* Fix WMF security vulnerability

http://www.openoffice.org/servlets/ReadMsg?list=releases&msgNo=10454 http://www.openoffice.org/issues/show_bug.cgi?id=70042 * Bump portrevision Obtained from: security-team@openoffice.org
author: Maho Nakata <maho@FreeBSD.org> 2007-01-08 06:41:02 +0000
committer: Maho Nakata <maho@FreeBSD.org> 2007-01-08 06:41:02 +0000
commit: b6aa79dea1d6402432308f138828495a9d5b3bee (patch)
tree: bf85491f0f3ed6255426e8be387b871983a23e57 /editors/openoffice.org-1.1/files
parent: add libbgpdump 1.4.99.0 (diff)
1 files changed, 170 insertions, 0 deletions
diff --git a/editors/openoffice.org-1.1/files/patch-allocoverflows_wmf b/editors/openoffice.org-1.1/files/patch-allocoverflows_wmf
new file mode 100644
index 000000000000..dd89158672cf
--- /dev/null
+++ b/editors/openoffice.org-1.1/files/patch-allocoverflows_wmf
@@ -0,0 +1,170 @@
+Index: source/filter.vcl/wmf/enhwmf.cxx
+===================================================================
+RCS file: /cvs/util/svtools/source/filter.vcl/wmf/enhwmf.cxx,v
+retrieving revision 1.19.106.1
+diff -u -u -r1.19.106.1 enhwmf.cxx
+--- svtools/source/filter.vcl/wmf/enhwmf.cxx	28 Apr 2004 10:25:02 -0000	1.19.106.1
++++ svtools/source/filter.vcl/wmf/enhwmf.cxx	24 Nov 2006 15:01:16 -0000
+@@ -60,6 +60,10 @@
+  ************************************************************************/
+ 
+ #include "winmtf.hxx"
++// some older OOos don't have the macro yet
++#ifndef SAL_MAX_UINT32
++#define SAL_MAX_UINT32 ((sal_uInt32) 0xFFFFFFFF)
++#endif
+ 
+ //=========================== GDI-Array ===================================
+ 
+@@ -385,33 +389,37 @@
+ 				UINT16*	pnPoints;
+ 				Point*	pPtAry;
+ 
+-				INT32	i, nPoly, nGesPoints;
++				UINT32	i, nPoly, nGesPoints;
+ 				pWMF->SeekRel( 0x10 );
+ 
+ 				// Anzahl der Polygone:
+ 				*pWMF >> nPoly >> nGesPoints;
+ 
+-				// Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
+-				pnPoints = new UINT16[ nPoly ];
+-
+-				for ( i = 0; i < nPoly; i++ )
++				if (nGesPoints < SAL_MAX_UINT32 / sizeof(Point))
+ 				{
+-					*pWMF >> nPoints;
+-					pnPoints[ i ] = (UINT16)nPoints;
+-				}
+-				// Polygonpunkte holen:
+-				pPtAry  = (Point*) new char[ nGesPoints * sizeof(Point) ];
+ 
+-				for ( i = 0; i < nGesPoints; i++ )
+-				{
+-					*pWMF >> nX32 >> nY32;
+-					pPtAry[ i ] = Point( nX32, nY32 );
++					// Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
++					pnPoints = new UINT16[ nPoly ];
++	
++					for ( i = 0; i < nPoly; i++ )
++					{
++						*pWMF >> nPoints;
++						pnPoints[ i ] = (UINT16)nPoints;
++					}
++					// Polygonpunkte holen:
++					pPtAry  = (Point*) new char[ nGesPoints * sizeof(Point) ];
++	
++					for ( i = 0; i < nGesPoints; i++ )
++					{
++						*pWMF >> nX32 >> nY32;
++						pPtAry[ i ] = Point( nX32, nY32 );
++					}
++					// PolyPolygon Actions erzeugen
++					PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
++					pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
++					delete[] (char*) pPtAry;
++					delete[] pnPoints;
+ 				}
+-				// PolyPolygon Actions erzeugen
+-				PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
+-				pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
+-				delete[] (char*) pPtAry;
+-				delete[] pnPoints;
+ 			}
+ 			break;
+ 
+@@ -1137,31 +1145,34 @@
+ 				UINT16*	pnPoints;
+ 				Point*	pPtAry;
+ 
+-				INT32	i, nPoly, nGesPoints;
++				UINT32	i, nPoly, nGesPoints;
+ 				pWMF->SeekRel( 0x10 );
+ 				// Anzahl der Polygone:
+ 				*pWMF >> nPoly >> nGesPoints;
+-				// Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
+-				pnPoints = new UINT16[ nPoly ];
+-				for ( i = 0; i < nPoly; i++ )
+-				{
+-					*pWMF >> nPoints;
+-					pnPoints[ i ] = (UINT16)nPoints;
+-				}
+-				// Polygonpunkte holen:
+-				pPtAry  = (Point*) new char[ nGesPoints * sizeof(Point) ];
+-				for ( i = 0; i < nGesPoints; i++ )
++				if (nGesPoints < SAL_MAX_UINT32 / sizeof(Point))
+ 				{
+-					*pWMF >> nX16 >> nY16;
+-					pPtAry[ i ] = Point( nX16, nY16 );
++					// Anzahl der Punkte eines jeden Polygons holen, Gesammtzahl der Punkte ermitteln:
++					pnPoints = new UINT16[ nPoly ];
++					for ( i = 0; i < nPoly; i++ )
++					{
++						*pWMF >> nPoints;
++						pnPoints[ i ] = (UINT16)nPoints;
++					}
++					// Polygonpunkte holen:
++					pPtAry  = (Point*) new char[ nGesPoints * sizeof(Point) ];
++					for ( i = 0; i < nGesPoints; i++ )
++					{
++						*pWMF >> nX16 >> nY16;
++						pPtAry[ i ] = Point( nX16, nY16 );
++					}
++	
++					// PolyPolygon Actions erzeugen
++					PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
++					pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
++					delete[] (char*) pPtAry;
++					delete[] pnPoints;
+ 				}
+-
+-				// PolyPolygon Actions erzeugen
+-				PolyPolygon aPolyPoly( (UINT16)nPoly, pnPoints, pPtAry );
+-				pOut->DrawPolyPolygon( aPolyPoly, bRecordPath );
+-				delete[] (char*) pPtAry;
+-				delete[] pnPoints;
+-			};
++			}
+ 			break;
+ 
+ 			case EMR_FILLRGN :
+Index: source/filter.vcl/wmf/winwmf.cxx
+===================================================================
+RCS file: /cvs/util/svtools/source/filter.vcl/wmf/winwmf.cxx,v
+retrieving revision 1.20.106.1
+diff -u -u -r1.20.106.1 winwmf.cxx
+--- svtools/source/filter.vcl/wmf/winwmf.cxx	28 Apr 2004 10:25:48 -0000	1.20.106.1
++++ svtools/source/filter.vcl/wmf/winwmf.cxx	24 Nov 2006 15:01:16 -0000
+@@ -874,17 +874,21 @@
+ 										aMemoryStream >> aPt.X()
+ 													  >> aPt.Y()
+ 													  >> nStringLen;
+-										sal_Unicode* pBuf = aString.AllocBuffer( (sal_uInt16)nStringLen );
+-										for ( i = 0; i < nStringLen; i++ )
+-											aMemoryStream >> pBuf[ i ];
+-										aMemoryStream >> nDXCount;
+-										if ( nDXCount )
+-											pDXAry = new sal_Int32[ nDXCount ];
+-										for  ( i = 0; i < nDXCount; i++ )
+-											aMemoryStream >> pDXAry[ i ];
+-										aMemoryStream >> nSkipActions;
+-										pOut->DrawText( aPt, aString, pDXAry );
+-										delete[] pDXAry;
++
++										if (nStringLen < STRING_MAXLEN)
++										{
++											sal_Unicode* pBuf = aString.AllocBuffer( (xub_StrLen)nStringLen );
++											for ( i = 0; i < nStringLen; i++ )
++												aMemoryStream >> pBuf[ i ];
++											aMemoryStream >> nDXCount;
++											if ( nDXCount )
++												pDXAry = new sal_Int32[ nDXCount ];
++											for  ( i = 0; i < nDXCount; i++ )
++												aMemoryStream >> pDXAry[ i ];
++											aMemoryStream >> nSkipActions;
++											pOut->DrawText( aPt, aString, pDXAry );
++											delete[] pDXAry;
++										}
+ 									}
+ 								}
+ 								break;
author	Maho Nakata <maho@FreeBSD.org>	2007-01-08 06:41:02 +0000
committer	Maho Nakata <maho@FreeBSD.org>	2007-01-08 06:41:02 +0000
commit	b6aa79dea1d6402432308f138828495a9d5b3bee (patch)
tree	bf85491f0f3ed6255426e8be387b871983a23e57 /editors/openoffice.org-1.1/files
parent	add libbgpdump 1.4.99.0 (diff)