Red Hat Bugzilla – Attachment 584890 Details for
Bug 821803
CVE-2012-2334 openoffice.org, libreoffice: Integer overflow leading to buffer overflow by processing invalid Escher graphics records length in the Powerpoint documents
[patch]
RHEL-5 backport
RHEL5.CVE-2012-2334.patch (text/plain), 4.79 KB, created by
Caolan McNamara
on 2012-05-16 08:16:27 UTC
Description:
RHEL-5 backport
Filename:
MIME Type:
Creator:
Caolan McNamara
Created:
2012-05-16 08:16:27 UTC
Size:
4.79 KB
patch
obsolete
>diff -ru OOO310_m19/svx/inc/svx/msdffdef.hxx OOO310_m19/svx/inc/svx/msdffdef.hxx
>--- OOO310_m19/svx/inc/svx/msdffdef.hxx 2012-05-15 15:56:03.128216659 +0100
>+++ OOO310_m19/svx/inc/svx/msdffdef.hxx 2012-05-15 16:28:14.147796054 +0100
>@@ -43,6 +43,9 @@
> 
> #define DFF_COMMON_RECORD_HEADER_SIZE 8
> 
>+const sal_uInt32 nMaxLegalDffRecordLength = \
>+ SAL_MAX_UINT32 - DFF_COMMON_RECORD_HEADER_SIZE;
>+
> #define DFF_PSFLAG_CONTAINER 0x0F // If the version field of a record
> // header takes on this value, the
> // record header marks the start of
>@@ -1238,9 +1241,20 @@
> FASTBOOL IsContainer() const { return nRecVer == DFF_PSFLAG_CONTAINER; }
> ULONG GetRecBegFilePos() const { return nFilePos; }
> ULONG GetRecEndFilePos() const { return nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen; }
>- void SeekToEndOfRecord(SvStream& rIn) const { rIn.Seek(nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen ); }
>- void SeekToContent( SvStream& rIn) const { rIn.Seek(nFilePos + DFF_COMMON_RECORD_HEADER_SIZE ); }
>- void SeekToBegOfRecord(SvStream& rIn) const { rIn.Seek( nFilePos ); }
>+ bool SeekToEndOfRecord(SvStream& rIn) const
>+ {
>+ sal_Size nPos = nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen;
>+ return nPos == rIn.Seek(nPos);
>+ }
>+ bool SeekToContent(SvStream& rIn) const
>+ {
>+ sal_Size nPos = nFilePos + DFF_COMMON_RECORD_HEADER_SIZE;
>+ return nPos == rIn.Seek(nPos);
>+ }
>+ bool SeekToBegOfRecord(SvStream& rIn) const
>+ {
>+ return nFilePos == rIn.Seek(nFilePos);
>+ }
> 
> SVX_DLLPUBLIC friend SvStream& operator>>(SvStream& rIn, DffRecordHeader& rRec);
> 
>diff -ru OOO310_m19/svx/source/msfilter/msdffimp.cxx OOO310_m19/svx/source/msfilter/msdffimp.cxx
>--- OOO310_m19/svx/source/msfilter/msdffimp.cxx 2012-05-15 15:56:02.981214858 +0100
>+++ OOO310_m19/svx/source/msfilter/msdffimp.cxx 2012-05-15 16:29:41.978880806 +0100
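Review bot: The trailing backslash in `const sal_uInt32 nMaxLegalDffRecordLength = \` is a preprocessor line continuation that does nothing here, because this is an ordinary declaration rather than a macro; the initializer can simply wrap onto the next line without it. A one-line comment stating what the constant guarantees would also help, since the name alone does not say so: `// Largest nRecLen for which DFF_COMMON_RECORD_HEADER_SIZE + nRecLen cannot wrap a sal_uInt32.` Note that this bound covers only the header-plus-length sum, not the sum with nFilePos that GetRecEndFilePos and the new SeekToEndOfRecord compute.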
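Review bot: `sal_Size nPos = nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen;` in SeekToEndOfRecord can still wrap on a 32-bit build even when nRecLen is within nMaxLegalDffRecordLength, because that constant leaves room only for the 8-byte header and not for nFilePos; a wrapped nPos is a small, seekable offset, so the method would return true and the caller would carry on parsing from the wrong place. Guarding the sum before seeking closes that gap: `if (nFilePos > nMaxLegalDffRecordLength || nRecLen > nMaxLegalDffRecordLength - nFilePos) return false;`. The void-to-bool change is also silent for any caller outside this patch that still invokes these methods as a statement; such call sites keep the old behaviour of running on after a failed seek, so it is worth grepping for them. GetRecEndFilePos two lines above performs the same arithmetic and has the same wrap.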
>@@ -216,6 +216,11 @@
> static sal_uInt32 nMSOleObjCntr = 0;
> #define MSO_OLE_Obj "MSO_OLE_Obj"
> 
>+/*************************************************************************/
>+bool lclGood(const SvStream &rStream)
>+{
>+ return rStream.GetError() == 0 && !rStream.IsEof();
>+}
> 
> /*************************************************************************/
> BOOL Impl_OlePres::Read( SvStream & rStm )
>@@ -3428,7 +3433,7 @@
> rSt >> aEscherF002Hd;
> ULONG nEscherF002End = aEscherF002Hd.GetRecEndFilePos();
> DffRecordHeader aEscherObjListHd;
>- while ( rSt.Tell() < nEscherF002End )
>+ while (lclGood(rSt) && rSt.Tell() < nEscherF002End)
> {
> rSt >> aEscherObjListHd;
> if ( aEscherObjListHd.nRecVer != 0xf )
>@@ -3462,9 +3467,16 @@
> FASTBOOL bRet = FALSE;
> ULONG nFPosMerk = rSt.Tell(); // FilePos merken fuer ggf. spaetere Restauration
> DffRecordHeader aHd;
>+ // make sure that we move somewhere with every iteration
>+ sal_Size nStPos;
> do
> {
>+ nStPos = rSt.Tell();
> rSt >> aHd;
>+ if (!lclGood(rSt))
>+ break;
>+ if (aHd.nRecLen > nMaxLegalDffRecordLength)
>+ break;
> if ( aHd.nRecType == nRecId )
> {
> if ( nSkipCount )
>@@ -3479,9 +3491,13 @@
> }
> }
> if ( !bRet )
>- aHd.SeekToEndOfRecord( rSt );
>+ {
>+ bool bSeekSuccess = aHd.SeekToEndOfRecord( rSt );
>+ if (!bSeekSuccess)
>+ break;
>+ }
> }
>- while ( rSt.GetError() == 0 && rSt.Tell() < nMaxFilePos && !bRet );
>+ while ( lclGood(rSt) && rSt.Tell() < nMaxFilePos && rSt.Tell() != nStPos && !bRet );
> if ( !bRet )
> rSt.Seek( nFPosMerk ); // FilePos restaurieren
> return bRet;
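Review bot: `bool lclGood(const SvStream &rStream)` is defined at namespace scope with external linkage, so despite the lcl prefix it is visible to every translation unit linked into the library and will clash with any other lclGood of the same signature. Declaring it `static bool lclGood(const SvStream &rStream)` (or placing it in an anonymous namespace) makes the linkage match what the name promises. A short comment on what "good" means would also help readers of the call sites, e.g. `// true while the stream has no error flag set and has not yet hit EOF; checked before each header read`, since IsEof reports a state already reached rather than whether the next read will succeed — I cannot confirm the precise SvStream semantics from this hunk.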
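Review bot: The new `rSt.Tell() != nStPos` term in the do-while condition only rejects an iteration that made no progress; it still accepts one that landed before the header it just read, which the unchecked `nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen` sum inside SeekToEndOfRecord can produce on a 32-bit build (the nRecLen check added in the preceding @@ -3462 hunk bounds nRecLen alone, not that sum). Every record is expected to end after the position its header was read from, so requiring forward motion is the stricter and equally cheap check: `while ( lclGood(rSt) && rSt.Tell() < nMaxFilePos && rSt.Tell() > nStPos && !bRet );`. That presumes operator>> stores the pre-read position in nFilePos, which GetRecBegFilePos suggests but this patch does not show. The enclosing function begins before the @@ -3462 hunk and its signature is not visible here.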
>@@ -6145,10 +6161,18 @@
> 
> if ( mnIdClusters-- > 2 )
> {
>- if ( aDggAtomHd.nRecLen == ( mnIdClusters * sizeof( FIDCL ) + 16 ) )
>+ const sal_Size nFIDCLsize = sizeof(sal_uInt32) * 2;
>+ if ( aDggAtomHd.nRecLen == ( mnIdClusters * nFIDCLsize + 16 ) )
> {
>+ sal_Size nStCtrlCurr = rStCtrl.Tell();
>+ sal_Size nStCtrlEnd = rStCtrl.Seek(STREAM_SEEK_TO_END);
>+ sal_Size nMaxEntriesPossible = ( nStCtrlEnd - nStCtrlCurr ) / nFIDCLsize;
>+ rStCtrl.Seek(nStCtrlCurr);
>+ mnIdClusters = std::min(nMaxEntriesPossible, static_cast<sal_Size>(mnIdClusters));
>+
> mpFidcls = new FIDCL[ mnIdClusters ];
>- for ( UINT32 i = 0; i < mnIdClusters; i++ )
>+ memset(mpFidcls, 0, mnIdClusters * sizeof(FIDCL));
>+ for (sal_uInt32 i = 0; i < mnIdClusters; ++i)
> {
> rStCtrl >> mpFidcls[ i ].dgid
> >> mpFidcls[ i ].cspidCur;
>@@ -7020,7 +7044,11 @@
> rSt >> nTmp >> rFbt >> rLength;
> rVer = sal::static_int_cast< BYTE >(nTmp & 15);
> rInst = nTmp >> 4;
>- return rSt.GetError() == 0;
>+ if (!lclGood(rSt))
>+ return false;
>+ if (rLength > nMaxLegalRecordLength)
>+ return false;
>+ return true;
> }
> 
>
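Review bot: `sal_Size nMaxEntriesPossible = ( nStCtrlEnd - nStCtrlCurr ) / nFIDCLsize;` is an unsigned subtraction with no check that the seek to STREAM_SEEK_TO_END succeeded and returned a position at or beyond nStCtrlCurr; if SvStream::Seek signals failure by returning something smaller (its contract is not visible in this hunk), the difference wraps to a huge value and the cap on mnIdClusters — the whole point of the new lines — is lost before `new FIDCL[ mnIdClusters ]`. Checking the order before dividing keeps the cap meaningful: `sal_Size nMaxEntriesPossible = (nStCtrlEnd > nStCtrlCurr) ? (nStCtrlEnd - nStCtrlCurr) / nFIDCLsize : 0;`. The size comparison deliberately uses the on-disk nFIDCLsize while memset and the array use sizeof(FIDCL); a comment such as `// nFIDCLsize is the on-disk entry size; sizeof(FIDCL) may include padding` would stop a later reader from "fixing" one to match the other. The enclosing function and the read loop both continue past the end of this hunk.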
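Review bot: `if (rLength > nMaxLegalRecordLength)` names a constant this patch never defines; the header hunk introduces `nMaxLegalDffRecordLength`, and unless msdffimp.cxx already has a separate nMaxLegalRecordLength that I cannot see here, this will either fail to compile or silently compare against a bound with different semantics. The two names should agree, and the three statements read more directly as one expression: `return lclGood(rSt) && rLength <= nMaxLegalDffRecordLength;`. The enclosing function's signature is outside the hunk, so the types of rLength and the return value are inferred from the surrounding lines.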