rpms/openoffice.org/F-7 workspace.tipatch8.patch,NONE,1.1
Jan Navrátil (jnavrati)
fedora-extras-commits at redhat.com
Mon Sep 17 08:44:24 UTC 2007
Author: jnavrati
Update of /cvs/pkgs/rpms/openoffice.org/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1333
Added Files:
workspace.tipatch8.patch
Log Message:
Resolves: rhbz#251975 CVE-2007-2834 workspace.tipatch8.patch
workspace.tipatch8.patch:
--- NEW FILE workspace.tipatch8.patch ---
Index: source/filter.vcl/itiff/itiff.cxx
===================================================================
RCS file: /cvs/graphics/goodies/source/filter.vcl/itiff/itiff.cxx,v
retrieving revision 1.13
retrieving revision 1.13.72.1
diff -u -r1.13 -r1.13.72.1
--- openoffice.org.orig/goodies/source/filter.vcl/itiff/itiff.cxx 14 Nov 2006 16:17:15 -0000 1.13
+++ openoffice.org/goodies/source/filter.vcl/itiff/itiff.cxx 20 Jun 2007 14:21:15 -0000 1.13.72.1
@@ -132,7 +132,7 @@
double ReadDoubleData();
void ReadHeader();
- void ReadTagData( USHORT nTagType, ULONG nDataLen );
+ void ReadTagData( USHORT nTagType, sal_uInt32 nDataLen );
BOOL ReadMap( ULONG nMinPercent, ULONG nMaxPercent );
// Liesst/dekomprimert die Bitmap-Daten, und fuellt pMap
@@ -290,7 +290,7 @@
// ---------------------------------------------------------------------------------
-void TIFFReader::ReadTagData( USHORT nTagType, ULONG nDataLen)
+void TIFFReader::ReadTagData( USHORT nTagType, sal_uInt32 nDataLen)
{
if ( bStatus == FALSE )
return;
@@ -353,16 +353,25 @@
case 0x0111: { // Strip Offset(s)
ULONG nOldNumSO, i, * pOldSO;
pOldSO = pStripOffsets;
- if ( pOldSO == NULL ) nNumStripOffsets = 0; // Sicherheitshalber
+ if ( pOldSO == NULL )
+ nNumStripOffsets = 0;
nOldNumSO = nNumStripOffsets;
- nNumStripOffsets += nDataLen;
- pStripOffsets = new ULONG[ nNumStripOffsets ];
- for ( i = 0; i < nOldNumSO; i++ )
- pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos;
- for ( i = nOldNumSO; i < nNumStripOffsets; i++ )
- pStripOffsets[ i ] = ReadIntData() + nOrigPos;
- if ( pOldSO != NULL )
+ nDataLen += nOldNumSO;
+ if ( ( nDataLen > nOldNumSO ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
+ {
+ nNumStripOffsets = nDataLen;
+ pStripOffsets = new ULONG[ nNumStripOffsets ];
+ if ( !pStripOffsets )
+ nNumStripOffsets = 0;
+ else
+ {
+ for ( i = 0; i < nOldNumSO; i++ )
+ pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos;
+ for ( i = nOldNumSO; i < nNumStripOffsets; i++ )
+ pStripOffsets[ i ] = ReadIntData() + nOrigPos;
+ }
delete[] pOldSO;
+ }
OOODEBUG("StripOffsets (Anzahl:)",nDataLen);
break;
}
@@ -384,16 +393,25 @@
case 0x0117: { // Strip Byte Counts
ULONG nOldNumSBC, i, * pOldSBC;
pOldSBC = pStripByteCounts;
- if ( pOldSBC == NULL ) nNumStripByteCounts = 0; // Sicherheitshalber
+ if ( pOldSBC == NULL )
+ nNumStripByteCounts = 0; // Sicherheitshalber
nOldNumSBC = nNumStripByteCounts;
- nNumStripByteCounts += nDataLen;
- pStripByteCounts = new ULONG[ nNumStripByteCounts ];
- for ( i = 0; i < nOldNumSBC; i++ )
- pStripByteCounts[ i ] = pOldSBC[ i ];
- for ( i = nOldNumSBC; i < nNumStripByteCounts; i++)
- pStripByteCounts[ i ] = ReadIntData();
- if ( pOldSBC != NULL )
+ nDataLen += nOldNumSBC;
+ if ( ( nDataLen > nOldNumSBC ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
+ {
+ nNumStripByteCounts = nDataLen;
+ pStripByteCounts = new ULONG[ nNumStripByteCounts ];
+ if ( !nNumStripByteCounts )
+ nNumStripByteCounts = 0;
+ else
+ {
+ for ( i = 0; i < nOldNumSBC; i++ )
+ pStripByteCounts[ i ] = pOldSBC[ i ];
+ for ( i = nOldNumSBC; i < nNumStripByteCounts; i++)
+ pStripByteCounts[ i ] = ReadIntData();
+ }
delete[] pOldSBC;
+ }
OOODEBUG("StripByteCounts (Anzahl:)",nDataLen);
break;
}
More information about the fedora-extras-commits
mailing list