[ooo-build-commit] .: Branch 'ooo-build-3-2-1' - patches/dev300
Petr Mladek
pmladek at kemper.freedesktop.org
Tue Aug 24 03:10:04 PDT 2010
patches/dev300/SA40775.diff | 204 ++++++++++++++++++++++++++++++++++++++++++++
patches/dev300/apply | 5 -
2 files changed, 208 insertions(+), 1 deletion(-)
New commits:
commit bdf40e5ad1dda3b3b2dd60d3fdafffaf0be817b8
Author: Petr Mladek <pmladek at walk.suse.cz>
Date: Tue Aug 24 11:44:48 2010 +0200
fix two impress vulnerabilities (CVE-2010-2935, CVE-2010-2936, rh#622529)
* patches/dev300/SA40775.diff: fix an integer truncation error leading to a
heap-based buffer overflow when processing dictionary and string property
items of the input *.ppt file (CVE-2010-2935); fix a short integer overflow
of the polygon point count, leading to a heap-based buffer overflow, when
processing a *.ppt document whose polygons have too many points
(CVE-2010-2936); found by Charlie Miller; Secunia Advisory SA40775
* patches/dev300/apply: add the above diff
diff --git a/patches/dev300/SA40775.diff b/patches/dev300/SA40775.diff
new file mode 100644
index 0000000..dbed40a
--- /dev/null
+++ b/patches/dev300/SA40775.diff
@@ -0,0 +1,204 @@
+diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
+--- sd/source/filter/ppt/propread.cxx Fri Aug 06 14:53:07 2010 +0200
++++ sd/source/filter/ppt/propread.cxx Mon Aug 09 14:04:21 2010 +0200
+@@ -29,6 +29,7 @@
+ #include "precompiled_sd.hxx"
+ #include <propread.hxx>
+ #include <tools/bigint.hxx>
++#include "tools/debug.hxx"
+ #include "rtl/tencinfo.h"
+ #include "rtl/textenc.h"
+
+@@ -90,6 +91,17 @@
+
+ // -----------------------------------------------------------------------
+
++static xub_StrLen lcl_getMaxSafeStrLen(sal_uInt32 nSize)
++{
++ nSize -= 1; //Drop NULL terminator
++
++ //If it won't fit in a string, clip it to the max size that does
++ if (nSize > STRING_MAXLEN)
++ nSize = STRING_MAXLEN;
++
++ return nSize;
++}
++
+ BOOL PropItem::Read( String& rString, sal_uInt32 nStringType, sal_Bool bAlign )
+ {
+ sal_uInt32 i, nItemSize, nType, nItemPos;
+@@ -108,36 +120,43 @@
+ {
+ case VT_LPSTR :
+ {
+- if ( (sal_uInt16)nItemSize )
++ if ( nItemSize )
+ {
+- sal_Char* pString = new sal_Char[ (sal_uInt16)nItemSize ];
+- if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
++ try
+ {
+- nItemSize >>= 1;
+- if ( (sal_uInt16)nItemSize > 1 )
++ sal_Char* pString = new sal_Char[ nItemSize ];
++ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
+ {
+- sal_Unicode* pWString = (sal_Unicode*)pString;
+- for ( i = 0; i < (sal_uInt16)nItemSize; i++ )
+- *this >> pWString[ i ];
+- rString = String( pWString, (sal_uInt16)nItemSize - 1 );
+- }
+- else
+- rString = String();
+- bRetValue = sal_True;
+- }
+- else
+- {
+- SvMemoryStream::Read( pString, (sal_uInt16)nItemSize );
+- if ( pString[ (sal_uInt16)nItemSize - 1 ] == 0 )
+- {
+- if ( (sal_uInt16)nItemSize > 1 )
+- rString = String( ByteString( pString ), mnTextEnc );
++ nItemSize >>= 1;
++ if ( nItemSize > 1 )
++ {
++ sal_Unicode* pWString = (sal_Unicode*)pString;
++ for ( i = 0; i < nItemSize; i++ )
++ *this >> pWString[ i ];
++ rString = String( pWString, lcl_getMaxSafeStrLen(nItemSize) );
++ }
+ else
+ rString = String();
+ bRetValue = sal_True;
+ }
++ else
++ {
++ SvMemoryStream::Read( pString, nItemSize );
++ if ( pString[ nItemSize - 1 ] == 0 )
++ {
++ if ( nItemSize > 1 )
++ rString = String( ByteString( pString ), mnTextEnc );
++ else
++ rString = String();
++ bRetValue = sal_True;
++ }
++ }
++ delete[] pString;
+ }
+- delete[] pString;
++ catch( const std::bad_alloc& )
++ {
++ DBG_ERROR( "sd PropItem::Read bad alloc" );
++ }
+ }
+ if ( bAlign )
+ SeekRel( ( 4 - ( nItemSize & 3 ) ) & 3 ); // dword align
+@@ -148,18 +167,25 @@
+ {
+ if ( nItemSize )
+ {
+- sal_Unicode* pString = new sal_Unicode[ (sal_uInt16)nItemSize ];
+- for ( i = 0; i < (sal_uInt16)nItemSize; i++ )
+- *this >> pString[ i ];
+- if ( pString[ i - 1 ] == 0 )
++ try
+ {
+- if ( (sal_uInt16)nItemSize > 1 )
+- rString = String( pString, (sal_uInt16)nItemSize - 1 );
+- else
+- rString = String();
+- bRetValue = sal_True;
++ sal_Unicode* pString = new sal_Unicode[ nItemSize ];
++ for ( i = 0; i < nItemSize; i++ )
++ *this >> pString[ i ];
++ if ( pString[ i - 1 ] == 0 )
++ {
++ if ( (sal_uInt16)nItemSize > 1 )
++ rString = String( pString, lcl_getMaxSafeStrLen(nItemSize) );
++ else
++ rString = String();
++ bRetValue = sal_True;
++ }
++ delete[] pString;
+ }
+- delete[] pString;
++ catch( const std::bad_alloc& )
++ {
++ DBG_ERROR( "sd PropItem::Read bad alloc" );
++ }
+ }
+ if ( bAlign && ( nItemSize & 1 ) )
+ SeekRel( 2 ); // dword align
+@@ -349,24 +375,31 @@
+ for ( sal_uInt32 i = 0; i < nDictCount; i++ )
+ {
+ aStream >> nId >> nSize;
+- if ( (sal_uInt16)nSize )
++ if ( nSize )
+ {
+ String aString;
+ nPos = aStream.Tell();
+- sal_Char* pString = new sal_Char[ (sal_uInt16)nSize ];
+- aStream.Read( pString, (sal_uInt16)nSize );
+- if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
++ try
+ {
+- nSize >>= 1;
+- aStream.Seek( nPos );
+- sal_Unicode* pWString = (sal_Unicode*)pString;
+- for ( i = 0; i < (sal_uInt16)nSize; i++ )
+- aStream >> pWString[ i ];
+- aString = String( pWString, (sal_uInt16)nSize - 1 );
++ sal_Char* pString = new sal_Char[ nSize ];
++ aStream.Read( pString, nSize );
++ if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
++ {
++ nSize >>= 1;
++ aStream.Seek( nPos );
++ sal_Unicode* pWString = (sal_Unicode*)pString;
++ for ( i = 0; i < nSize; i++ )
++ aStream >> pWString[ i ];
++ aString = String( pWString, lcl_getMaxSafeStrLen(nSize) );
++ }
++ else
++ aString = String( ByteString( pString, lcl_getMaxSafeStrLen(nSize) ), mnTextEnc );
++ delete[] pString;
+ }
+- else
+- aString = String( ByteString( pString, (sal_uInt16)nSize - 1 ), mnTextEnc );
+- delete[] pString;
++ catch( const std::bad_alloc& )
++ {
++ DBG_ERROR( "sd Section::GetDictionary bad alloc" );
++ }
+ if ( !aString.Len() )
+ break;
+ aDict.AddProperty( nId, aString );
+@@ -502,6 +502,11 @@
+ }
+ if ( nPropSize )
+ {
++ if ( nPropSize > nStrmSize )
++ {
++ nPropCount = 0;
++ break;
++ }
+ pStrm->Seek( nPropOfs + nSecOfs );
+ // make sure we don't overflow the section size
+ if( nPropSize > nSecSize - nSecOfs )
+diff -r 5b1ceed28385 tools/source/generic/poly.cxx
+--- tools/source/generic/poly.cxx Fri Aug 06 14:53:07 2010 +0200
++++ tools/source/generic/poly.cxx Mon Aug 09 14:04:21 2010 +0200
+@@ -243,6 +243,11 @@
+ void ImplPolygon::ImplSplit( USHORT nPos, USHORT nSpace, ImplPolygon* pInitPoly )
+ {
+ const ULONG nSpaceSize = nSpace * sizeof( Point );
++
++ //Can't fit this in :-(, throw ?
++ if (mnPoints + nSpace > USHRT_MAX)
++ return;
++
+ const USHORT nNewSize = mnPoints + nSpace;
+
+ if( nPos >= mnPoints )
+
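Review bot: The new lcl_getMaxSafeStrLen helper still underflows when handed 0, and Section::GetDictionary can hand it 0: for a dictionary entry with nSize == 1 in the UCS2 branch, `nSize >>= 1` yields 0, the helper's `nSize -= 1` wraps to 0xFFFFFFFF and is clipped to STRING_MAXLEN, so the one-byte buffer just allocated is passed to the String constructor with a far larger length (and if STRING_MAXLEN coincides with the STRING_LEN sentinel in this tree, the constructor would instead scan for a terminator that is not there). The PropItem::Read callers guard with `nItemSize > 1` before calling the helper, but GetDictionary does not, so I would make the helper itself safe with `if (nSize <= 1) return 0;` as its first statement, which leaves every other result unchanged. The VT_LPWSTR path also still tests `(sal_uInt16)nItemSize > 1` while the allocation and loop now use the full 32-bit nItemSize, so an item of 0x10001 units is read in full but then reported as an empty string; that leftover cast should go as well. PropItem::Read, Section::GetDictionary and ImplPolygon::ImplSplit all begin and end outside the quoted hunks.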
diff --git a/patches/dev300/apply b/patches/dev300/apply
index ccf5c7c..ede62d2 100644
--- a/patches/dev300/apply
+++ b/patches/dev300/apply
@@ -19,7 +19,7 @@ Common : PreprocessPatches, BuildBits, TemporaryHacks, FixesNotForUpstream, \
PopupRemoval, LinkWarningDlg, InternalCairo, Lockdown, \
FedoraCommonFixes, InternalMesaHeaders, LayoutDialogs, Fuzz, \
CalcRowLimit, Gcc44, Gcc45, BuildFix, WriterDocComparison, \
- OptionalIconThemes, Toolbars, MySQL, BorderTypes
+ OptionalIconThemes, Toolbars, MySQL, BorderTypes, Security
LinuxCommon : Common, Defaults, TangoIcons, FontConfigTemporaryHacks, \
FedoraLinuxOnlyFixes, LinuxOnly, SystemBits, \
@@ -4098,6 +4098,9 @@ emf+-canvas-vcl-clear.diff, rodo
[ OpenGLTransitions ]
transogl-transitions-newsflash-pptin.diff
+[ Security ]
+SA40775.diff
+
[ CalcExperimental ]
SectionOwner => kohei