include/oox/vml/vmlshapecontainer.hxx | 8 ++++---- include/oox/vml/vmlshapecontext.hxx | 9 +++++---- oox/source/vml/vmlshapecontainer.cxx | 4 ++-- oox/source/vml/vmlshapecontext.cxx | 30 ++++++++++++++++++------------ svtools/source/svrtf/svparser.cxx | 3 ++- 5 files changed, 31 insertions(+), 23 deletions(-)
New commits: commit 756949c06b8bf933bcd13a226f449b8909cbf3ae Author: Michael Stahl <[email protected]> Date: Thu Sep 7 23:01:26 2017 +0200 svtools: HTML import: don't put lone surrogates in OUString The bytes "ed b3 b5" in fdo67610-1.doc (which, as the name indicates, is an HTML file) are converted to the lone UTF-16 surrogate "dcf5", which is inserted into SwTextNode and causes asserts later on. The actual encoding of the HTML document is probably GBK (at least VIM doesn't display any missing characters with that), but because it doesn't contain any indication of its encoding it's apparently imported as UTF-8; the ImplConvertUtf8ToUnicode() thinking a surrogate code point is valid even if the Java-compatible mode RTL_TEXTENCODING_JAVA_UTF8 is not specified is a bit of a surprise. [note: the master commit says "JSON-compatible mode" but i was confusing different text encoding perversions there] Change-Id: Idd788d9d461fed150171dd907439166f3075a834 (cherry picked from commit fc670f637d4271246691904fd649358ce2e7be59) Reviewed-on: https://gerrit.libreoffice.org/42101 Tested-by: Jenkins <[email protected]> Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]>
diff --git a/svtools/source/svrtf/svparser.cxx b/svtools/source/svrtf/svparser.cxx
index 0540e172be10..ca4f389b83b5 100644
--- a/svtools/source/svrtf/svparser.cxx
+++ b/svtools/source/svrtf/svparser.cxx
@@ -390,7 +390,8 @@ sal_uInt32 SvParser::GetNextChar() while( 0 == nChars && !bErr ); } - if ( ! rtl::isUnicodeCodePoint( c ) ) + // Note: ImplConvertUtf8ToUnicode() may produce a surrogate! + if (!rtl::isUnicodeCodePoint(c) || rtl::isHighSurrogate(c) || rtl::isLowSurrogate(c)) c = (sal_uInt32) '?' ; if( bErr ) commit 7c7c19d80e6a6327be563a18febc3854d9a38daf Author: Michael Stahl <[email protected]> Date: Wed Sep 13 10:48:38 2017 +0200 tdf#112311 oox: fix UAF of std::shared_ptr OOXMLFastContextHandlerShape::sendShape() deletes the parent context's ShapeTypeContext::mrTypeModel. It looks like the sendShape() can't be delayed because writerfilter wants to import the v:textbox content into a text frame. Keep the shape alive until the end of the containing context. Not sure if it's going to process the v:fill element properly, but at lest valgrind is happy. (probably regression from CWS writerfilter32bugfixes01) Change-Id: Ifeab84751a1b20b2f272c4dd74b7097deb5eece0 (cherry picked from commit 88c84e71e2559ec6d0b4f8c5101a149daa4a2b2b) Reviewed-on: https://gerrit.libreoffice.org/42245 Tested-by: Jenkins <[email protected]> Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> diff --git a/include/oox/vml/vmlshapecontainer.hxx b/include/oox/vml/vmlshapecontainer.hxx index 76e294fc279d..692beafad555 100644 --- a/include/oox/vml/vmlshapecontainer.hxx +++ b/include/oox/vml/vmlshapecontainer.hxx @@ -61,10 +61,10 @@ public: Drawing& getDrawing() { return mrDrawing; } /** Creates and returns a new shape template object. */ - ShapeType& createShapeType(); + std::shared_ptr<ShapeType> createShapeType(); /** Creates and returns a new shape object of the specified type. */ template< typename ShapeT > - ShapeT& createShape(); + std::shared_ptr<ShapeT> createShape(); /** Final processing after import of the drawing fragment. */ void finalizeFragmentImport(); 
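Review bot: The comment added above the new condition in the svparser.cxx hunk names the converter but not the invariant the check protects, so the two surrogate tests could later be dropped as if they were redundant with `rtl::isUnicodeCodePoint(c)`. I would word it as `// c must not be a surrogate when it is handed on as a single character; ImplConvertUtf8ToUnicode() can emit a lone one (e.g. for bytes ED B3 B5)`. The check sits after the conversion loop and therefore applies to whatever value reached `c`; GetNextChar() starts above the hunk, so whether another branch there can legitimately deliver one half of a valid UTF-16 pair, which would now also become '?', cannot be seen from here and is worth confirming.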
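Review bot: The doc comments on `createShapeType()` and `createShape()` in the vmlshapecontainer.hxx hunk are unchanged although both now return a shared owner instead of a reference, so the header does not say who is expected to hold the pointer. Something like `/** Creates a new shape template object, stores it in this container and returns a shared owner of it; keep the pointer for as long as references into the object are in use. */` would record why the return type changed. The class declaration continues outside the hunk, so any other member that still hands out plain references to stored shapes is not visible here.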
@@ -123,11 +123,11 @@ private: template< typename ShapeT > -ShapeT& ShapeContainer::createShape() +std::shared_ptr<ShapeT> ShapeContainer::createShape() { std::shared_ptr< ShapeT > xShape( new ShapeT( mrDrawing ) ); maShapes.push_back( xShape ); - return *xShape; + return xShape; } template< typename Functor > diff --git a/include/oox/vml/vmlshapecontext.hxx b/include/oox/vml/vmlshapecontext.hxx index 1c1565b62397..14533b8b35ab 100644 --- a/include/oox/vml/vmlshapecontext.hxx +++ b/include/oox/vml/vmlshapecontext.hxx @@ -99,7 +99,7 @@ class ShapeTypeContext : public ShapeContextBase public: explicit ShapeTypeContext( ::oox::core::ContextHandler2Helper& rParent, - ShapeType& rShapeType, + std::shared_ptr<ShapeType> const& pShapeType, const AttributeList& rAttribs ); virtual ::oox::core::ContextHandlerRef @@ -113,6 +113,7 @@ private: OptValue< OUString > decodeFragmentPath( const AttributeList& rAttribs, sal_Int32 nToken ) const; private: + std::shared_ptr<ShapeType> m_pShapeType; ShapeTypeModel& mrTypeModel; }; @@ -122,7 +123,7 @@ class ShapeContext : public ShapeTypeContext public: explicit ShapeContext( ::oox::core::ContextHandler2Helper& rParent, - ShapeBase& rShape, + std::shared_ptr<ShapeBase> pShape, const AttributeList& rAttribs ); virtual ::oox::core::ContextHandlerRef @@ -155,7 +156,7 @@ class GroupShapeContext : public ShapeContext public: explicit GroupShapeContext( ::oox::core::ContextHandler2Helper& rParent, - GroupShape& rShape, + std::shared_ptr<GroupShape> pShape, const AttributeList& rAttribs ); virtual ::oox::core::ContextHandlerRef @@ -172,7 +173,7 @@ public: explicit RectangleShapeContext( ::oox::core::ContextHandler2Helper& rParent, const AttributeList& rAttribs, - RectangleShape& rShape ); + std::shared_ptr<RectangleShape> pShape); virtual ::oox::core::ContextHandlerRef onCreateContext( sal_Int32 nElement, const AttributeList& rAttribs ) override; 
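Review bot: In the private section of ShapeTypeContext (vmlshapecontext.hxx, hunk at -113) the new `m_pShapeType` carries no comment, yet `mrTypeModel` directly below it refers into the object it owns and the constructor in vmlshapecontext.cxx initializes the two in exactly that order. A comment such as `// Owner of the shape type; mrTypeModel and the references kept by derived contexts point into it, so it must stay declared first` would keep a later reorder or cleanup from reintroducing the dangling reference. The derived constructors take their shared_ptr by value and keep only what appear to be references (`mrShape`, `mrShapeModel`, `mrShapes`), so they rely on this base member for lifetime as well.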
diff --git a/oox/source/vml/vmlshapecontainer.cxx b/oox/source/vml/vmlshapecontainer.cxx index 055365202d5d..31359f862fba 100644 --- a/oox/source/vml/vmlshapecontainer.cxx +++ b/oox/source/vml/vmlshapecontainer.cxx @@ -59,11 +59,11 @@ ShapeContainer::~ShapeContainer() { } -ShapeType& ShapeContainer::createShapeType() +std::shared_ptr<ShapeType> ShapeContainer::createShapeType() { std::shared_ptr< ShapeType > xShape( new ShapeType( mrDrawing ) ); maTypes.push_back( xShape ); - return *xShape; + return xShape; } void ShapeContainer::finalizeFragmentImport() diff --git a/oox/source/vml/vmlshapecontext.cxx b/oox/source/vml/vmlshapecontext.cxx index dc654223aca6..0ed9ea735049 100644 --- a/oox/source/vml/vmlshapecontext.cxx +++ b/oox/source/vml/vmlshapecontext.cxx @@ -266,9 +266,12 @@ ContextHandlerRef ShapeContextBase::createShapeContext( ContextHandler2Helper& r return nullptr; } -ShapeTypeContext::ShapeTypeContext( ContextHandler2Helper& rParent, ShapeType& rShapeType, const AttributeList& rAttribs ) : - ShapeContextBase( rParent ), - mrTypeModel( rShapeType.getTypeModel() ) +ShapeTypeContext::ShapeTypeContext(ContextHandler2Helper& rParent, + std::shared_ptr<ShapeType> const& pShapeType, + const AttributeList& rAttribs) + : ShapeContextBase(rParent) + , m_pShapeType(pShapeType) // tdf#112311 keep it alive + , mrTypeModel( pShapeType->getTypeModel() ) { // shape identifier and shape name bool bHasOspid = rAttribs.hasAttribute( O_TOKEN( spid ) ); 
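Review bot: The ShapeTypeContext constructor in the vmlshapecontext.cxx hunk now dereferences `pShapeType` in its initializer list (`pShapeType->getTypeModel()`) with nothing stating that the pointer must be non-empty, a state the old `ShapeType&` parameter could not express. The producers visible in this commit, `createShapeType()` and `createShape()`, always return a freshly allocated object, so this reads as an undocumented precondition rather than a live bug; I would add `// precondition: pShapeType is non-empty, it is dereferenced in the initializer list` above the constructor, and any debug assertion has to sit before that dereference rather than in the body. The same applies to `*pShape` and `pShape->getShapeModel()` in ShapeContext and to `pShape->getChildren()` in GroupShapeContext in the later hunks of this file. The constructor body continues outside the hunk.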
@@ -429,10 +432,11 @@ void ShapeTypeContext::setStyle( const OUString& rStyle ) } } -ShapeContext::ShapeContext( ContextHandler2Helper& rParent, ShapeBase& rShape, const AttributeList& rAttribs ) : - ShapeTypeContext( rParent, rShape, rAttribs ), - mrShape( rShape ), - mrShapeModel( rShape.getShapeModel() ) +ShapeContext::ShapeContext(ContextHandler2Helper& rParent, + std::shared_ptr<ShapeBase> pShape, const AttributeList& rAttribs) + : ShapeTypeContext( rParent, pShape, rAttribs ) + , mrShape( *pShape ) + , mrShapeModel( pShape->getShapeModel() ) { // collect shape specific attributes mrShapeModel.maType = rAttribs.getXString( XML_type, OUString() ); @@ -519,9 +523,10 @@ void ShapeContext::setVmlPath( const OUString& rPath ) mrShapeModel.maVmlPath = rPath; } -GroupShapeContext::GroupShapeContext( ContextHandler2Helper& rParent, GroupShape& rShape, const AttributeList& rAttribs ) : - ShapeContext( rParent, rShape, rAttribs ), - mrShapes( rShape.getChildren() ) +GroupShapeContext::GroupShapeContext(ContextHandler2Helper& rParent, + std::shared_ptr<GroupShape> pShape, const AttributeList& rAttribs) + : ShapeContext( rParent, pShape, rAttribs ) + , mrShapes( pShape->getChildren() ) { } @@ -533,8 +538,9 @@ ContextHandlerRef GroupShapeContext::onCreateContext( sal_Int32 nElement, const return xContext.get() ? xContext : ShapeContext::onCreateContext( nElement, rAttribs ); } -RectangleShapeContext::RectangleShapeContext( ContextHandler2Helper& rParent, const AttributeList& rAttribs, RectangleShape& rShape ) : - ShapeContext( rParent, rShape, rAttribs ) +RectangleShapeContext::RectangleShapeContext(ContextHandler2Helper& rParent, + const AttributeList& rAttribs, std::shared_ptr<RectangleShape> pShape) + : ShapeContext( rParent, pShape, rAttribs ) { }
