RepositoryExternal.mk              |    1 +
 bin/lo-all-static-libs             |    1 +
 download.lst                       |    4 ++--
 external/libwebp/Makefile.vc.patch |   28 ++++++++++++++--------------
 sc/source/core/inc/interpre.hxx    |   12 ++++++++++++
 sc/source/core/tool/interpr1.cxx   |    4 ++--
 6 files changed, 32 insertions(+), 18 deletions(-)

New commits:
commit 9b1f35eee108b1872c740f40d4dc2b78acc5422a
Author:     Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Thu Sep 14 08:23:53 2023 +0100
Commit:     Mike Kaganski <mike.kagan...@collabora.com>
CommitDate: Thu Sep 28 10:25:25 2023 +0300

    tdf#157231 CVE-2023-4863 upgrade to libwebp-1.3.2.tar.gz
    
    Change-Id: Ib60466a59069b59fa884654167f33ccc58e59330
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/156884
    Tested-by: Jenkins
    Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org>

diff --git a/download.lst b/download.lst
index 8fa8d3c03937..45cffd927314 100644
--- a/download.lst
+++ b/download.lst
@@ -330,8 +330,8 @@ LIBTOMMATH_TARBALL := ltm-1.0.zip
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-LIBWEBP_SHA256SUM := b3779627c2dfd31e3d8c4485962c2efe17785ef975e2be5c8c0c9e6cd3c4ef66
-LIBWEBP_TARBALL := libwebp-1.3.1.tar.gz
+LIBWEBP_SHA256SUM := 2a499607df669e40258e53d0ade8035ba4ec0175244869d1025d460562aa09b4
+LIBWEBP_TARBALL := libwebp-1.3.2.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
commit ce98c89f31792602e5d77d0708a295317971b030
Author:     Taichi Haradaguchi <20001...@ymail.ne.jp>
AuthorDate: Sat Jul 1 11:56:32 2023 +0900
Commit:     Mike Kaganski <mike.kagan...@collabora.com>
CommitDate: Thu Sep 28 10:25:03 2023 +0300

    upgrade libwebp to 1.3.1
    
    Fixes CVE-2023-1999.
    
    Change-Id: I3d0f5f718242977156729521d14efb1a8d71aee4
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/153819
    Tested-by: Jenkins
    Reviewed-by: Taichi Haradaguchi <20001...@ymail.ne.jp>
    (cherry picked from commit c1fe534ae49e7e97b5965a5d1fbf910598215102)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/153836
    Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>

diff --git a/download.lst b/download.lst
index 47dca2110dca..8fa8d3c03937 100644
--- a/download.lst
+++ b/download.lst
@@ -330,8 +330,8 @@ LIBTOMMATH_TARBALL := ltm-1.0.zip
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-LIBWEBP_SHA256SUM := 64ac4614db292ae8c5aa26de0295bf1623dbb3985054cb656c55e67431def17c
-LIBWEBP_TARBALL := libwebp-1.3.0.tar.gz
+LIBWEBP_SHA256SUM := b3779627c2dfd31e3d8c4485962c2efe17785ef975e2be5c8c0c9e6cd3c4ef66
+LIBWEBP_TARBALL := libwebp-1.3.1.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
commit 15b2b35c425062b253fd6b826d4dc171a2794330
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Mon Apr 3 12:21:58 2023 +0100
Commit:     Mike Kaganski <mike.kagan...@collabora.com>
CommitDate: Thu Sep 28 10:24:54 2023 +0300

    move to libwebp 1.3.0 release
    
    Change-Id: I88205be86e15d9878040958b96dc30043d9eb0b6
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/149959
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    Signed-off-by: Xisco Fauli <xiscofa...@libreoffice.org>
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150010

diff --git a/download.lst b/download.lst
index 88e8a31f3abf..47dca2110dca 100644
--- a/download.lst
+++ b/download.lst
@@ -330,8 +330,8 @@ LIBTOMMATH_TARBALL := ltm-1.0.zip
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-LIBWEBP_SHA256SUM := 17fd427d210702a595f08ec619afa2cd3bd323f838ad109666482eac8fff65f0
-LIBWEBP_TARBALL := libwebp-1.3.0-rc1.tar.gz
+LIBWEBP_SHA256SUM := 64ac4614db292ae8c5aa26de0295bf1623dbb3985054cb656c55e67431def17c
+LIBWEBP_TARBALL := libwebp-1.3.0.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
commit 546a9e2bff8c3ee42736bbfbad3f2de4b61195fb
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Thu Dec 29 20:36:07 2022 +0000
Commit:     Mike Kaganski <mike.kagan...@collabora.com>
CommitDate: Thu Sep 28 10:24:46 2023 +0300

    Related: ofz Use-of-uninitialized-value
    
    Change-Id: I2f6e726f713836295603bf7112371aa4aff2c7c0
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/144868
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>
    Signed-off-by: Xisco Fauli <xiscofa...@libreoffice.org>
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150011

diff --git a/RepositoryExternal.mk b/RepositoryExternal.mk
index ad8f0204cd4e..92ea4ba17670 100644
--- a/RepositoryExternal.mk
+++ b/RepositoryExternal.mk
@@ -2693,6 +2693,7 @@ $(call gb_LinkTarget_add_libs,$(1),\
 else
 $(call gb_LinkTarget_add_libs,$(1),\
        -L$(call gb_UnpackedTarball_get_dir,libwebp)/src/.libs -lwebp \
+       -L$(call gb_UnpackedTarball_get_dir,libwebp)/sharpyuv/.libs -lsharpyuv \
 )
 endif
 $(call gb_LinkTarget_use_external_project,$(1),libwebp)
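Review bot: The added `-L…/sharpyuv/.libs -lsharpyuv` line covers only the `else` branch; the other `gb_LinkTarget_add_libs` call, named in the hunk header and starting outside this hunk, is not touched by this commit (the diffstat shows one added line for this file). The refreshed `external/libwebp/Makefile.vc.patch` in the same commit now carries `LIBSHARPYUV` variables, so the branch above presumably also needs the sharpyuv static library next to libwebp, or that link could fail on unresolved sharpyuv symbols; please confirm against the full file. Listing `-lsharpyuv` after `-lwebp` is the right order for static archives. A short comment such as `# libwebp >= 1.3.0 depends on libsharpyuv` above the new line would explain the pairing.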
diff --git a/bin/lo-all-static-libs b/bin/lo-all-static-libs
index af4ff25f348b..3db8d803d07a 100755
--- a/bin/lo-all-static-libs
+++ b/bin/lo-all-static-libs
@@ -125,6 +125,7 @@ echo $INSTDIR/$LIBO_LIB_FOLDER/lib*.a \
      $WORKDIR/UnpackedTarball/libvisio/src/lib/.libs/*.a \
      $WORKDIR/UnpackedTarball/libtiff/libtiff/.libs/*.a \
      $WORKDIR/UnpackedTarball/libwebp/src/.libs/*.a \
+     $WORKDIR/UnpackedTarball/libwebp/sharpyuv/.libs/*.a \
      $WORKDIR/UnpackedTarball/libwp?/src/lib/.libs/*.a \
      $WORKDIR/UnpackedTarball/raptor/src/.libs/*.a \
      $WORKDIR/UnpackedTarball/rasqal/src/.libs/*.a \
diff --git a/download.lst b/download.lst
index 253fefbf919d..88e8a31f3abf 100644
--- a/download.lst
+++ b/download.lst
@@ -330,8 +330,8 @@ LIBTOMMATH_TARBALL := ltm-1.0.zip
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-LIBWEBP_SHA256SUM := 7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df
-LIBWEBP_TARBALL := libwebp-1.2.4.tar.gz
+LIBWEBP_SHA256SUM := 17fd427d210702a595f08ec619afa2cd3bd323f838ad109666482eac8fff65f0
+LIBWEBP_TARBALL := libwebp-1.3.0-rc1.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
diff --git a/external/libwebp/Makefile.vc.patch b/external/libwebp/Makefile.vc.patch
index f13c12410e46..41c899921a1c 100644
--- a/external/libwebp/Makefile.vc.patch
+++ b/external/libwebp/Makefile.vc.patch
@@ -1,7 +1,7 @@
 --- Makefile.vc.sav    2021-07-30 00:55:37.000000000 +0200
 +++ Makefile.vc        2022-01-25 17:35:30.206117700 +0100
-@@ -7,11 +7,11 @@
- LIBWEBPDEMUX_BASENAME = libwebpdemux
+@@ -8,11 +8,11 @@
+ LIBSHARPYUV_BASENAME = libsharpyuv
  
  !IFNDEF ARCH
 -!IF ! [ cl 2>&1 | find "x86" > NUL ]
@@ -15,7 +15,7 @@
  ARCH = ARM
  !ELSE
  !ERROR Unable to auto-detect toolchain architecture! \
-@@ -27,8 +27,8 @@
+@@ -28,8 +28,8 @@
  ## Nothing more to do below this line!
  
  NOLOGO     = /nologo
@@ -35,7 +35,7 @@
  DIROBJ = $(DIRBASE)\obj
  DIRLIB = $(DIRBASE)\lib
  DIRINC = $(DIRBASE)\include
-@@ -86,10 +86,10 @@
+@@ -87,10 +87,10 @@
  
  # Target configuration
  !IF "$(CFG)" == "release-static"
@@ -48,9 +48,9 @@
  RTLIB          = $(RTLIBD)
  STATICLIBBUILD = TRUE
  LIBWEBPDECODER_BASENAME = $(LIBWEBPDECODER_BASENAME)_debug
-@@ -97,11 +97,11 @@
- LIBWEBPMUX_BASENAME = $(LIBWEBPMUX_BASENAME)_debug
+@@ -99,11 +99,11 @@
  LIBWEBPDEMUX_BASENAME = $(LIBWEBPDEMUX_BASENAME)_debug
+ LIBSHARPYUV_BASENAME = $(LIBSHARPYUV_BASENAME)_debug
  !ELSE IF "$(CFG)" == "release-dynamic"
 -CC        = $(CCNODBG)
 +CC_        = $(CCNODBG)
@@ -62,7 +62,7 @@
  RC        = $(RCDEBUG)
  RTLIB     = $(RTLIBD)
  DLLBUILD  = TRUE
-@@ -112,7 +112,7 @@
+@@ -115,7 +115,7 @@
  !ENDIF
  
  !IF "$(STATICLIBBUILD)" == "TRUE"
@@ -71,25 +71,25 @@
  CFGSET = TRUE
  LIBWEBPDECODER = $(DIRLIB)\$(LIBWEBPDECODER_BASENAME).lib
  LIBWEBP = $(DIRLIB)\$(LIBWEBP_BASENAME).lib
-@@ -120,7 +120,7 @@
+@@ -123,7 +123,7 @@
  LIBWEBPDEMUX = $(DIRLIB)\$(LIBWEBPDEMUX_BASENAME).lib
+ LIBSHARPYUV = $(DIRLIB)\$(LIBSHARPYUV_BASENAME).lib
  !ELSE IF "$(DLLBUILD)" == "TRUE"
- DLLINC = webp_dll.h
--CC     = $(CC) /I$(DIROBJ) /FI$(DLLINC) $(RTLIB) /DWEBP_DLL
-+CC_     = $(CC_) /I$(DIROBJ) /FI$(DLLINC) $(RTLIB) /DWEBP_DLL
+-CC     = $(CC) /I$(DIROBJ) $(RTLIB) /DWEBP_DLL
++CC_     = $(CC_) /I$(DIROBJ) $(RTLIB) /DWEBP_DLL
  LIBWEBPDECODER = $(DIRLIB)\$(LIBWEBPDECODER_BASENAME)_dll.lib
  LIBWEBP = $(DIRLIB)\$(LIBWEBP_BASENAME)_dll.lib
  LIBWEBPMUX = $(DIRLIB)\$(LIBWEBPMUX_BASENAME)_dll.lib
-@@ -421,7 +421,7 @@
-     $(DIROBJ)\$(DLLINC)
+@@ -434,7 +434,7 @@
  
+ !IF "$(DLLBUILD)" == "TRUE"
  {$(DIROBJ)}.c{$(DIROBJ)}.obj:
 -      $(CC) $(CFLAGS) /Fd$(LIBWEBP_PDBNAME) /Fo$@  $<
 +      $(CC_) $(CFLAGS) /Fd$(LIBWEBP_PDBNAME) /Fo$@  $<
  
  {src}.rc{$(DIROBJ)}.res:
        $(RC) /fo$@ $<
-@@ -469,41 +469,41 @@
+@@ -467,41 +467,41 @@
  # File-specific flag builds. Note batch rules take precedence over wildcards,
  # so for now name each file individually.
  $(DIROBJ)\examples\anim_diff.obj: examples\anim_diff.c
commit 9ebabbd7f5b157c9644ce7f01c4c683184a50ba6
Author:     Eike Rathke <er...@redhat.com>
AuthorDate: Fri Feb 17 12:03:54 2023 +0100
Commit:     Mike Kaganski <mike.kagan...@collabora.com>
CommitDate: Thu Sep 28 10:15:53 2023 +0300

    Stack check safety belt before fishing in muddy waters
    
    Have it hit hard in debug builds.
    
    Change-Id: I9ea54844a0661fd7a75616a2876983a74b2d5bad
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147205
    Reviewed-by: Eike Rathke <er...@redhat.com>
    Tested-by: Jenkins
    (cherry picked from commit 9d91fbba6f374fa1c10b38eae003da89bd4e6d4b)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147244
    Reviewed-by: Caolán McNamara <caol...@redhat.com>

diff --git a/sc/source/core/inc/interpre.hxx b/sc/source/core/inc/interpre.hxx
index 85d2955003af..a6bd98320f71 100644
--- a/sc/source/core/inc/interpre.hxx
+++ b/sc/source/core/inc/interpre.hxx
@@ -221,6 +221,7 @@ private:
     inline bool MustHaveParamCount( short nAct, short nMust );
     inline bool MustHaveParamCount( short nAct, short nMust, short nMax );
     inline bool MustHaveParamCountMin( short nAct, short nMin );
+    inline bool MustHaveParamCountMinWithStackCheck( short nAct, short nMin );
     void PushParameterExpected();
     void PushIllegalParameter();
     void PushIllegalArgument();
@@ -1074,6 +1075,17 @@ inline bool ScInterpreter::MustHaveParamCountMin( short nAct, short nMin )
     return false;
 }
 
+inline bool ScInterpreter::MustHaveParamCountMinWithStackCheck( short nAct, short nMin )
+{
+    assert(sp >= nAct);
+    if (sp < nAct)
+    {
+        PushParameterExpected();
+        return false;
+    }
+    return MustHaveParamCountMin( nAct, nMin);
+}
+
 inline bool ScInterpreter::CheckStringPositionArgument( double & fVal )
 {
     if (!std::isfinite( fVal))
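Review bot: The new `MustHaveParamCountMinWithStackCheck` has no comment saying when to use it instead of `MustHaveParamCountMin`, so a future caller may pick the unchecked variant. I would add above the definition: `/** Like MustHaveParamCountMin(), but first verifies that the stack holds at least nAct entries; use wherever a parameter is read by offset from sp rather than popped. */`. It is also worth a line noting that `assert(sp >= nAct)` is compiled out of release builds, which makes `if (sp < nAct)` the guard that actually protects against a parameter count larger than the stack depth. Only `ScSubTotal` and `ScAggregate` are switched in this commit; other interpreter functions that index the stack by parameter count are not visible here and may merit the same check.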
diff --git a/sc/source/core/tool/interpr1.cxx b/sc/source/core/tool/interpr1.cxx
index d82acb37494c..405d9fe00023 100644
--- a/sc/source/core/tool/interpr1.cxx
+++ b/sc/source/core/tool/interpr1.cxx
@@ -7643,7 +7643,7 @@ void ScInterpreter::ScVLookup()
 void ScInterpreter::ScSubTotal()
 {
     sal_uInt8 nParamCount = GetByte();
-    if ( !MustHaveParamCountMin( nParamCount, 2 ) )
+    if ( !MustHaveParamCountMinWithStackCheck( nParamCount, 2 ) )
         return;
 
     // We must fish the 1st parameter deep from the stack! And push it on top.
@@ -7690,7 +7690,7 @@ void ScInterpreter::ScSubTotal()
 void ScInterpreter::ScAggregate()
 {
     sal_uInt8 nParamCount = GetByte();
-    if ( !MustHaveParamCountMin( nParamCount, 3 ) )
+    if ( !MustHaveParamCountMinWithStackCheck( nParamCount, 3 ) )
         return;
 
     const FormulaError nErr = nGlobalError;
