Rebased ref, commits from common ancestor: commit c6934ee58f89941c9a0c6005980b123f18f5c275 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Mon Nov 1 17:34:23 2021 +0000 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Sun Feb 20 11:34:53 2022 +0100
ofz#40593 remove Objects from m_xResizeDrawObjects if deleted during parse Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124563 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit 2f01faaf88b6d172d7293f0c9e2a061d99b8ceb5) fix misplaced line Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124630 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit 4ed359093c991291216c39cffe14a60e607ec551) Change-Id: I11fa665175ef067a36f4822676c02d4df1e1e250
diff --git a/sw/qa/core/data/html/pass/ofz40593-1.html b/sw/qa/core/data/html/pass/ofz40593-1.html
new file mode 100644
index 000000000000..43510d5d00b2
Binary files /dev/null and b/sw/qa/core/data/html/pass/ofz40593-1.html differ
diff --git a/sw/source/filter/html/htmltab.cxx b/sw/source/filter/html/htmltab.cxx
index 4326e66cc029..749430cd6e3b 100644
--- a/sw/source/filter/html/htmltab.cxx
+++ b/sw/source/filter/html/htmltab.cxx
@@ -34,6 +34,7 @@
 #include <svtools/htmlkywd.hxx>
 #include <svl/urihelper.hxx>
 #include <svl/listener.hxx>
+#include <svx/sdrobjectuser.hxx>
 #include <sal/log.hxx>
 #include <dcontact.hxx>
@@ -379,7 +380,7 @@ public:
 // HTML table
 typedef std::vector<SdrObject *> SdrObjects;
-class HTMLTable
+class HTMLTable : public sdr::ObjectUser
 {
 OUString m_aId;
 OUString m_aStyle;
@@ -527,6 +528,8 @@ private:
 sal_uInt16 GetBorderWidth( const SvxBorderLine& rBLine, bool bWithDistance=false ) const;
+ virtual void ObjectInDestruction(const SdrObject& rObject) override;
+
 public:
 bool m_bFirstCell; // is there a cell created already?
@@ -536,7 +539,7 @@ public:
 bool bHasToFly, const HTMLTableOptions& rOptions);
- ~HTMLTable();
+ virtual ~HTMLTable();
 // Identifying of a cell
 const HTMLTableCell& GetCell(sal_uInt16 nRow, sal_uInt16 nCell) const;
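Review bot: The new ObjectInDestruction declaration in the private section of HTMLTable carries no comment, so a reader of the header hunk cannot tell why the table became an sdr::ObjectUser; a one-line comment above it, `// sdr::ObjectUser callback: drop a draw object from m_pResizeDrawObjects when it is destroyed before the table`, would document the contract at the declaration. As a point of style, `virtual void ObjectInDestruction(const SdrObject& rObject) override;` and `virtual ~HTMLTable();` could be written `void ObjectInDestruction(const SdrObject& rObject) override;` and `~HTMLTable() override;`, since override already implies virtual and the base presumably has a virtual destructor (not visible here). The class body continues outside these hunks.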
@@ -1070,11 +1073,33 @@ bool SwHTMLParser::IsReqIF() const
 return m_bReqIF;
 }
+// if any m_pResizeDrawObjects members are deleted during parse, remove them
+// from m_pResizeDrawObjects and m_pDrawObjectPrcWidths
+void HTMLTable::ObjectInDestruction(const SdrObject& rObject)
+{
+ auto it = std::find(m_pResizeDrawObjects->begin(), m_pResizeDrawObjects->end(), &rObject);
+ assert(it != m_pResizeDrawObjects->end());
+ auto nIndex = std::distance(m_pResizeDrawObjects->begin(), it);
+ m_pResizeDrawObjects->erase(it);
+ auto otherit = m_pDrawObjectPercentWidths->begin() + nIndex * 3;
+ m_pDrawObjectPercentWidths->erase(otherit, otherit + 3);
+}
+
 HTMLTable::~HTMLTable()
 {
 m_pParser->DeregisterHTMLTable(this);
- m_pResizeDrawObjects.reset();
+ if (m_pResizeDrawObjects)
+ {
+ size_t nCount = m_pResizeDrawObjects->size();
+ for (size_t i = 0; i < nCount; ++i)
+ {
+ SdrObject *pObj = (*m_pResizeDrawObjects)[i];
+ pObj->RemoveObjectUser(*this);
+ }
+ m_pResizeDrawObjects.reset();
+ }
 m_pDrawObjectPercentWidths.reset();
 m_pContext.reset();
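Review bot: ObjectInDestruction relies solely on an assert to guarantee that rObject is present in m_pResizeDrawObjects, so in a release build an unexpected callback would pass end() to erase() and then compute an index past the end of m_pDrawObjectPercentWidths; an early return after the assert, `if (it == m_pResizeDrawObjects->end()) return;`, keeps the callback well-defined on the very teardown path the fuzzer exercised. The stride of three entries per object is presumably maintained by RegisterDrawObject, which lies outside this hunk, so the second erase should also check that m_pDrawObjectPercentWidths is non-null and holds at least `(nIndex + 1) * 3` entries before erasing. The comment above the function refers to m_pDrawObjectPrcWidths while the body uses m_pDrawObjectPercentWidths; the comment should name the member it actually touches. In the destructor the index loop could be a range-for, `for (SdrObject* pObj : *m_pResizeDrawObjects) pObj->RemoveObjectUser(*this);`, which drops the nCount/i bookkeeping.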
@@ -2488,6 +2513,7 @@ void HTMLTable::RegisterDrawObject( SdrObject *pObj, sal_uInt8 nPercentWidth )
 if( !m_pResizeDrawObjects )
 m_pResizeDrawObjects.reset(new SdrObjects);
 m_pResizeDrawObjects->push_back( pObj );
+ pObj->AddObjectUser(*this);
 if( !m_pDrawObjectPercentWidths )
 m_pDrawObjectPercentWidths.reset(new std::vector<sal_uInt16>);
commit 5053cf92e68cb8329945760270c0d16d88a95d26 Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Fri Nov 5 18:33:07 2021 +0100 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Sun Feb 20 11:34:53 2022 +0100
icu: add patch for CVE-2021-30535 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124779 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 35eef8ec9b122a761400f3c6590ca1f9a187d772) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124701 Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de> (cherry picked from commit 105c258fcdd69f617de64b780ffcdb8304ff262c) Change-Id: I398596f77aa47ab6d4db01b94422262048cffd3e
diff --git a/external/icu/UnpackedTarball_icu.mk b/external/icu/UnpackedTarball_icu.mk
index 435382fa7988..1a781b59e28d 100644
--- a/external/icu/UnpackedTarball_icu.mk
+++ b/external/icu/UnpackedTarball_icu.mk
@@ -39,6 +39,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,icu,\
 external/icu/icu4c-khmerbreakengine.patch.1 \
 external/icu/strict_ansi.patch \
 external/icu/icu4c-windows-cygwin-cross.patch.1 \
+ external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2 \
+ external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2 \
 external/icu/icu4c-$(if $(filter ANDROID,$(OS)),android,rpath).patch.1 \
 $(if $(filter-out ANDROID,$(OS)),external/icu/icu4c-icudata-stdlibs.patch.1) \
 ))
diff --git a/external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2 b/external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2
new file mode 100644
index 000000000000..1ded56abf524
--- /dev/null
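Review bot: RegisterDrawObject registers the table as an ObjectUser on every call, but nothing in the hunk prevents the same SdrObject from being pushed into m_pResizeDrawObjects twice; if that can happen, ObjectInDestruction would erase only the first matching entry and leave a stale pointer behind, and the destructor would call RemoveObjectUser on the same object twice. Whether AddObjectUser tolerates a repeated registration is not visible here, so either guard the push with `if (std::find(m_pResizeDrawObjects->begin(), m_pResizeDrawObjects->end(), pObj) == m_pResizeDrawObjects->end())` or document at the function that each object is registered at most once. RegisterDrawObject's body continues outside the hunk, where the matching percent-width entries are presumably appended.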
+++ b/external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2 
@@ -0,0 +1,94 @@ +From cec7de7a390dd6907b0ea0feb4488ed3934ee71d Mon Sep 17 00:00:00 2001 +From: Frank Tang <ft...@chromium.org> +Date: Tue, 16 Mar 2021 22:08:29 -0700 +Subject: [PATCH] ICU-21537 Fix invalid free by long locale name + +Do not free baseName if it is pointing to fullNameBuffer. + +Better Fix +--- + icu4c/source/common/locid.cpp | 9 +++++---- + icu4c/source/test/intltest/collationtest.cpp | 10 ++++++++++ + 2 files changed, 15 insertions(+), 4 deletions(-) + +diff --git a/icu4c/source/common/locid.cpp b/icu4c/source/common/locid.cpp +index 5d604350ecd..e16fbb724a4 100644 +--- a/icu4c/source/common/locid.cpp ++++ b/icu4c/source/common/locid.cpp +@@ -254,7 +254,7 @@ UOBJECT_DEFINE_RTTI_IMPLEMENTATION(Locale) + + Locale::~Locale() + { +- if (baseName != fullName) { ++ if ((baseName != fullName) && (baseName != fullNameBuffer)) { + uprv_free(baseName); + } + baseName = NULL; +@@ -466,7 +466,7 @@ Locale& Locale::operator=(const Locale& other) { + } + + Locale& Locale::operator=(Locale&& other) U_NOEXCEPT { +- if (baseName != fullName) uprv_free(baseName); ++ if ((baseName != fullName) && (baseName != fullNameBuffer)) uprv_free(baseName); + if (fullName != fullNameBuffer) uprv_free(fullName); + + if (other.fullName == other.fullNameBuffer) { +@@ -1850,7 +1850,7 @@ Locale& Locale::init(const char* localeID, UBool canonicalize) + { + fIsBogus = FALSE; + /* Free our current storage */ +- if (baseName != fullName) { ++ if ((baseName != fullName) && (baseName != fullNameBuffer)) { + uprv_free(baseName); + } + baseName = NULL; +@@ -1886,6 +1886,7 @@ Locale& Locale::init(const char* localeID, UBool canonicalize) + uloc_getName(localeID, fullName, sizeof(fullNameBuffer), &err); + + if(err == U_BUFFER_OVERFLOW_ERROR || length >= (int32_t)sizeof(fullNameBuffer)) { ++ U_ASSERT(baseName == nullptr); + /*Go to heap for the fullName if necessary*/ + fullName = (char *)uprv_malloc(sizeof(char)*(length + 1)); + if(fullName == 0) { +@@ -2039,7 +2040,7 @@ Locale::hashCode() 
const + void + Locale::setToBogus() { + /* Free our current storage */ +- if(baseName != fullName) { ++ if((baseName != fullName) && (baseName != fullNameBuffer)) { + uprv_free(baseName); + } + baseName = NULL; +diff --git a/icu4c/source/test/intltest/collationtest.cpp b/icu4c/source/test/intltest/collationtest.cpp +index de51eece5c4..4f1fee9375e 100644 +--- a/icu4c/source/test/intltest/collationtest.cpp ++++ b/icu4c/source/test/intltest/collationtest.cpp +@@ -78,6 +78,7 @@ class CollationTest : public IntlTest { + void TestRootElements(); + void TestTailoredElements(); + void TestDataDriven(); ++ void TestLongLocale(); + + private: + void checkFCD(const char *name, CollationIterator &ci, CodePointIterator &cpi); +@@ -148,6 +149,7 @@ void CollationTest::runIndexedTest(int32_t index, UBool exec, const char *&name, + TESTCASE_AUTO(TestRootElements); + TESTCASE_AUTO(TestTailoredElements); + TESTCASE_AUTO(TestDataDriven); ++ TESTCASE_AUTO(TestLongLocale); + TESTCASE_AUTO_END; + } + +@@ -1852,4 +1854,12 @@ void CollationTest::TestDataDriven() { + } + } + ++void CollationTest::TestLongLocale() { ++ IcuTestErrorCode errorCode(*this, "TestLongLocale"); ++ Locale longLocale("sie__1G_C_CEIE_CEZCX_CSUE_E_EIESZNI2_GB_LM_LMCSUE_LMCSX_" ++ "LVARIANT_MMCSIE_STEU_SU1GCEIE_SU6G_SU6SU6G_U_UBGE_UC_" ++ "UCEZCSI_UCIE_UZSIU_VARIANT_X@collation=bcs-ukvsz"); ++ LocalPointer<Collator> coll(Collator::createInstance(longLocale, errorCode)); ++} ++ + #endif // !UCONFIG_NO_COLLATION diff --git a/external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2 b/external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2 new file mode 100644 index 000000000000..4709cd8c37fd --- /dev/null +++ b/external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2 
@@ -0,0 +1,39 @@ +From e450fa50fc242282551f56b941dc93b9a8a0bcbb Mon Sep 17 00:00:00 2001 +From: Frank Tang <ft...@chromium.org> +Date: Tue, 13 Apr 2021 15:16:50 -0700 +Subject: [PATCH] ICU-21587 Fix memory bug w/ baseName + +Edge cases not fixed in assign and move assign operator +while the locale is long and call setKeywordValue with incorrect +keyword/values. +--- + icu4c/source/common/locid.cpp | 11 +++++++++-- + icu4c/source/test/intltest/loctest.cpp | 26 ++++++++++++++++++++++++++ + icu4c/source/test/intltest/loctest.h | 2 ++ + 3 files changed, 37 insertions(+), 2 deletions(-) + +diff --git a/icu4c/source/common/locid.cpp b/icu4c/source/common/locid.cpp +index 02cd82a7b8e..3c6e5b06690 100644 +--- a/icu4c/source/common/locid.cpp ++++ b/icu4c/source/common/locid.cpp +@@ -469,14 +469,18 @@ Locale& Locale::operator=(Locale&& other) U_NOEXCEPT { + if ((baseName != fullName) && (baseName != fullNameBuffer)) uprv_free(baseName); + if (fullName != fullNameBuffer) uprv_free(fullName); + +- if (other.fullName == other.fullNameBuffer) { ++ if (other.fullName == other.fullNameBuffer || other.baseName == other.fullNameBuffer) { + uprv_strcpy(fullNameBuffer, other.fullNameBuffer); ++ } ++ if (other.fullName == other.fullNameBuffer) { + fullName = fullNameBuffer; + } else { + fullName = other.fullName; + } + +- if (other.baseName == other.fullName) { ++ if (other.baseName == other.fullNameBuffer) { ++ baseName = fullNameBuffer; ++ } else if (other.baseName == other.fullName) { + baseName = fullName; + } else { + baseName = other.baseName;