rpms/openoffice.org/F-10 workspace.hb311fixes01.patch,NONE,1.1
Caolan McNamara
caolanm at fedoraproject.org
Tue Sep 1 15:08:50 UTC 2009
- Previous message (by thread): rpms/openoffice.org/F-10 openoffice.org-3.1.1.ooo104329.dbaccess.primarykeys.patch, 1.2, 1.3 openoffice.org.spec, 1.1738, 1.1739 workspace.os131.patch, 1.1, 1.2 workspace.pdfextfix02.patch, 1.2, 1.3
- Next message (by thread): rpms/perl-FileHandle-Unget/devel .cvsignore, 1.3, 1.4 perl-FileHandle-Unget.spec, 1.10, 1.11 sources, 1.3, 1.4
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: caolanm
Update of /cvs/pkgs/rpms/openoffice.org/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30927
Added Files:
workspace.hb311fixes01.patch
Log Message:
Resolves: CVE-2009-0200/CVE-2009-0201
workspace.hb311fixes01.patch:
ww8par2.cxx | 61 ++++++++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 49 insertions(+), 12 deletions(-)
--- NEW FILE workspace.hb311fixes01.patch ---
Index: sw/source/filter/ww8/ww8par2.cxx
===================================================================
--- sw/source/filter/ww8/ww8par2.cxx (.../tags/OOO310_m14) (revision 275245)
+++ sw/source/filter/ww8/ww8par2.cxx (.../cws/hb311fixes01) (revision 275245)
@@ -1399,14 +1401,34 @@
if( nWwCols && pParamsTInsert ) // set one or more cell length(s)
{
BYTE nitcInsert = pParamsTInsert[0]; // position at which to insert
+ if (nitcInsert >= MAX_COL) // cannot insert into cell outside max possible index
+ return;
BYTE nctc = pParamsTInsert[1]; // number of cells
USHORT ndxaCol = SVBT16ToShort( pParamsTInsert+2 );
short nNewWwCols;
if (nitcInsert > nWwCols)
+ {
nNewWwCols = nitcInsert+nctc;
+ //if new count would be outside max possible count, clip it, and calc a new replacement
+ //legal nctc
+ if (nNewWwCols > MAX_COL)
+ {
+ nNewWwCols = MAX_COL;
+ nctc = ::sal::static_int_cast<BYTE>(nNewWwCols-nitcInsert);
+ }
+ }
else
+ {
nNewWwCols = nWwCols+nctc;
+ //if new count would be outside max possible count, clip it, and calc a new replacement
+ //legal nctc
+ if (nNewWwCols > MAX_COL)
+ {
+ nNewWwCols = MAX_COL;
+ nctc = ::sal::static_int_cast<BYTE>(nNewWwCols-nWwCols);
+ }
+ }
WW8_TCell *pTC2s = new WW8_TCell[nNewWwCols];
setcelldefaults(pTC2s, nNewWwCols);
@@ -1542,25 +1564,42 @@
if( nWwCols && pParamsTDelete ) // set one or more cell length(s)
{
BYTE nitcFirst= pParamsTDelete[0]; // first col to be deleted
+ if (nitcFirst >= nWwCols) // first index to delete from doesn't exist
+ return;
BYTE nitcLim = pParamsTDelete[1]; // (last col to be deleted)+1
+ if (nitcLim <= nitcFirst) // second index to delete to is not greater than first index
+ return;
- BYTE nShlCnt = static_cast< BYTE >(nWwCols - nitcLim); // count of cells to be shifted
+ /*
+ * sprmTDelete causes any rgdxaCenter and rgtc entries whose index is
+ * greater than or equal to itcLim to be moved
+ */
+ int nShlCnt = nWwCols - nitcLim; // count of cells to be shifted
+ if (nShlCnt >= 0) //There exist entries whose index is greater than or equal to itcLim
+ {
+ WW8_TCell* pAktTC = pTCs + nitcFirst;
+ int i = 0;
+ while( i < nShlCnt )
+ {
+ // adjust the left x-position
+ nCenter[nitcFirst + i] = nCenter[nitcLim + i];
- WW8_TCell* pAktTC = pTCs + nitcFirst;
- int i = 0;
- for( ; i < nShlCnt; i++, ++pAktTC )
- {
- // adjust the left x-position
+ // adjust the cell's borders
+ *pAktTC = pTCs[ nitcLim + i];
+
+ ++i;
+ ++pAktTC;
+ }
+ // adjust the left x-position of the dummy at the very end
nCenter[nitcFirst + i] = nCenter[nitcLim + i];
-
- // adjust the cell's borders
- *pAktTC = pTCs[ nitcLim + i];
}
- // adjust the left x-position of the dummy at the very end
- nCenter[nitcFirst + i] = nCenter[nitcLim + i];
- nWwCols -= (nitcLim - nitcFirst);
+ short nCellsDeleted = nitcLim - nitcFirst;
+ //clip delete request to available number of cells
+ if (nCellsDeleted > nWwCols)
+ nCellsDeleted = nWwCols;
+ nWwCols -= nCellsDeleted;
}
}
- Previous message (by thread): rpms/openoffice.org/F-10 openoffice.org-3.1.1.ooo104329.dbaccess.primarykeys.patch, 1.2, 1.3 openoffice.org.spec, 1.1738, 1.1739 workspace.os131.patch, 1.1, 1.2 workspace.pdfextfix02.patch, 1.2, 1.3
- Next message (by thread): rpms/perl-FileHandle-Unget/devel .cvsignore, 1.3, 1.4 perl-FileHandle-Unget.spec, 1.10, 1.11 sources, 1.3, 1.4
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list