rpms/openoffice.org/F-7 workspace.tipatch8.patch,NONE,1.1

Mon Sep 17 08:44:24 UTC 2007

Author: jnavrati

Update of /cvs/pkgs/rpms/openoffice.org/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1333

Added Files:
	workspace.tipatch8.patch 
Log Message:
Resolves: rhbz#251975 CVE-2007-2834 workspace.tipatch8.patch


workspace.tipatch8.patch:

--- NEW FILE workspace.tipatch8.patch ---
Index: source/filter.vcl/itiff/itiff.cxx
===================================================================
RCS file: /cvs/graphics/goodies/source/filter.vcl/itiff/itiff.cxx,v
retrieving revision 1.13
retrieving revision 1.13.72.1
diff -u -r1.13 -r1.13.72.1
--- openoffice.org.orig/goodies/source/filter.vcl/itiff/itiff.cxx	14 Nov 2006 16:17:15 -0000	1.13
+++ openoffice.org/goodies/source/filter.vcl/itiff/itiff.cxx	20 Jun 2007 14:21:15 -0000	1.13.72.1
@@ -132,7 +132,7 @@
 	double	ReadDoubleData();
 
 	void	ReadHeader();
-	void	ReadTagData( USHORT nTagType, ULONG nDataLen );
+	void	ReadTagData( USHORT nTagType, sal_uInt32 nDataLen );
 
 	BOOL	ReadMap( ULONG nMinPercent, ULONG nMaxPercent );
 		// Liesst/dekomprimert die Bitmap-Daten, und fuellt pMap
@@ -290,7 +290,7 @@
 
 // ---------------------------------------------------------------------------------
 
-void TIFFReader::ReadTagData( USHORT nTagType, ULONG nDataLen)
+void TIFFReader::ReadTagData( USHORT nTagType, sal_uInt32 nDataLen)
 {
 	if ( bStatus == FALSE )
 		return;
@@ -353,16 +353,25 @@
 		case 0x0111: { // Strip Offset(s)
 			ULONG nOldNumSO, i, * pOldSO;
 			pOldSO = pStripOffsets;
-			if ( pOldSO == NULL ) nNumStripOffsets = 0;	// Sicherheitshalber
+			if ( pOldSO == NULL )
+				nNumStripOffsets = 0;
 			nOldNumSO = nNumStripOffsets;
-			nNumStripOffsets += nDataLen;
-			pStripOffsets = new ULONG[ nNumStripOffsets ];
-			for ( i = 0; i < nOldNumSO; i++ )
-				pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos;
-			for ( i = nOldNumSO; i < nNumStripOffsets; i++ )
-				pStripOffsets[ i ] = ReadIntData() + nOrigPos;
-			if ( pOldSO != NULL )
+			nDataLen += nOldNumSO;
+			if ( ( nDataLen > nOldNumSO ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
+			{
+				nNumStripOffsets = nDataLen;
+				pStripOffsets = new ULONG[ nNumStripOffsets ];
+				if ( !pStripOffsets )
+					nNumStripOffsets = 0;
+				else
+				{
+					for ( i = 0; i < nOldNumSO; i++ )
+						pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos;
+					for ( i = nOldNumSO; i < nNumStripOffsets; i++ )
+						pStripOffsets[ i ] = ReadIntData() + nOrigPos;
+				}
 				delete[] pOldSO;
+			}
 			OOODEBUG("StripOffsets (Anzahl:)",nDataLen);
 			break;
 		}
@@ -384,16 +393,25 @@
 		case 0x0117: { // Strip Byte Counts
 			ULONG nOldNumSBC, i, * pOldSBC;
 			pOldSBC = pStripByteCounts;
-			if ( pOldSBC == NULL ) nNumStripByteCounts = 0; // Sicherheitshalber
+			if ( pOldSBC == NULL )
+				nNumStripByteCounts = 0; // Sicherheitshalber
 			nOldNumSBC = nNumStripByteCounts;
-			nNumStripByteCounts += nDataLen;
-			pStripByteCounts = new ULONG[ nNumStripByteCounts ];
-			for ( i = 0; i < nOldNumSBC; i++ )
-				pStripByteCounts[ i ] = pOldSBC[ i ];
-			for ( i = nOldNumSBC; i < nNumStripByteCounts; i++)
-				pStripByteCounts[ i ] = ReadIntData();
-			if ( pOldSBC != NULL )
+			nDataLen += nOldNumSBC;
+			if ( ( nDataLen > nOldNumSBC ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
+			{		
+				nNumStripByteCounts = nDataLen;
+				pStripByteCounts = new ULONG[ nNumStripByteCounts ];
+				if ( !nNumStripByteCounts )
+					nNumStripByteCounts = 0;
+				else
+				{
+					for ( i = 0; i < nOldNumSBC; i++ )
+						pStripByteCounts[ i ] = pOldSBC[ i ];
+					for ( i = nOldNumSBC; i < nNumStripByteCounts; i++)
+						pStripByteCounts[ i ] = ReadIntData();
+				}
 				delete[] pOldSBC;
+			}
 			OOODEBUG("StripByteCounts (Anzahl:)",nDataLen);
 			break;
 		}


