filter/source/graphicfilter/icgm/class4.cxx | 6 +++--- sw/qa/core/data/odt/fail/82fff64a-0a21-4b09-bbdc-2914a5a150f0.odt |binary sw/source/filter/ww8/ww8scan.cxx | 4 ++-- xmloff/source/style/xmlnumfi.cxx | 5 +++++ 4 files changed, 10 insertions(+), 5 deletions(-)
New commits: commit 7d524cf4f4a656b46973fe5f248444c631dbf7cf Author: Caolán McNamara <caol...@redhat.com> Date: Mon Aug 28 10:53:42 2017 +0100 ofz#3121 check bounds better Change-Id: Ib1eacda7e4cdf1d0238532f4e38059a9c30556ac Reviewed-on: https://gerrit.libreoffice.org/41628 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Michael Stahl <mst...@redhat.com> (cherry picked from commit b72dee386ac15a7fd6098503772e606c5f059a20)
diff --git a/filter/source/graphicfilter/icgm/class4.cxx b/filter/source/graphicfilter/icgm/class4.cxx
index ff574c4eece4..e97781d314e7 100644
--- a/filter/source/graphicfilter/icgm/class4.cxx
+++ b/filter/source/graphicfilter/icgm/class4.cxx
@@ -186,7 +186,7 @@ void CGM::ImplDoClass4()
 sal_uInt32 nType = ImplGetUI16( 4 );
 sal_uInt32 nSize = ImplGetUI( 1 );
- if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+ if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) <= nSize)
 throw css::uno::Exception("attempt to read past end of input", nullptr);
 mpSource[mnParaSize + nSize] = 0;
@@ -224,7 +224,7 @@ void CGM::ImplDoClass4()
 sal_uInt32 nType = ImplGetUI16(4);
 sal_uInt32 nSize = ImplGetUI(1);
- if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+ if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) <= nSize)
 throw css::uno::Exception("attempt to read past end of input", nullptr);
 mpSource[ mnParaSize + nSize ] = 0;
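Review bot: The guard in CGM::ImplDoClass4 (this hunk at line 186, and identically the hunks at 224 and 242) casts the pointer difference `mpEndValidSource - (mpSource + mnParaSize)` to `sal_uIntPtr`, so if the cursor were ever already past `mpEndValidSource` the negative result wraps to a huge value, the `<= nSize` test passes, and the terminator store `mpSource[mnParaSize + nSize] = 0` lands out of bounds. Whether `ImplGetUI16`/`ImplGetUI` rule that out cannot be seen from the hunk, so I would make the check self-contained, e.g. `if (mpSource + mnParaSize > mpEndValidSource || static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) <= nSize)`. A one-line comment such as `// need nSize bytes plus one for the terminator written below` would also explain why the comparison is `<=`, and since the same check appears three times a small private helper would keep the sites from drifting apart. The function body starts and ends outside all three hunks.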
@@ -242,7 +242,7 @@ void CGM::ImplDoClass4()
 sal_uInt32 nType = ImplGetUI16( 4 );
 sal_uInt32 nSize = ImplGetUI( 1 );
- if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) < nSize)
+ if (static_cast<sal_uIntPtr>(mpEndValidSource - (mpSource + mnParaSize)) <= nSize)
 throw css::uno::Exception("attempt to read past end of input", nullptr);
 mpSource[ mnParaSize + nSize ] = 0;
commit 5377233d145df2e158c44090032ea19b02566827 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Aug 28 10:17:56 2017 +0100 ofz#3110 GeneratePLCF only generated word6 sized missing entries BTE was 2 bytes in word 7- but 4 bytes in word 8+ Change-Id: I24007d26fccc5edc104320bd2eb8f9c62399c988 Reviewed-on: https://gerrit.libreoffice.org/41625 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Michael Stahl <mst...@redhat.com> (cherry picked from commit 35c07f69a28c24a8561f86ff82387f11a85d368a)
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx
index 0026ade52132..1d51c27a5623 100644
--- a/sw/source/filter/ww8/ww8scan.cxx
+++ b/sw/source/filter/ww8/ww8scan.cxx
@@ -2162,7 +2162,7 @@ void WW8PLCF::GeneratePLCF(SvStream& rSt, sal_Int32 nPN, sal_Int32 ncpN)
 if (!failure)
 {
- size_t nSiz = 6 * nIMax + 4;
+ size_t nSiz = (4 + nStru) * nIMax + 4;
 size_t nElems = ( nSiz + 3 ) / 4;
 pPLCF_PosArray = new sal_Int32[ nElems ]; // Pointer to Pos-array
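Review bot: In the ww8scan.cxx hunk at line 2162 (WW8PLCF::GeneratePLCF), the new size `(4 + nStru) * nIMax + 4` is evaluated in the operands' own type before it is converted to `size_t`, and the allocation below trusts the result. The declarations of `nIMax` and `nStru` and the range check on `nIMax` are outside the hunk; if they are 32-bit signed and that check still assumes the old 6-byte entry, a large `ncpN` taken from the document could overflow the product or leave `pPLCF_PosArray` undersized for Word 8 input. I would widen first, `size_t nSiz = (4 + static_cast<size_t>(nStru)) * nIMax + 4;`, and confirm that the earlier limit on `nIMax` divides by `4 + nStru` rather than by a constant.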
@@ -2217,7 +2217,7 @@ void WW8PLCF::GeneratePLCF(SvStream& rSt, sal_Int32 nPN, sal_Int32 ncpN)
 for (sal_Int32 i = 0; i < ncpN; ++i) // construct PNs
 {
 ShortToSVBT16(static_cast<sal_uInt16>(nPN + i), p);
- p+=2;
+ p += nStru;
 }
 }
commit 2c410a04c15c21eb025ae5df0f70f63df9757cca Author: Michael Stahl <mst...@redhat.com> Date: Thu Aug 24 13:56:35 2017 +0200 tdf#111934 xmloff: ODF import: self-referential conditional style crash It's invalid input and also causes stack overflow. (cherry picked from commit 9fe857b7bd126ff4856fc4689d375881653b97a2) tdf#111934: add document for filters-tests Thanks to infostu...@gmail.com for the document; unfortunately git tells me that i can't set the commit author to just an email address. (cherry picked from commit 6e090b4272b8fa12d2032ff0c0ea4bfb24c0d2d2) Change-Id: Ie0b9dcaefcfcf254326151f345f4802ed66b994d Reviewed-on: https://gerrit.libreoffice.org/41535 Tested-by: Jenkins <c...@libreoffice.org> Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit f07bb0fed885f7a13c08f2bc3203e727db7cef1c)
diff --git a/sw/qa/core/data/odt/fail/82fff64a-0a21-4b09-bbdc-2914a5a150f0.odt b/sw/qa/core/data/odt/fail/82fff64a-0a21-4b09-bbdc-2914a5a150f0.odt
new file mode 100644
index 000000000000..7d823df75213
Binary files /dev/null and b/sw/qa/core/data/odt/fail/82fff64a-0a21-4b09-bbdc-2914a5a150f0.odt differ
diff --git a/xmloff/source/style/xmlnumfi.cxx b/xmloff/source/style/xmlnumfi.cxx
index ccd8158ead14..85c6cfe47289 100644
--- a/xmloff/source/style/xmlnumfi.cxx
+++ b/xmloff/source/style/xmlnumfi.cxx
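Review bot: In the `// construct PNs` loop of WW8PLCF::GeneratePLCF (ww8scan.cxx hunk at line 2217), `ShortToSVBT16` writes two bytes per entry while `p` now advances by `nStru`, so for 4-byte entries the upper two bytes are never written here. The array comes from `new sal_Int32[ nElems ]` in the hunk at line 2162, which does not zero-initialise; unless the buffer is cleared in code outside the hunk, a later 4-byte read of a generated PN would pick up indeterminate heap contents. Zeroing each slot first, `memset(p, 0, nStru);` ahead of the `ShortToSVBT16` call, or writing the full width when `nStru` is 4, would close that. The cast `static_cast<sal_uInt16>(nPN + i)` also truncates silently, so a comment naming the earlier check that bounds `nPN + ncpN` would help the next reader.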
@@ -1692,6 +1692,11 @@ sal_Int32 SvXMLNumFormatContext::CreateAndInsert(SvNumberFormatter* pFormatter)
 { SvXMLNumFormatContext* pStyle = const_cast<SvXMLNumFormatContext*>( static_cast<const SvXMLNumFormatContext *>(pStyles->FindStyleChildContext( XML_STYLE_FAMILY_DATA_STYLE, aMyConditions[i].sMapName)));
+ if (this == pStyle)
+ {
+ SAL_INFO("xmloff.style", "invalid style:map references containing style");
+ pStyle = nullptr;
+ }
 if (pStyle)
 {
 if ((pStyle->PrivateGetKey() > -1)) // don't reset pStyle's bRemoveAfterUse flag
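Review bot: The added `this == pStyle` test in SvXMLNumFormatContext::CreateAndInsert only rejects a style:map that points at its own containing style; two data styles whose maps reference each other would pass it. The commit message attributes the crash to stack overflow, which suggests the code after this hunk recurses into the referenced style, and in that case an indirect cycle in a malformed document would presumably still exhaust the stack. A per-context "insertion in progress" flag, set on entry and checked before following a map, would cover cycles of any length. Since this is malformed input, `SAL_WARN("xmloff.style", ...)` would make the rejection visible in default debug logs where `SAL_INFO` is not. The function body continues outside the hunk.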