[libreoffice] 01/01: fix CVE-2017-12607/CVE-2017-12608

Rene Engelhard rene at moszumanska.debian.org
Sat Nov 4 00:29:42 UTC 2017


This is an automated email from the git hooks/post-receive script.

rene pushed a commit to branch debian-jessie-4.3.3
in repository libreoffice.

commit 062f7c5c196bc27f8a69cc0aa43fa6da7c4ee2b3
Author: Rene Engelhard <rene at debian.org>
Date:   Sat Nov 4 01:27:40 2017 +0100

    fix CVE-2017-12607/CVE-2017-12608
---
 patches/CVE-2017-12607.diff |  86 +++++++++++++++++++++++++++++++++++++
 patches/CVE-2017-12608.diff | 100 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 186 insertions(+)

diff --git a/patches/CVE-2017-12607.diff b/patches/CVE-2017-12607.diff
new file mode 100644
index 0000000..1ce488d
--- /dev/null
+++ b/patches/CVE-2017-12607.diff
@@ -0,0 +1,86 @@
+From 334dba623dfb0c4fb2b5292c2d03741b7b33aef1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm at redhat.com>
+Date: Wed, 26 Aug 2015 11:25:03 +0100
+Subject: fix crash on loading certain ppts
+
+Change-Id: I544a67e3706c7d12414cc075118ef2f0f5ddd0f6
+
+diff --git a/filter/source/msfilter/svdfppt.cxx b/filter/source/msfilter/svdfppt.cxx
+index 47e9f35..f5b7931 100644
+--- a/filter/source/msfilter/svdfppt.cxx
++++ b/filter/source/msfilter/svdfppt.cxx
+@@ -4019,13 +4019,13 @@ PPTStyleSheet::PPTStyleSheet( const DffRecordHeader& rSlideHd, SvStream& rIn, Sd
+             ReadDffRecordHeader( rIn, aTxMasterStyleHd );
+             if ( aTxMasterStyleHd.nRecType == PPT_PST_TxMasterStyleAtom )
+             {
+-                sal_uInt16 nLevelAnz;
+-                rIn.ReadUInt16( nLevelAnz );
++                sal_uInt16 nLevelAnz(0);
++                rIn.ReadUInt16(nLevelAnz);
+ 
+                 sal_uInt16 nLev = 0;
+                 bool bFirst = true;
+                 bFoundTxMasterStyleAtom04 = true;
+-                while ( rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz )
++                while (rIn.GetError() == 0 && rIn.Tell() < aTxMasterStyleHd.GetRecEndFilePos() && nLev < nLevelAnz && nLev < nMaxPPTLevels)
+                 {
+                     if ( nLev )
+                     {
+diff --git a/include/filter/msfilter/svdfppt.hxx b/include/filter/msfilter/svdfppt.hxx
+index def0fd1..bfcea45 100644
+--- a/include/filter/msfilter/svdfppt.hxx
++++ b/include/filter/msfilter/svdfppt.hxx
+@@ -170,6 +170,8 @@ const sal_uInt32 PPTInventor = sal_uInt32('P') * 0x00000001
+                              + sal_uInt32('T') * 0x00010000
+                              + sal_uInt32('0') * 0x01000000;
+ 
++const int nMaxPPTLevels = 5;
++
+ // Object IDs for StarDraw UserData
+ #define PPT_OBJECTINFO_ID       (1)
+ 
+@@ -705,7 +707,7 @@ struct PPTExtParaLevel
+ 
+ struct PPTExtParaSheet
+ {
+-    PPTExtParaLevel aExtParaLevel[ 5 ];
++    PPTExtParaLevel aExtParaLevel[nMaxPPTLevels];
+ };
+ 
+ struct PPTBuGraEntry
+@@ -750,7 +752,7 @@ struct PPTCharLevel
+ 
+ struct PPTCharSheet
+ {
+-    PPTCharLevel    maCharLevel[ 5 ];
++    PPTCharLevel    maCharLevel[nMaxPPTLevels];
+ 
+                     explicit PPTCharSheet( sal_uInt32 nInstance );
+                     PPTCharSheet( const PPTCharSheet& rCharSheet );
+@@ -783,7 +785,7 @@ struct PPTParaSheet
+ {
+ public:
+ 
+-    PPTParaLevel    maParaLevel[ 5 ];
++    PPTParaLevel    maParaLevel[nMaxPPTLevels];
+ 
+                     explicit PPTParaSheet( sal_uInt32 nInstance );
+                     PPTParaSheet( const PPTParaSheet& rParaSheet );
+@@ -988,8 +990,8 @@ struct PPTRuler
+ 
+         sal_Int32           nFlags;
+         sal_uInt16          nDefaultTab;
+-        sal_uInt16          nTextOfs[ 5 ];
+-        sal_uInt16          nBulletOfs[ 5 ];
++        sal_uInt16          nTextOfs[nMaxPPTLevels];
++        sal_uInt16          nBulletOfs[nMaxPPTLevels];
+         PPTTabEntry*        pTab;
+         sal_uInt16          nTabCount;
+ 
+diff --git a/sd/qa/unit/data/ppt/pass/crash-1.ppt b/sd/qa/unit/data/ppt/pass/crash-1.ppt
+new file mode 100644
+index 0000000..5d1a04b
+Binary files /dev/null and b/sd/qa/unit/data/ppt/pass/crash-1.ppt differ
+-- 
+cgit v0.10.2
+
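Review bot: The new `nLev < nMaxPPTLevels` bound in the TxMasterStyleAtom loop of the PPTStyleSheet constructor is the only reader changed in svdfppt.cxx, while the header hunks size five per-level arrays (`aExtParaLevel`, `maCharLevel`, `maParaLevel`, `nTextOfs`, `nBulletOfs`) with the same constant. Any other code that indexes those arrays with a level value taken from the document is outside this patch and may still need the same bound, so it is worth checking before treating the backport as complete. The constant itself deserves a comment stating its purpose, for example `// number of per-level slots; a level read from a file must be checked against this before indexing`. The loop body continues outside the hunk, so it cannot be judged from here whether a record whose `nLevelAnz` exceeds the limit leaves the stream positioned mid-record.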
diff --git a/patches/CVE-2017-12608.diff b/patches/CVE-2017-12608.diff
new file mode 100644
index 0000000..a1a44c7
--- /dev/null
+++ b/patches/CVE-2017-12608.diff
@@ -0,0 +1,100 @@
+From: Caolán McNamara <caolanm at redhat.com>
+Date: Fri, 21 Aug 2015 08:52:29 +0000 (+0100)
+Subject: add ww6 test dir and fix a crash
+X-Git-Tag: libreoffice-5.1.0.0.alpha1~3127
+X-Git-Url: https://gerrit.libreoffice.org/gitweb?p=core.git;a=commitdiff_plain;h=42a709d1ef647aab9a1c9422b4e25ecaee857aba
+
+add ww6 test dir and fix a crash
+
+Change-Id: Id08176640672095c03e0b124cd65a9dce26ac2db
+---
+
+diff --git a/sw/qa/core/data/ww6/fail/.gitignore b/sw/qa/core/data/ww6/fail/.gitignore
+new file mode 100644
+index 0000000..e69de29
+diff --git a/sw/qa/core/data/ww6/indeterminate/.gitignore b/sw/qa/core/data/ww6/indeterminate/.gitignore
+new file mode 100644
+index 0000000..e69de29
+diff --git a/sw/qa/core/data/ww6/pass/.gitignore b/sw/qa/core/data/ww6/pass/.gitignore
+new file mode 100644
+index 0000000..e69de29
+diff --git a/sw/qa/core/data/ww6/pass/crash-1.doc b/sw/qa/core/data/ww6/pass/crash-1.doc
+new file mode 100644
+index 0000000..3c6f684
+Binary files /dev/null and b/sw/qa/core/data/ww6/pass/crash-1.doc differ
+diff --git a/sw/qa/core/filters-test.cxx b/sw/qa/core/filters-test.cxx
+index 023b50d9a..077a95e 100644
+--- a/sw/qa/core/filters-test.cxx
++++ b/sw/qa/core/filters-test.cxx
+@@ -151,6 +151,10 @@ void SwFiltersTest::testCVEs()
+             getURLFromSrc("/sw/qa/core/data/ww8/"),
+             OUString(FILTER_WW8));
+ 
++    testDir(OUString("MS WinWord 6.0"),
++            getURLFromSrc("/sw/qa/core/data/ww6/"),
++            OUString(sWW6));
++
+     testDir(OUString("MS WinWord 5"),
+             getURLFromSrc("/sw/qa/core/data/ww5/"),
+             OUString(sWW5));
+diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
+index 4885286..a58cf9f 100644
+--- a/sw/source/filter/ww8/ww8par2.cxx
++++ b/sw/source/filter/ww8/ww8par2.cxx
+@@ -4276,6 +4276,14 @@ void WW8RStyle::ImportOldFormatStyles()
+     std::vector< std::vector<sal_uInt8> > aConvertedChpx;
+     while (nByteCount < cbChpx)
+     {
++        if (stcp == aCHPXOffsets.size())
++        {
++            //more data than style slots, skip remainder
++            rSt.SeekRel(cbChpx-nByteCount);
++            nByteCount += cbChpx-nByteCount;
++            break;
++        }
++
+         sal_uInt8 cb;
+         rSt.ReadUChar( cb );
+         nByteCount++;
+@@ -4298,12 +4306,7 @@ void WW8RStyle::ImportOldFormatStyles()
+         else
+             aConvertedChpx.push_back( std::vector<sal_uInt8>() );
+ 
+-        stcp++;
+-        if (stcp == nStyles)
+-    {
+-            rSt.SeekRel(cbChpx-nByteCount);
+-            nByteCount += cbChpx-nByteCount;
+-    }
++        ++stcp;
+     }
+ 
+     std::vector<pxoffset> aPAPXOffsets(stcp);
+@@ -4320,6 +4323,12 @@ void WW8RStyle::ImportOldFormatStyles()
+     stcp=0;
+     while (nByteCount < cbPapx)
+     {
++        if (stcp == aPAPXOffsets.size())
++        {
++            rSt.SeekRel(cbPapx-nByteCount);
++            nByteCount += cbPapx-nByteCount;
++        }
++
+         sal_uInt8 cb;
+         rSt.ReadUChar( cb );
+         nByteCount++;
+@@ -4341,13 +4350,7 @@ void WW8RStyle::ImportOldFormatStyles()
+             nByteCount += nRemainder;
+         }
+ 
+-        stcp++;
+-
+-        if (stcp == nStyles)
+-    {
+-            rSt.SeekRel(cbPapx-nByteCount);
+-            nByteCount += cbPapx-nByteCount;
+-    }
++        ++stcp;
+     }
+ 
+     sal_uInt16 iMac;
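Review bot: The guard added to the PAPX loop, `if (stcp == aPAPXOffsets.size())`, has no `break;`, unlike the matching guard in the CHPX loop above it. After the `SeekRel`, execution falls through to `rSt.ReadUChar( cb )` and the rest of the iteration with `stcp` equal to the vector's size. The part of the body that would use `stcp` as an index is not shown, but if it stores into `aPAPXOffsets[stcp]` the out-of-range access this patch targets is still reachable for the PAPX data. Adding `break;` after `nByteCount += cbPapx-nByteCount;` would make the two loops agree, and the `//more data than style slots, skip remainder` comment would be useful there as well. ImportOldFormatStyles starts and ends outside these hunks.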

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openoffice/libreoffice.git


