[libreoffice] 01/01: add 1:3.5.4+dfsg2-0+deb7u5 (wheezy-security) changes
This is an automated email from the git hooks/post-receive script.
rene pushed a commit to branch debian-wheezy-3.5
in repository libreoffice.
commit 46c7529905b9c535facaf56739ed7de9eb599f10
Author: Rene Engelhard <rene@debian.org>
Date: Thu Nov 5 21:34:14 2015 +0100
add 1:3.5.4+dfsg2-0+deb7u5 (wheezy-security) changes
---
changelog | 16 ++
patches/LinkUpdateMode-is-a-global-setting.diff | 288 ++++++++++++++++++++++++
patches/coverity-1266485.diff | 115 ++++++++++
patches/pStatus-vector-offsets.diff | 82 +++++++
patches/series | 4 +
patches/ww8dontwrap.diff | 35 +++
6 files changed, 540 insertions(+)
diff --git a/changelog b/changelog
index c3d69e4..c83e04f 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,19 @@
+libreoffice (1:3.5.4+dfsg2-0+deb7u5) wheezy-security; urgency=high
+
+ * debian/patches/CVE-2015-4551.diff: backport fix for Arbritary
+ file disclosure vulnerabbility (CVE-2014-4551)
+ * debian/patches/ww8dontwrap.diff: fix 'LibreOffice "Piece Table Counter"
+ Invalid Check Design Error Vulnerability' (CVE-2015-5213)
+ * debian/patches/coverity-1266485.diff: fix 'LibreOffice "PrinterSetup
+ Length" Integer Underflow Vulnerability' (CVE-2015-5212)
+
+ (thanks to Björn Michaelsen for preparing the patches)
+
+ * debian/patches/pStatus-vector-offsets.diff: fix 'LibreOffice Bookmark
+ Status Memory Corruption Vulnerability' (CVE-2015-5214)
+
+ -- Rene Engelhard <rene@debian.org> Fri, 28 Aug 2015 17:24:42 +0200
+
libreoffice (1:3.5.4+dfsg2-0+deb7u4) wheezy-security; urgency=high
* debian/patches/CVE-2015-1774-hwpreader-check-reads.patch: fix
diff --git a/patches/LinkUpdateMode-is-a-global-setting.diff b/patches/LinkUpdateMode-is-a-global-setting.diff
new file mode 100644
index 0000000..6ff75c9
--- /dev/null
+++ b/patches/LinkUpdateMode-is-a-global-setting.diff
@@ -0,0 +1,288 @@
+commit 35d4fb9cfc3d2ff8145f28fadfeef1c782ae8483
+Author: Stephan Bergmann <sbergman@redhat.com>
+Date: Tue Jul 7 12:08:01 2015 +0200
+
+ LinkUpdateMode is a global setting
+
+ (cherry picked from commit 77cc71476bae2b3655102e2c29d36af40a393201)
+ Conflicts:
+ sw/source/core/doc/DocumentLinksAdministrationManager.cxx
+ sw/source/filter/xml/xmlimp.cxx
+
+ Reviewed-on: https://gerrit.libreoffice.org/16424
+ Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
+ Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
+ Tested-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>
+
+ Change-Id: Ida1257337c6e0916f2228fe053d9c9f085183af6
+
+diff --git a/sc/source/filter/xml/xmlimprt.cxx b/sc/source/filter/xml/xmlimprt.cxx
+index 166cef9..7227f82 100644
+--- a/sc/source/filter/xml/xmlimprt.cxx
++++ b/sc/source/filter/xml/xmlimprt.cxx
+@@ -2278,6 +2278,10 @@ void ScXMLImport::SetConfigurationSettings(const uno::Sequence<beans::PropertyVa
+ rtl::OUString sCTName(RTL_CONSTASCII_USTRINGPARAM("TrackedChangesProtectionKey"));
+ rtl::OUString sVBName(RTL_CONSTASCII_USTRINGPARAM("VBACompatibilityMode"));
+ rtl::OUString sSCName(RTL_CONSTASCII_USTRINGPARAM("ScriptConfiguration"));
++ rtl::OUString sLUName(RTL_CONSTASCII_USTRINGPARAM("LinkUpdateMode"));
++ com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> aFilteredProps(
++ aConfigProps.getLength());
++ sal_Int32 nFilteredPropsLen = 0;
+ for (sal_Int32 i = nCount - 1; i >= 0; --i)
+ {
+ if (aConfigProps[i].Name == sCTName)
+@@ -2312,11 +2316,16 @@ void ScXMLImport::SetConfigurationSettings(const uno::Sequence<beans::PropertyVa
+ xImportInfo->setPropertyValue( aConfigProps[i].Name, aConfigProps[i].Value );
+ }
+ }
++ if (aConfigProps[i].Name != sLUName)
++ {
++ aFilteredProps[nFilteredPropsLen++] = aConfigProps[i];
++ }
+ }
++ aFilteredProps.realloc(nFilteredPropsLen);
+ uno::Reference <uno::XInterface> xInterface = xMultiServiceFactory->createInstance(rtl::OUString(RTL_CONSTASCII_USTRINGPARAM("com.sun.star.comp.SpreadsheetSettings")));
+ uno::Reference <beans::XPropertySet> xProperties(xInterface, uno::UNO_QUERY);
+ if (xProperties.is())
+- SvXMLUnitConverter::convertPropertySet(xProperties, aConfigProps);
++ SvXMLUnitConverter::convertPropertySet(xProperties, aFilteredProps);
+ }
+ }
+ }
+diff --git a/sc/source/ui/docshell/docsh4.cxx b/sc/source/ui/docshell/docsh4.cxx
+index 93d5c42..7332ed2 100644
+--- a/sc/source/ui/docshell/docsh4.cxx
++++ b/sc/source/ui/docshell/docsh4.cxx
+@@ -118,6 +118,7 @@ using namespace ::com::sun::star;
+ #include "sharedocdlg.hxx"
+ #include "conditio.hxx"
+ #include "sheetevents.hxx"
++#include "unotools/securityoptions.hxx"
+
+ //------------------------------------------------------------------
+
+@@ -447,11 +448,21 @@ void ScDocShell::Execute( SfxRequest& rReq )
+
+ if (nCanUpdate == com::sun::star::document::UpdateDocMode::NO_UPDATE)
+ nSet = LM_NEVER;
+- else if (nCanUpdate == com::sun::star::document::UpdateDocMode::QUIET_UPDATE &&
+- nSet == LM_ON_DEMAND)
+- nSet = LM_NEVER;
+ else if (nCanUpdate == com::sun::star::document::UpdateDocMode::FULL_UPDATE)
+ nSet = LM_ALWAYS;
++ if (nSet == LM_ALWAYS
++ && !(SvtSecurityOptions()
++ .isTrustedLocationUriForUpdatingLinks(
++ rtl::OUString(GetMedium() == nullptr
++ ? String() : GetMedium()->GetName()))))
++ {
++ nSet = LM_ON_DEMAND;
++ }
++ if (nCanUpdate == com::sun::star::document::UpdateDocMode::QUIET_UPDATE
++ && nSet == LM_ON_DEMAND)
++ {
++ nSet = LM_NEVER;
++ }
+
+ if(nSet==LM_ON_DEMAND)
+ {
+diff --git a/sw/source/core/doc/docnew.cxx b/sw/source/core/doc/docnew.cxx
+index cdf5def..e40671b 100644
+--- a/sw/source/core/doc/docnew.cxx
++++ b/sw/source/core/doc/docnew.cxx
+@@ -114,6 +114,7 @@
+
+ #include <sfx2/Metadatable.hxx>
+ #include <fmtmeta.hxx> // MetaFieldManager
++#include <unotools/securityoptions.hxx>
+
+ using namespace ::com::sun::star;
+ using namespace ::com::sun::star::document;
+@@ -924,6 +925,15 @@ void SwDoc::UpdateLinks( sal_Bool bUI )
+ case document::UpdateDocMode::QUIET_UPDATE:bAskUpdate = sal_False; break;
+ case document::UpdateDocMode::FULL_UPDATE: bAskUpdate = sal_True; break;
+ }
++ if (nLinkMode == AUTOMATIC && !bAskUpdate)
++ {
++ SfxMedium * medium = GetDocShell()->GetMedium();
++ if (!SvtSecurityOptions().isTrustedLocationUriForUpdatingLinks(
++ rtl::OUString(medium == nullptr ? String() : medium->GetName())))
++ {
++ bAskUpdate = true;
++ }
++ }
+ if( bUpdate && (bUI || !bAskUpdate) )
+ {
+ SfxMedium* pMedium = GetDocShell()->GetMedium();
+diff --git a/sw/source/filter/xml/xmlimp.cxx b/sw/source/filter/xml/xmlimp.cxx
+index ca700d0..36b3fa9 100644
+--- a/sw/source/filter/xml/xmlimp.cxx
++++ b/sw/source/filter/xml/xmlimp.cxx
+@@ -1126,42 +1126,42 @@ void SwXMLImport::SetConfigurationSettings(const Sequence < PropertyValue > & aC
+ if( !xInfo.is() )
+ return;
+
+- boost::unordered_set< String, StringHashRef, StringEqRef > aSet;
+- aSet.insert(String("ForbiddenCharacters", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("IsKernAsianPunctuation", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("CharacterCompressionType", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("LinkUpdateMode", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("FieldAutoUpdate", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("ChartAutoUpdate", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("AddParaTableSpacing", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("AddParaTableSpacingAtStart", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintAnnotationMode", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintBlackFonts", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintControls", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintDrawings", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintGraphics", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintLeftPages", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintPageBackground", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintProspect", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintReversed", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintRightPages", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintFaxName", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintPaperFromSetup", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintTables", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintSingleJobs", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("UpdateFromTemplate", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrinterIndependentLayout", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("PrintEmptyPages", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("SmallCapsPercentage66", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("TabOverflow", RTL_TEXTENCODING_ASCII_US));
+- aSet.insert(String("UnbreakableNumberings", RTL_TEXTENCODING_ASCII_US));
++ boost::unordered_set< String, StringHashRef, StringEqRef > aExcludeAlways;
++ aExcludeAlways.insert(String("LinkUpdateMode", RTL_TEXTENCODING_ASCII_US));
++ boost::unordered_set< String, StringHashRef, StringEqRef > aExcludeWhenNotLoadingUserSettings;
++ aExcludeWhenNotLoadingUserSettings.insert(String("ForbiddenCharacters", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("IsKernAsianPunctuation", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("CharacterCompressionType", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("FieldAutoUpdate", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("ChartAutoUpdate", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("AddParaTableSpacing", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("AddParaTableSpacingAtStart", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintAnnotationMode", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintBlackFonts", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintControls", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintDrawings", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintGraphics", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintLeftPages", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintPageBackground", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintProspect", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintReversed", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintRightPages", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintFaxName", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintPaperFromSetup", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintTables", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintSingleJobs", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("UpdateFromTemplate", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrinterIndependentLayout", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("PrintEmptyPages", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("SmallCapsPercentage66", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("TabOverflow", RTL_TEXTENCODING_ASCII_US));
++ aExcludeWhenNotLoadingUserSettings.insert(String("UnbreakableNumberings", RTL_TEXTENCODING_ASCII_US));
+
+ sal_Int32 nCount = aConfigProps.getLength();
+ const PropertyValue* pValues = aConfigProps.getConstArray();
+
+ SvtSaveOptions aSaveOpt;
+- sal_Bool bIsUserSetting = aSaveOpt.IsLoadUserSettings(),
+- bSet = bIsUserSetting;
++ sal_Bool bIsUserSetting = aSaveOpt.IsLoadUserSettings();
+
+ // for some properties we don't want to use the application
+ // default if they're missing. So we watch for them in the loop
+@@ -1198,12 +1198,12 @@ void SwXMLImport::SetConfigurationSettings(const Sequence < PropertyValue > & aC
+
+ while( nCount-- )
+ {
+- if( !bIsUserSetting )
++ bool bSet = aExcludeAlways.find(pValues->Name) == aExcludeAlways.end();
++ if( bSet && !bIsUserSetting
++ && (aExcludeWhenNotLoadingUserSettings.find(pValues->Name)
++ != aExcludeWhenNotLoadingUserSettings.end()) )
+ {
+- // test over the hash value if the entry is in the table.
+- String aStr(pValues->Name);
+-
+- bSet = aSet.find(aStr) == aSet.end();
++ bSet = false;
+ }
+
+ if( bSet )
+diff --git a/unotools/inc/unotools/securityoptions.hxx b/unotools/inc/unotools/securityoptions.hxx
+index fd1b7c7..c7b495a 100644
+--- a/unotools/inc/unotools/securityoptions.hxx
++++ b/unotools/inc/unotools/securityoptions.hxx
+@@ -192,6 +192,9 @@ class UNOTOOLS_DLLPUBLIC SvtSecurityOptions: public utl::detail::Options
+ ::com::sun::star::uno::Sequence< ::rtl::OUString > GetSecureURLs( ) const ;
+ void SetSecureURLs( const ::com::sun::star::uno::Sequence< ::rtl::OUString >& seqURLList ) ;
+
++ bool isTrustedLocationUri(rtl::OUString const & uri) const;
++ bool isTrustedLocationUriForUpdatingLinks(rtl::OUString const & uri) const;
++
+ /*-****************************************************************************************************//**
+ @short interface methods to get and set value of config key "org.openoffice.Office.Common/Security/Scripting/StarOfficeBasic"
+ @descr These value determines how StarOffice Basic scripts should be handled.
+diff --git a/unotools/source/config/securityoptions.cxx b/unotools/source/config/securityoptions.cxx
+index 71ca268..59db9b8 100644
+--- a/unotools/source/config/securityoptions.cxx
++++ b/unotools/source/config/securityoptions.cxx
+@@ -39,6 +39,7 @@
+ #include <tools/wldcrd.hxx>
+
+ #include <unotools/pathoptions.hxx>
++#include <unotools/ucbhelper.hxx>
+
+ #include <rtl/logfile.hxx>
+ #include "itemholder1.hxx"
+@@ -133,6 +134,7 @@ using namespace ::com::sun::star::uno ;
+
+ class SvtSecurityOptions_Impl : public ConfigItem
+ {
++ friend class SvtSecurityOptions;
+ //-------------------------------------------------------------------------------------------------------------
+ // public methods
+ //-------------------------------------------------------------------------------------------------------------
+@@ -189,8 +191,10 @@ class SvtSecurityOptions_Impl : public ConfigItem
+
+ Sequence< OUString > GetSecureURLs ( ) const ;
+ void SetSecureURLs ( const Sequence< OUString >& seqURLList ) ;
++
+ sal_Bool IsSecureURL ( const OUString& sURL,
+ const OUString& sReferer ) const ;
++
+ inline sal_Int32 GetMacroSecurityLevel ( ) const ;
+ void SetMacroSecurityLevel ( sal_Int32 _nLevel ) ;
+
+@@ -928,6 +932,30 @@ sal_Bool SvtSecurityOptions_Impl::IsSecureURL( const OUString& sURL ,
+ return bState;
+ }
+
++bool SvtSecurityOptions::isTrustedLocationUri(OUString const & uri) const {
++ MutexGuard g(GetInitMutex());
++ for (sal_Int32 i = 0; i != m_pDataContainer->m_seqSecureURLs.getLength();
++ ++i)
++ {
++ if (utl::UCBContentHelper::IsSubPath(
++ m_pDataContainer->m_seqSecureURLs[i], uri))
++ {
++ return true;
++ }
++ }
++ return false;
++}
++
++bool SvtSecurityOptions::isTrustedLocationUriForUpdatingLinks(
++ OUString const & uri) const
++{
++ const OUString uristart = uri.copy(0, 8);
++ return GetMacroSecurityLevel() == 0 || uri.isEmpty()
++ || uristart.equalsIgnoreAsciiCaseAsciiL("private:", 8)
++ || isTrustedLocationUri(uri);
++}
++
++
+ inline sal_Int32 SvtSecurityOptions_Impl::GetMacroSecurityLevel() const
+ {
+ return m_nSecLevel;
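Review bot: In `isTrustedLocationUriForUpdatingLinks` the line `const OUString uristart = uri.copy(0, 8);` runs before the `uri.isEmpty()` test, so a URI shorter than eight characters is passed to `copy` with a count larger than the string; that includes the empty `String()` both callers pass when the medium is null. As far as I know `OUString::copy` leaves that case undefined (it only asserts on the range), so this trust check may read past the end of the string buffer. Dropping the temporary and testing the prefix in place avoids it: `|| uri.matchIgnoreAsciiCaseAsciiL("private:", 8)`, kept after `uri.isEmpty()`. Separately, the changelog entry calls this patch `debian/patches/CVE-2015-4551.diff` and cites CVE-2014-4551, while the file added and listed in `series` is `LinkUpdateMode-is-a-global-setting.diff`; the names and CVE id should agree so the fix can be traced.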
diff --git a/patches/coverity-1266485.diff b/patches/coverity-1266485.diff
new file mode 100644
index 0000000..92aed93
--- /dev/null
+++ b/patches/coverity-1266485.diff
@@ -0,0 +1,115 @@
+From 0a1f215c8ebe76ff88f8a8e46a4956f45e96a9cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 26 Jan 2015 11:26:41 +0000
+Subject: [PATCH] coverity#1266485 Untrusted value as argument
+
+(cherry picked from commit 0934ed1a40c59c169354b177d7dab4228de66171)
+
+min legal size here is > 4
+
+(cherry picked from commit 3131205c05a3fde4ef1e3322cc48ca23c443f6d3)
+
+(cherry picked from commit 964000d415bcf491704dad57aee7e0656ea60dab)
+Reviewed-on: https://gerrit.libreoffice.org/16983
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+
+Conflicts:
+ vcl/source/gdi/jobset.cxx
+
+9f68d000b32623db4d949d13284043630f5689f4
+
+Change-Id: I7708ecaf5412535055584ed6c71beaa9cd71c10c
+DebianPatchName: coverity-1266485.diff
+---
+ vcl/source/gdi/jobset.cxx | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx
+index 14b86b2..ed27fb4 100644
+--- a/vcl/source/gdi/jobset.cxx
++++ b/vcl/source/gdi/jobset.cxx
+@@ -31,6 +31,7 @@
+ #include <tools/stream.hxx>
+ #include <rtl/alloc.h>
+ #include <vcl/jobset.hxx>
++#include <boost/scoped_array.hpp>
+
+ #include <jobset.h>
+
+@@ -277,21 +278,26 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
+ DBG_ASSERTWARNING( rIStream.GetVersion(), "JobSetup::>> - Solar-Version not set on rOStream" );
+
+ {
+- sal_Size nFirstPos = rIStream.Tell();
+-
+ sal_uInt16 nLen = 0;
+ rIStream >> nLen;
+- if ( !nLen )
++ if (nLen <= 4)
+ return rIStream;
+
+ sal_uInt16 nSystem = 0;
+ rIStream >> nSystem;
+-
+- char* pTempBuf = new char[nLen];
+- rIStream.Read( pTempBuf, nLen - sizeof( nLen ) - sizeof( nSystem ) );
+- if ( nLen >= sizeof(ImplOldJobSetupData)+4 )
++ const size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem);
++ if (nRead > rIStream.remainingSize())
++ {
++ SAL_WARN("vcl", "Parsing error: " << rIStream.remainingSize() <<
++ " max possible entries, but " << nRead << " claimed, truncating");
++ return rIStream;
++ }
++ sal_Size nFirstPos = rIStream.Tell();
++ boost::scoped_array<char> pTempBuf(new char[nRead]);
++ rIStream.Read(pTempBuf.get(), nRead);
++ if (nRead >= sizeof(ImplOldJobSetupData))
+ {
+- ImplOldJobSetupData* pData = (ImplOldJobSetupData*)pTempBuf;
++ ImplOldJobSetupData* pData = (ImplOldJobSetupData*)pTempBuf.get();
+ if ( rJobSetup.mpData )
+ {
+ if ( rJobSetup.mpData->mnRefCount == 1 )
+@@ -313,7 +319,7 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
+ if ( nSystem == JOBSET_FILE364_SYSTEM ||
+ nSystem == JOBSET_FILE605_SYSTEM )
+ {
+- Impl364JobSetupData* pOldJobData = (Impl364JobSetupData*)(pTempBuf + sizeof( ImplOldJobSetupData ));
++ Impl364JobSetupData* pOldJobData = (Impl364JobSetupData*)(pTempBuf.get() + sizeof( ImplOldJobSetupData ));
+ sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize );
+ pJobData->mnSystem = SVBT16ToShort( pOldJobData->nSystem );
+ pJobData->mnDriverDataLen = SVBT32ToUInt32( pOldJobData->nDriverDataLen );
+@@ -331,8 +337,10 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
+ }
+ if( nSystem == JOBSET_FILE605_SYSTEM )
+ {
+- rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + 4 + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
+- while( rIStream.Tell() < nFirstPos + nLen )
++// rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + 4 + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
++// while( rIStream.Tell() < nFirstPos + nLen )
++ rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen );
++ while( rIStream.Tell() < nFirstPos + nRead )
+ {
+ String aKey, aValue;
+ rIStream.ReadByteString( aKey, RTL_TEXTENCODING_UTF8 );
+@@ -351,13 +359,12 @@ SvStream& operator>>( SvStream& rIStream, JobSetup& rJobSetup )
+ else
+ pJobData->maValueMap[ aKey ] = aValue;
+ }
+- DBG_ASSERT( rIStream.Tell() == nFirstPos+nLen, "corrupted job setup" );
++ DBG_ASSERT( rIStream.Tell() == nFirstPos+nRead, "corrupted job setup" );
+ // ensure correct stream position
+- rIStream.Seek( nFirstPos + nLen );
++ rIStream.Seek( nFirstPos + nRead );
+ }
+ }
+ }
+- delete[] pTempBuf;
+ }
+
+ return rIStream;
+--
+1.9.1
+
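Review bot: The new length check only guarantees `nRead >= sizeof(ImplOldJobSetupData)`, yet for `JOBSET_FILE364_SYSTEM` / `JOBSET_FILE605_SYSTEM` the code casts `pTempBuf.get() + sizeof( ImplOldJobSetupData )` to `Impl364JobSetupData*` and reads `nSize`, `nSystem` and `nDriverDataLen` from it. No check visible in these hunks ensures the buffer also holds that second header, so a record with `nRead` between the two sizes would be read past the end of the `nRead`-byte allocation. I would guard that branch with `nRead >= sizeof(ImplOldJobSetupData) + sizeof(Impl364JobSetupData)` and also bound `mnDriverDataLen` against `nRead`, since it comes from the file and feeds the `Seek` offset; the code between the hunks is not shown, so confirm it is not already checked there. The two commented-out `Seek`/`while` lines left in the 605 branch should be removed, and the `SAL_WARN` text says "entries" where the values are byte counts.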
diff --git a/patches/pStatus-vector-offsets.diff b/patches/pStatus-vector-offsets.diff
new file mode 100644
index 0000000..8e7fcbe
--- /dev/null
+++ b/patches/pStatus-vector-offsets.diff
@@ -0,0 +1,82 @@
+From 92c3a5b80ac575e1c538894b7c1a4170093785b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Thu, 13 Aug 2015 10:58:06 +0100
+Subject: convert pStatus to vector and use at to check offsets
+
+(cherry picked from commit ea70088895ed45dc60abf18319acc1b4fa3018dd)
+
+Change-Id: I5186f6a65bb9d5ed8a0d1ab1d71f7e2c13865411
+Reviewed-on: https://gerrit.libreoffice.org/17695
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+
+diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
+index 93583c4..f243e4b 100644
+--- a/sw/source/filter/ww8/ww8scan.cxx
++++ b/sw/source/filter/ww8/ww8scan.cxx
+@@ -3972,7 +3972,7 @@ void WW8ReadSTTBF(bool bVer8, SvStream& rStrm, sal_uInt32 nStart, sal_Int32 nLen
+ }
+
+ WW8PLCFx_Book::WW8PLCFx_Book(SvStream* pTblSt, const WW8Fib& rFib)
+- : WW8PLCFx(rFib.GetFIBVersion(), false), pStatus(0), nIsEnd(0), nBookmarkId(1)
++ : WW8PLCFx(rFib.GetFIBVersion(), false), nIsEnd(0), nBookmarkId(1)
+ {
+ if( !rFib.fcPlcfbkf || !rFib.lcbPlcfbkf || !rFib.fcPlcfbkl ||
+ !rFib.lcbPlcfbkl || !rFib.fcSttbfbkmk || !rFib.lcbSttbfbkmk )
+@@ -3997,14 +3997,12 @@ WW8PLCFx_Book::WW8PLCFx_Book(SvStream* pTblSt, const WW8Fib& rFib)
+ nIMax = pBook[0]->GetIMax();
+ if( pBook[1]->GetIMax() < nIMax )
+ nIMax = pBook[1]->GetIMax();
+- pStatus = new eBookStatus[ nIMax ];
+- memset( pStatus, 0, nIMax * sizeof( eBookStatus ) );
++ aStatus.resize(nIMax);
+ }
+ }
+
+ WW8PLCFx_Book::~WW8PLCFx_Book()
+ {
+- delete[] pStatus;
+ delete pBook[1];
+ delete pBook[0];
+ }
+@@ -4122,18 +4120,20 @@ long WW8PLCFx_Book::GetLen() const
+ return nNum;
+ }
+
+-void WW8PLCFx_Book::SetStatus(sal_uInt16 nIndex, eBookStatus eStat )
++void WW8PLCFx_Book::SetStatus(sal_uInt16 nIndex, eBookStatus eStat)
+ {
+- OSL_ENSURE(nIndex < nIMax, "set status of non existing bookmark!");
+- pStatus[nIndex] = (eBookStatus)( pStatus[nIndex] | eStat );
++ SAL_WARN_IF(nIndex >= nIMax, "sw.ww8",
++ "bookmark index " << nIndex << " invalid");
++ eBookStatus eStatus = aStatus.at(nIndex);
++ aStatus[nIndex] = static_cast<eBookStatus>(eStatus | eStat);
+ }
+
+ eBookStatus WW8PLCFx_Book::GetStatus() const
+ {
+- if( !pStatus )
++ if (aStatus.empty())
+ return BOOK_NORMAL;
+ long nEndIdx = GetHandle();
+- return ( nEndIdx < nIMax ) ? pStatus[nEndIdx] : BOOK_NORMAL;
++ return ( nEndIdx < nIMax ) ? aStatus[nEndIdx] : BOOK_NORMAL;
+ }
+
+ long WW8PLCFx_Book::GetHandle() const
+diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx
+index a323b84..e9df6cb2 100644
+--- a/sw/source/filter/ww8/ww8scan.hxx
++++ b/sw/source/filter/ww8/ww8scan.hxx
+@@ -703,8 +703,8 @@ class WW8PLCFx_Book : public WW8PLCFx
+ {
+ private:
+ WW8PLCFspecial* pBook[2]; // Start and End Position
+- ::std::vector<String> aBookNames; // Name
+- eBookStatus* pStatus;
++ std::vector<String> aBookNames; // Name
++ std::vector<eBookStatus> aStatus;
+ long nIMax; // Number of Booknotes
+ sal_uInt16 nIsEnd;
+ int nBookmarkId; // counter incremented by GetUniqueBookmarkName.
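Review bot: `GetStatus()` still indexes with the unchecked `aStatus[nEndIdx]`, guarded only by `nEndIdx < nIMax` on a signed `long`, whereas `SetStatus()` was moved to the bounds-checked `aStatus.at(nIndex)`. If `GetHandle()` can return a negative value (its body is outside this hunk), the index converts to a huge unsigned offset; comparing against the vector itself closes that: `return (nEndIdx >= 0 && static_cast<size_t>(nEndIdx) < aStatus.size()) ? aStatus[nEndIdx] : BOOK_NORMAL;`. In `SetStatus()` an invalid index now throws `std::out_of_range` after the warning, so confirm that the WW8 import path catches it, or return early instead: `if (nIndex >= aStatus.size()) return;`. `aStatus.resize(nIMax)` likewise assumes `nIMax` is non-negative.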
diff --git a/patches/series b/patches/series
index 68dc4c0..6a150c7 100644
--- a/patches/series
+++ b/patches/series
@@ -54,3 +54,7 @@ odk-link-to-jdk-1.5-docs.diff
oosplash-wait-for-ProcessingDone.diff
CVE-2014-9093.diff
CVE-2015-1774-hwpreader-check-reads.patch
+LinkUpdateMode-is-a-global-setting.diff
+ww8dontwrap.diff
+coverity-1266485.diff
+pStatus-vector-offsets.diff
diff --git a/patches/ww8dontwrap.diff b/patches/ww8dontwrap.diff
new file mode 100644
index 0000000..cb3b0ac
--- /dev/null
+++ b/patches/ww8dontwrap.diff
@@ -0,0 +1,35 @@
+From d0e1f7de2313d2fc6d50ace007d81c654fd27c43 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Mon, 13 Jul 2015 10:31:30 +0100
+Subject: [PATCH] ww8: make sure we don't wrap around
+
+(cherry picked from commit 755b9320c81948358a1d4104c8875594b5700d39)
+Reviewed-on: https://gerrit.libreoffice.org/16981
+Reviewed-by: David Tardon <dtardon@redhat.com>
+Tested-by: David Tardon <dtardon@redhat.com>
+
+Change-Id: I667bb264f92024b72f230c2ddbba3887471345f2
+DebianPatchName: ww8dontwrap.diff
+---
+ sw/source/filter/ww8/ww8scan.cxx | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
+index b149478..06993b4 100644
+--- a/sw/source/filter/ww8/ww8scan.cxx
++++ b/sw/source/filter/ww8/ww8scan.cxx
+@@ -1538,7 +1538,11 @@ WW8PLCFpcd* WW8ScannerBase::OpenPieceTable( SvStream* pStr, const WW8Fib* pWwF )
+ if( 2 == clxt ) // PLCFfpcd ?
+ break; // PLCFfpcd gefunden
+ if( 1 == clxt ) // clxtGrpprl ?
++ {
++ if (nGrpprl == SHRT_MAX)
++ return NULL;
+ nGrpprl++;
++ }
+ sal_uInt16 nLen(0);
+ *pStr >> nLen;
+ nLeft -= 2 + nLen;
+--
+1.9.1
+
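Review bot: The wrap-around guard `if (nGrpprl == SHRT_MAX)` is only correct if `nGrpprl` is a signed 16-bit counter, and its declaration lies outside this hunk, as does the rest of `OpenPieceTable`. If it is declared as `sal_Int16`, `SAL_MAX_INT16` ties the limit to the type, and a short comment would record why the scan is abandoned: `// refuse piece tables with more grpprls than the counter can hold`. The hunk adds no include for `SHRT_MAX`, so it relies on `<limits.h>` arriving transitively. The `return NULL` is silent; a `SAL_WARN` like the one in coverity-1266485.diff would make rejected documents diagnosable.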
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openoffice/libreoffice.git