diff --git a/SOURCES/0001-LinkUpdateMode-is-a-global-setting.patch b/SOURCES/0001-LinkUpdateMode-is-a-global-setting.patch new file mode 100644 index 0000000..13aaa10 --- /dev/null +++ b/SOURCES/0001-LinkUpdateMode-is-a-global-setting.patch @@ -0,0 +1,261 @@ +From 089026b255697b45c606a7a86d96995fbaa7c8f7 Mon Sep 17 00:00:00 2001 +From: Stephan Bergmann +Date: Tue, 23 Jun 2015 08:26:36 +0200 +Subject: [PATCH 1/4] LinkUpdateMode is a global setting + +(cherry picked from commit 77cc71476bae2b3655102e2c29d36af40a393201) +Conflicts: + sw/source/core/doc/DocumentLinksAdministrationManager.cxx + sw/source/filter/xml/xmlimp.cxx + +Reviewed-on: https://gerrit.libreoffice.org/16422 +Reviewed-by: Miklos Vajna +Tested-by: Miklos Vajna +(cherry picked from commit 8110d0c3cd79339d1d01b8ab2b11bee72551f083) + +Change-Id: Ida1257337c6e0916f2228fe053d9c9f085183af6 +--- + include/unotools/securityoptions.hxx | 2 + + sc/source/filter/xml/xmlimprt.cxx | 10 +++- + sc/source/ui/docshell/docsh4.cxx | 18 +++++-- + sw/source/core/doc/docnew.cxx | 10 ++++ + sw/source/filter/xml/xmlimp.cxx | 78 +++++++++++++++--------------- + unotools/source/config/securityoptions.cxx | 8 +++ + 6 files changed, 84 insertions(+), 42 deletions(-) + +diff --git a/include/unotools/securityoptions.hxx b/include/unotools/securityoptions.hxx +index 3bd8807..77e4720 100644 +--- a/include/unotools/securityoptions.hxx ++++ b/include/unotools/securityoptions.hxx +@@ -186,6 +186,8 @@ class UNOTOOLS_DLLPUBLIC SAL_WARN_UNUSED SvtSecurityOptions : public utl::detail + */ + bool isTrustedLocationUri(OUString const & uri) const; + ++ bool isTrustedLocationUriForUpdatingLinks(OUString const & uri) const; ++ + ::com::sun::star::uno::Sequence< Certificate > GetTrustedAuthors ( ) const; + void SetTrustedAuthors ( const ::com::sun::star::uno::Sequence< Certificate >& rAuthors ); + +diff --git a/sc/source/filter/xml/xmlimprt.cxx b/sc/source/filter/xml/xmlimprt.cxx +index a3fb7d5..bf1beeb 100644 +--- a/sc/source/filter/xml/xmlimprt.cxx ++++ b/sc/source/filter/xml/xmlimprt.cxx +@@ -2630,6 +2630,9 @@ void ScXMLImport::SetConfigurationSettings(const uno::Sequence aFilteredProps( ++ aConfigProps.getLength()); ++ sal_Int32 nFilteredPropsLen = 0; + for (sal_Int32 i = nCount - 1; i >= 0; --i) + { + if (aConfigProps[i].Name == sCTName) +@@ -2664,11 +2667,16 @@ void ScXMLImport::SetConfigurationSettings(const uno::SequencesetPropertyValue( aConfigProps[i].Name, aConfigProps[i].Value ); + } + } ++ if (aConfigProps[i].Name != "LinkUpdateMode") ++ { ++ aFilteredProps[nFilteredPropsLen++] = aConfigProps[i]; ++ } + } ++ aFilteredProps.realloc(nFilteredPropsLen); + uno::Reference xInterface = xMultiServiceFactory->createInstance("com.sun.star.comp.SpreadsheetSettings"); + uno::Reference xProperties(xInterface, uno::UNO_QUERY); + if (xProperties.is()) +- SvXMLUnitConverter::convertPropertySet(xProperties, aConfigProps); ++ SvXMLUnitConverter::convertPropertySet(xProperties, aFilteredProps); + } + } + } +diff --git a/sc/source/ui/docshell/docsh4.cxx b/sc/source/ui/docshell/docsh4.cxx +index 13855e6..3961186 100644 +--- a/sc/source/ui/docshell/docsh4.cxx ++++ b/sc/source/ui/docshell/docsh4.cxx +@@ -48,6 +48,7 @@ using namespace ::com::sun::star; + #include + #include + #include ++#include + + #include + #include "docuno.hxx" +@@ -423,12 +424,23 @@ void ScDocShell::Execute( SfxRequest& rReq ) + + if (nCanUpdate == com::sun::star::document::UpdateDocMode::NO_UPDATE) + nSet = LM_NEVER; +- else if (nCanUpdate == com::sun::star::document::UpdateDocMode::QUIET_UPDATE && +- nSet == LM_ON_DEMAND) +- nSet = LM_NEVER; + else if (nCanUpdate == com::sun::star::document::UpdateDocMode::FULL_UPDATE) + nSet = LM_ALWAYS; + ++ if (nSet == LM_ALWAYS ++ && !(SvtSecurityOptions() ++ .isTrustedLocationUriForUpdatingLinks( ++ GetMedium() == 0 ++ ? OUString() : GetMedium()->GetName()))) ++ { ++ nSet = LM_ON_DEMAND; ++ } ++ if (nCanUpdate == css::document::UpdateDocMode::QUIET_UPDATE ++ && nSet == LM_ON_DEMAND) ++ { ++ nSet = LM_NEVER; ++ } ++ + if(nSet==LM_ON_DEMAND) + { + QueryBox aBox( GetActiveDialogParent(), WinBits(WB_YES_NO | WB_DEF_YES), +diff --git a/sw/source/core/doc/docnew.cxx b/sw/source/core/doc/docnew.cxx +index d42dd9f..86447aa 100644 +--- a/sw/source/core/doc/docnew.cxx ++++ b/sw/source/core/doc/docnew.cxx +@@ -44,6 +44,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -889,6 +890,15 @@ void SwDoc::UpdateLinks( bool bUI ) + case document::UpdateDocMode::QUIET_UPDATE:bAskUpdate = false; break; + case document::UpdateDocMode::FULL_UPDATE: bAskUpdate = true; break; + } ++ if (nLinkMode == AUTOMATIC && !bAskUpdate) ++ { ++ SfxMedium * medium = GetDocShell()->GetMedium(); ++ if (!SvtSecurityOptions().isTrustedLocationUriForUpdatingLinks( ++ medium == 0 ? OUString() : medium->GetName())) ++ { ++ bAskUpdate = true; ++ } ++ } + if( bUpdate && (bUI || !bAskUpdate) ) + { + SfxMedium* pMedium = GetDocShell()->GetMedium(); +diff --git a/sw/source/filter/xml/xmlimp.cxx b/sw/source/filter/xml/xmlimp.cxx +index b04cfbd..2636c95 100644 +--- a/sw/source/filter/xml/xmlimp.cxx ++++ b/sw/source/filter/xml/xmlimp.cxx +@@ -1075,46 +1075,46 @@ void SwXMLImport::SetConfigurationSettings(const Sequence < PropertyValue > & aC + if( !xInfo.is() ) + return; + +- boost::unordered_set< OUString, OUStringHash > aSet; +- aSet.insert("ForbiddenCharacters"); +- aSet.insert("IsKernAsianPunctuation"); +- aSet.insert("CharacterCompressionType"); +- aSet.insert("LinkUpdateMode"); +- aSet.insert("FieldAutoUpdate"); +- aSet.insert("ChartAutoUpdate"); +- aSet.insert("AddParaTableSpacing"); +- aSet.insert("AddParaTableSpacingAtStart"); +- aSet.insert("PrintAnnotationMode"); +- aSet.insert("PrintBlackFonts"); +- aSet.insert("PrintControls"); +- aSet.insert("PrintDrawings"); +- aSet.insert("PrintGraphics"); +- aSet.insert("PrintLeftPages"); +- aSet.insert("PrintPageBackground"); +- aSet.insert("PrintProspect"); +- aSet.insert("PrintReversed"); +- aSet.insert("PrintRightPages"); +- aSet.insert("PrintFaxName"); +- aSet.insert("PrintPaperFromSetup"); +- aSet.insert("PrintTables"); +- aSet.insert("PrintSingleJobs"); +- aSet.insert("UpdateFromTemplate"); +- aSet.insert("PrinterIndependentLayout"); +- aSet.insert("PrintEmptyPages"); +- aSet.insert("SmallCapsPercentage66"); +- aSet.insert("TabOverflow"); +- aSet.insert("UnbreakableNumberings"); +- aSet.insert("ClippedPictures"); +- aSet.insert("BackgroundParaOverDrawings"); +- aSet.insert("TabOverMargin"); +- aSet.insert("PropLineSpacingShrinksFirstLine"); ++ boost::unordered_set< OUString, OUStringHash > aExcludeAlways; ++ aExcludeAlways.insert("LinkUpdateMode"); ++ boost::unordered_set< OUString, OUStringHash > aExcludeWhenNotLoadingUserSettings; ++ aExcludeWhenNotLoadingUserSettings.insert("ForbiddenCharacters"); ++ aExcludeWhenNotLoadingUserSettings.insert("IsKernAsianPunctuation"); ++ aExcludeWhenNotLoadingUserSettings.insert("CharacterCompressionType"); ++ aExcludeWhenNotLoadingUserSettings.insert("FieldAutoUpdate"); ++ aExcludeWhenNotLoadingUserSettings.insert("ChartAutoUpdate"); ++ aExcludeWhenNotLoadingUserSettings.insert("AddParaTableSpacing"); ++ aExcludeWhenNotLoadingUserSettings.insert("AddParaTableSpacingAtStart"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintAnnotationMode"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintBlackFonts"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintControls"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintDrawings"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintGraphics"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintLeftPages"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintPageBackground"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintProspect"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintReversed"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintRightPages"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintFaxName"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintPaperFromSetup"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintTables"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintSingleJobs"); ++ aExcludeWhenNotLoadingUserSettings.insert("UpdateFromTemplate"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrinterIndependentLayout"); ++ aExcludeWhenNotLoadingUserSettings.insert("PrintEmptyPages"); ++ aExcludeWhenNotLoadingUserSettings.insert("SmallCapsPercentage66"); ++ aExcludeWhenNotLoadingUserSettings.insert("TabOverflow"); ++ aExcludeWhenNotLoadingUserSettings.insert("UnbreakableNumberings"); ++ aExcludeWhenNotLoadingUserSettings.insert("ClippedPictures"); ++ aExcludeWhenNotLoadingUserSettings.insert("BackgroundParaOverDrawings"); ++ aExcludeWhenNotLoadingUserSettings.insert("TabOverMargin"); ++ aExcludeWhenNotLoadingUserSettings.insert("PropLineSpacingShrinksFirstLine"); + + sal_Int32 nCount = aConfigProps.getLength(); + const PropertyValue* pValues = aConfigProps.getConstArray(); + + SvtSaveOptions aSaveOpt; +- bool bIsUserSetting = aSaveOpt.IsLoadUserSettings(), +- bSet = bIsUserSetting; ++ bool bIsUserSetting = aSaveOpt.IsLoadUserSettings(); + + // for some properties we don't want to use the application + // default if they're missing. So we watch for them in the loop +@@ -1150,10 +1150,12 @@ void SwXMLImport::SetConfigurationSettings(const Sequence < PropertyValue > & aC + + while( nCount-- ) + { +- if( !bIsUserSetting ) ++ bool bSet = aExcludeAlways.find(pValues->Name) == aExcludeAlways.end(); ++ if( bSet && !bIsUserSetting ++ && (aExcludeWhenNotLoadingUserSettings.find(pValues->Name) ++ != aExcludeWhenNotLoadingUserSettings.end()) ) + { +- // test over the hash value if the entry is in the table. +- bSet = aSet.find(pValues->Name) == aSet.end(); ++ bSet = false; + } + + if( bSet ) +diff --git a/unotools/source/config/securityoptions.cxx b/unotools/source/config/securityoptions.cxx +index 7906ed7..86055c5 100644 +--- a/unotools/source/config/securityoptions.cxx ++++ b/unotools/source/config/securityoptions.cxx +@@ -1051,6 +1051,14 @@ bool SvtSecurityOptions::isTrustedLocationUri(OUString const & uri) const { + return false; + } + ++bool SvtSecurityOptions::isTrustedLocationUriForUpdatingLinks( ++ OUString const & uri) const ++{ ++ return GetMacroSecurityLevel() == 0 || uri.isEmpty() ++ || uri.startsWithIgnoreAsciiCase("private:") ++ || isTrustedLocationUri(uri); ++} ++ + sal_Int32 SvtSecurityOptions::GetMacroSecurityLevel() const + { + MutexGuard aGuard( GetInitMutex() ); +-- +2.5.0 + diff --git a/SOURCES/0002-coverity-1266485-Untrusted-value-as-argument.patch b/SOURCES/0002-coverity-1266485-Untrusted-value-as-argument.patch new file mode 100644 index 0000000..519d081 --- /dev/null +++ b/SOURCES/0002-coverity-1266485-Untrusted-value-as-argument.patch @@ -0,0 +1,93 @@ +From 614d84a00890fae37f89b39c7d3e2e02508ab5c6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Mon, 26 Jan 2015 11:26:41 +0000 +Subject: [PATCH 2/4] coverity#1266485 Untrusted value as argument + +Change-Id: I7708ecaf5412535055584ed6c71beaa9cd71c10c +(cherry picked from commit 0934ed1a40c59c169354b177d7dab4228de66171) + +min legal size here is > 4 + +(cherry picked from commit 3131205c05a3fde4ef1e3322cc48ca23c443f6d3) + +Change-Id: I9f68d000b32623db4d949d13284043630f5689f4 +(cherry picked from commit 964000d415bcf491704dad57aee7e0656ea60dab) +Reviewed-on: https://gerrit.libreoffice.org/16983 +Reviewed-by: David Tardon +Tested-by: David Tardon +(cherry picked from commit 81d1123ac317d9dad9872a9d2feda8cc6bd32492) +--- + vcl/source/gdi/jobset.cxx | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +diff --git a/vcl/source/gdi/jobset.cxx b/vcl/source/gdi/jobset.cxx +index ec1f44f..c67255e 100644 +--- a/vcl/source/gdi/jobset.cxx ++++ b/vcl/source/gdi/jobset.cxx +@@ -218,19 +218,24 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup ) + DBG_ASSERTWARNING( rIStream.GetVersion(), "JobSetup::>> - Solar-Version not set on rOStream" ); + + { +- sal_Size nFirstPos = rIStream.Tell(); +- + sal_uInt16 nLen = 0; + rIStream.ReadUInt16( nLen ); +- if ( !nLen ) ++ if (nLen <= 4) + return rIStream; + + sal_uInt16 nSystem = 0; + rIStream.ReadUInt16( nSystem ); +- +- boost::scoped_array pTempBuf(new char[nLen]); +- rIStream.Read( pTempBuf.get(), nLen - sizeof( nLen ) - sizeof( nSystem ) ); +- if ( nLen >= sizeof(ImplOldJobSetupData)+4 ) ++ const size_t nRead = nLen - sizeof(nLen) - sizeof(nSystem); ++ if (nRead > rIStream.remainingSize()) ++ { ++ SAL_WARN("vcl", "Parsing error: " << rIStream.remainingSize() << ++ " max possible entries, but " << nRead << " claimed, truncating"); ++ return rIStream; ++ } ++ sal_Size nFirstPos = rIStream.Tell(); ++ boost::scoped_array pTempBuf(new char[nRead]); ++ rIStream.Read(pTempBuf.get(), nRead); ++ if (nRead >= sizeof(ImplOldJobSetupData)) + { + ImplOldJobSetupData* pData = (ImplOldJobSetupData*)pTempBuf.get(); + if ( rJobSetup.mpData ) +@@ -255,7 +260,7 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup ) + nSystem == JOBSET_FILE605_SYSTEM ) + { + Impl364JobSetupData* pOldJobData = (Impl364JobSetupData*)(pTempBuf.get() + sizeof( ImplOldJobSetupData )); +- sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize ); ++ sal_uInt16 nOldJobDataSize = SVBT16ToShort( pOldJobData->nSize ); + pJobData->mnSystem = SVBT16ToShort( pOldJobData->nSystem ); + pJobData->mnDriverDataLen = SVBT32ToUInt32( pOldJobData->nDriverDataLen ); + pJobData->meOrientation = (Orientation)SVBT16ToShort( pOldJobData->nOrientation ); +@@ -272,8 +277,8 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup ) + } + if( nSystem == JOBSET_FILE605_SYSTEM ) + { +- rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + 4 + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen ); +- while( rIStream.Tell() < nFirstPos + nLen ) ++ rIStream.Seek( nFirstPos + sizeof( ImplOldJobSetupData ) + sizeof( Impl364JobSetupData ) + pJobData->mnDriverDataLen ); ++ while( rIStream.Tell() < nFirstPos + nRead ) + { + OUString aKey = read_uInt16_lenPrefixed_uInt8s_ToOUString(rIStream, RTL_TEXTENCODING_UTF8); + OUString aValue = read_uInt16_lenPrefixed_uInt8s_ToOUString(rIStream, RTL_TEXTENCODING_UTF8); +@@ -291,9 +296,9 @@ SvStream& ReadJobSetup( SvStream& rIStream, JobSetup& rJobSetup ) + else + pJobData->maValueMap[ aKey ] = aValue; + } +- DBG_ASSERT( rIStream.Tell() == nFirstPos+nLen, "corrupted job setup" ); ++ DBG_ASSERT( rIStream.Tell() == nFirstPos+nRead, "corrupted job setup" ); + // ensure correct stream position +- rIStream.Seek( nFirstPos + nLen ); ++ rIStream.Seek(nFirstPos + nRead); + } + } + } +-- +2.5.0 + diff --git a/SOURCES/0003-ww8-make-sure-we-don-t-wrap-around.patch b/SOURCES/0003-ww8-make-sure-we-don-t-wrap-around.patch new file mode 100644 index 0000000..8e3daf5 --- /dev/null +++ b/SOURCES/0003-ww8-make-sure-we-don-t-wrap-around.patch @@ -0,0 +1,34 @@ +From 96f39ec02da9f29f9087f3072a184b38c95813dd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Mon, 13 Jul 2015 10:31:30 +0100 +Subject: [PATCH 3/4] ww8: make sure we don't wrap around + +Change-Id: I667bb264f92024b72f230c2ddbba3887471345f2 +(cherry picked from commit 755b9320c81948358a1d4104c8875594b5700d39) +Reviewed-on: https://gerrit.libreoffice.org/16981 +Reviewed-by: David Tardon +Tested-by: David Tardon +(cherry picked from commit 9f0044e16a42930d447f63e6129e9979f5e186ec) +--- + sw/source/filter/ww8/ww8scan.cxx | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx +index fceb5c3..f9f88a3 100644 +--- a/sw/source/filter/ww8/ww8scan.cxx ++++ b/sw/source/filter/ww8/ww8scan.cxx +@@ -1540,7 +1540,11 @@ WW8PLCFpcd* WW8ScannerBase::OpenPieceTable( SvStream* pStr, const WW8Fib* pWwF ) + if( 2 == clxt ) // PLCFfpcd ? + break; // PLCFfpcd gefunden + if( 1 == clxt ) // clxtGrpprl ? ++ { ++ if (nGrpprl == SHRT_MAX) ++ return NULL; + nGrpprl++; ++ } + sal_uInt16 nLen(0); + pStr->ReadUInt16( nLen ); + nLeft -= 2 + nLen; +-- +2.5.0 + diff --git a/SOURCES/0004-convert-pStatus-to-vector-and-use-at-to-check-offset.patch b/SOURCES/0004-convert-pStatus-to-vector-and-use-at-to-check-offset.patch new file mode 100644 index 0000000..9d45f2b --- /dev/null +++ b/SOURCES/0004-convert-pStatus-to-vector-and-use-at-to-check-offset.patch @@ -0,0 +1,90 @@ +From 694cc3d7e392021c5e3d6ab4522a7b1d836fef48 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Thu, 13 Aug 2015 10:58:06 +0100 +Subject: [PATCH 4/4] convert pStatus to vector and use at to check offsets + +(cherry picked from commit ea70088895ed45dc60abf18319acc1b4fa3018dd) + +Change-Id: I5186f6a65bb9d5ed8a0d1ab1d71f7e2c13865411 +Reviewed-on: https://gerrit.libreoffice.org/17695 +Reviewed-by: David Tardon +Tested-by: David Tardon +(cherry picked from commit 92c3a5b80ac575e1c538894b7c1a4170093785b5) +--- + sw/source/filter/ww8/ww8scan.cxx | 18 +++++++++--------- + sw/source/filter/ww8/ww8scan.hxx | 4 ++-- + 2 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx +index f9f88a3..2d010e0 100644 +--- a/sw/source/filter/ww8/ww8scan.cxx ++++ b/sw/source/filter/ww8/ww8scan.cxx +@@ -3941,7 +3941,7 @@ void WW8ReadSTTBF(bool bVer8, SvStream& rStrm, sal_uInt32 nStart, sal_Int32 nLen + } + + WW8PLCFx_Book::WW8PLCFx_Book(SvStream* pTblSt, const WW8Fib& rFib) +- : WW8PLCFx(rFib.GetFIBVersion(), false), pStatus(0), nIsEnd(0), nBookmarkId(1) ++ : WW8PLCFx(rFib.GetFIBVersion(), false), nIsEnd(0), nBookmarkId(1) + { + if( !rFib.fcPlcfbkf || !rFib.lcbPlcfbkf || !rFib.fcPlcfbkl || + !rFib.lcbPlcfbkl || !rFib.fcSttbfbkmk || !rFib.lcbSttbfbkmk ) +@@ -3966,14 +3966,12 @@ WW8PLCFx_Book::WW8PLCFx_Book(SvStream* pTblSt, const WW8Fib& rFib) + nIMax = pBook[0]->GetIMax(); + if( pBook[1]->GetIMax() < nIMax ) + nIMax = pBook[1]->GetIMax(); +- pStatus = new eBookStatus[ nIMax ]; +- memset( pStatus, 0, nIMax * sizeof( eBookStatus ) ); ++ aStatus.resize(nIMax); + } + } + + WW8PLCFx_Book::~WW8PLCFx_Book() + { +- delete[] pStatus; + delete pBook[1]; + delete pBook[0]; + } +@@ -4091,18 +4089,20 @@ long WW8PLCFx_Book::GetLen() const + return nNum; + } + +-void WW8PLCFx_Book::SetStatus(sal_uInt16 nIndex, eBookStatus eStat ) ++void WW8PLCFx_Book::SetStatus(sal_uInt16 nIndex, eBookStatus eStat) + { +- OSL_ENSURE(nIndex < nIMax, "set status of non existing bookmark!"); +- pStatus[nIndex] = (eBookStatus)( pStatus[nIndex] | eStat ); ++ SAL_WARN_IF(nIndex >= nIMax, "sw.ww8", ++ "bookmark index " << nIndex << " invalid"); ++ eBookStatus eStatus = aStatus.at(nIndex); ++ aStatus[nIndex] = static_cast(eStatus | eStat); + } + + eBookStatus WW8PLCFx_Book::GetStatus() const + { +- if( !pStatus ) ++ if (aStatus.empty()) + return BOOK_NORMAL; + long nEndIdx = GetHandle(); +- return ( nEndIdx < nIMax ) ? pStatus[nEndIdx] : BOOK_NORMAL; ++ return ( nEndIdx < nIMax ) ? aStatus[nEndIdx] : BOOK_NORMAL; + } + + long WW8PLCFx_Book::GetHandle() const +diff --git a/sw/source/filter/ww8/ww8scan.hxx b/sw/source/filter/ww8/ww8scan.hxx +index 1e6a43a..4d84961 100644 +--- a/sw/source/filter/ww8/ww8scan.hxx ++++ b/sw/source/filter/ww8/ww8scan.hxx +@@ -734,8 +734,8 @@ class WW8PLCFx_Book : public WW8PLCFx + { + private: + WW8PLCFspecial* pBook[2]; // Start and End Position +- ::std::vector aBookNames; // Name +- eBookStatus* pStatus; ++ std::vector aBookNames; // Name ++ std::vector aStatus; + long nIMax; // Number of Booknotes + sal_uInt16 nIsEnd; + sal_Int32 nBookmarkId; // counter incremented by GetUniqueBookmarkName. +-- +2.5.0 + diff --git a/SPECS/libreoffice.spec b/SPECS/libreoffice.spec index 9f2de84..530f30f 100644 --- a/SPECS/libreoffice.spec +++ b/SPECS/libreoffice.spec @@ -53,7 +53,7 @@ Summary: Free Software Productivity Suite Name: libreoffice Epoch: 1 Version: %{libo_version}.2 -Release: 5%{?libo_prerelease}%{?dist} +Release: 5%{?libo_prerelease}%{?dist}.1 License: (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and Artistic and MPLv2.0 and CC0 Group: Applications/Productivity URL: http://www.libreoffice.org/ @@ -377,6 +377,10 @@ Patch77: 0002-java-dir-for-powepc64-and-powepc64le-can-differ.patch Patch78: 0001-rulers-Make-the-numbers-a-bit-smaller-and-always-wit.patch Patch79: 0001-ppc64-simplify-this-a-little.patch Patch80: 0002-ppc64-using-a-fp-register-also-consumes-a-gp-registe.patch +Patch81: 0001-LinkUpdateMode-is-a-global-setting.patch +Patch82: 0002-coverity-1266485-Untrusted-value-as-argument.patch +Patch83: 0003-ww8-make-sure-we-don-t-wrap-around.patch +Patch84: 0004-convert-pStatus-to-vector-and-use-at-to-check-offset.patch %define instdir %{_libdir} %define baseinstdir %{instdir}/libreoffice @@ -2341,6 +2345,14 @@ update-desktop-database %{_datadir}/applications &> /dev/null || : %endif %changelog +* Wed Dec 02 2015 David Tardon - 1:4.3.7.2-5.1 +- Resolves: rhbz#1285820 various flaws +- CVE-2015-4551 Arbitrary file disclosure in Calc and Writer +- CVE-2015-5212 Integer underflow in PrinterSetup length +- CVE-2015-5213 Integer overflow in DOC files +- CVE-2015-5214 Bookmarks in DOC documents are insufficiently checked + causing memory corruption + * Tue Jul 14 2015 David Tardon - 1:4.3.7.2-5 - Related: rhbz#1205091 fix for ppc64 - Related: rhbz#1205091 fix deps for gdb-debug-support subpackage