize = nSecSize - nSecOfs;
+ 				sal_uInt8* pBuf = new sal_uInt8[ nPropSize ];
+ 				pStrm->Read( pBuf, nPropSize );
+ 				AddProperty( nPropId, pBuf, nPropSize );

More information about the ooo-build-commit mailing list