chart2/source/tools/InternalDataProvider.cxx
| 7
configure.ac
| 2
connectivity/source/commontools/dbconversion.cxx
| 9
connectivity/source/drivers/dbase/DTable.cxx
| 13 -
connectivity/source/parse/sqlbison.y
| 6
download.lst
| 18 -
external/icu/UnpackedTarball_icu.mk
| 2
external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2
| 94 ++++++++++
external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2
| 39 ++++
external/libjpeg-turbo/UnpackedTarball_libjpeg-turbo.mk
| 1
external/libjpeg-turbo/c76f4a08263b0cea40d2967560ac7c21f6959079.patch.1
| 38 ++++
external/libmwaw/Library_mwaw.mk
| 4
external/libodfgen/0001-tdf-101077-make-double-string-conversion-locale-agno.patch.1
| 58 ------
external/libodfgen/ExternalProject_libodfgen.mk
| 4
external/libodfgen/Library_odfgen.mk
| 3
external/libodfgen/UnpackedTarball_libodfgen.mk
| 8
external/libodfgen/c++11.patch
| 44 ----
external/libodfgen/libodfgen-bundled-soname.patch.0
| 5
include/vcl/BitmapTools.hxx
| 5
lotuswordpro/source/filter/lwpfribptr.cxx
| 35 +--
lotuswordpro/source/filter/lwpfribptr.hxx
| 4
sc/source/core/tool/compiler.cxx
| 9
sc/source/core/tool/interpr1.cxx
| 2
solenv/flatpak-manifest.in
| 12 -
svtools/source/svhtml/parhtml.cxx
| 6
sw/qa/core/data/html/pass/ofz40593-1.html
|binary
sw/qa/core/data/ww5/pass/ooo37322-1-WW2.doc
|binary
sw/qa/core/data/ww8/pass/ofz34749-1.doc
|binary
sw/qa/core/data/ww8/pass/ofz38011-1.doc
|binary
sw/source/core/inc/layact.hxx
| 8
sw/source/core/layout/layact.cxx
| 65 ++++++
sw/source/core/layout/objectformattertxtfrm.cxx
| 2
sw/source/core/layout/pagechg.cxx
| 2
sw/source/core/text/itrform2.cxx
| 4
sw/source/core/undo/undobj.cxx
| 11 -
sw/source/filter/html/htmltab.cxx
| 32 +++
sw/source/filter/ww8/ww8par.cxx
| 13 +
sw/source/filter/ww8/ww8par.hxx
| 12 +
sw/source/filter/ww8/ww8par2.cxx
| 9
sw/source/filter/ww8/ww8par6.cxx
| 3
tools/source/generic/poly.cxx
| 2
vcl/source/graphic/Manager.cxx
| 7
vcl/unx/generic/printer/cpdmgr.cxx
| 49 ++---
43 files changed, 443 insertions(+), 204 deletions(-)
New commits:
commit 3b6d7bc04719a0ff069af912a8cdb29d0d06dc2f
Author: Stephan Bergmann <[email protected]>
AuthorDate: Tue Sep 14 12:20:48 2021 +0200
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:58:25 2021 +0100
Adapt to Bison 3.8 internal yyn -> yyrule rename
see
<https://git.savannah.gnu.org/cgit/bison.git/commit/?id=f30067ed51f23802fc91761ede1506dfa72b2865>
"glr2.cc: log the execution of deferred actions" including "Rename argument
yyn
as yyrule for clarity."
YYBISON was defined as 1 rather than as a representation of the Bison
version
prior to
<https://git.savannah.gnu.org/cgit/bison.git/commit/?id=21c147b6e5372563b7c4741deadaddb9354f4b09>
"yacc.c: provide the Bison version as an integral macro", which shouldn't
be a
problem here. And YYBISON is apparently completely undefined with
/usr/bin/bison on macOS.
(The preceding comment always mentioned "yyi" and "yyrmap" in apparent
mismatch
with the actually used "yyn" and "yyr1" ever since
c25ec0608a167bcf1d891043f02273761c351701 "initial import", so just leave it
untouched.)
Change-Id: I4f901407aa21ed4abec84e661d813ee7599f02f0
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/122082
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <[email protected]>
(cherry picked from commit 45227d9b79dc4f2a2aa6874cd4e3c02b7934b197)
diff --git a/connectivity/source/parse/sqlbison.y
b/connectivity/source/parse/sqlbison.y
index c9d423e3219c..6fa996b5e474 100644
--- a/connectivity/source/parse/sqlbison.y
+++ b/connectivity/source/parse/sqlbison.y
@@ -74,9 +74,15 @@ inline connectivity::OSQLInternalNode* newNode(const
OUString& _newValue,
// yyi is the internal number of the rule that is currently being reduced
// This can be mapped to external rule number via the yyrmap.
+#if defined YYBISON && YYBISON >= 30800
+#define SQL_NEW_RULE newNode("", SQLNodeType::Rule,
yyr1[yyrule])
+#define SQL_NEW_LISTRULE newNode("", SQLNodeType::ListRule,
yyr1[yyrule])
+#define SQL_NEW_COMMALISTRULE newNode("", SQLNodeType::CommaListRule,
yyr1[yyrule])
+#else
#define SQL_NEW_RULE newNode("", SQLNodeType::Rule,
yyr1[yyn])
#define SQL_NEW_LISTRULE newNode("", SQLNodeType::ListRule,
yyr1[yyn])
#define SQL_NEW_COMMALISTRULE newNode("", SQLNodeType::CommaListRule,
yyr1[yyn])
+#endif
extern connectivity::OSQLParser* xxx_pGLOBAL_SQLPARSER;
commit e9ef675d3c4d4df7ba660e62302c5e737740998c
Author: Michael Stahl <[email protected]>
AuthorDate: Tue Nov 16 14:41:57 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:58:20 2021 +0100
postgresql: upgrade to release 13.5
Fixes CVE-2021-23222.
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/125308
Tested-by: Jenkins
Reviewed-by: Michael Stahl <[email protected]>
(cherry picked from commit 71b9369f1cc40143108e3f2189d96e402895e315)
Change-Id: I4e16fcc60c634382a864f66b211d0e0170a06db0
diff --git a/download.lst b/download.lst
index 8f1444d047b9..90a070010620 100644
--- a/download.lst
+++ b/download.lst
@@ -232,8 +232,8 @@ export LIBPNG_SHA256SUM :=
505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201f
export LIBPNG_TARBALL := libpng-1.6.37.tar.xz
export POPPLER_SHA256SUM :=
016dde34e5f868ea98a32ca99b643325a9682281500942b7113f4ec88d20e2f3
export POPPLER_TARBALL := poppler-21.01.0.tar.xz
-export POSTGRESQL_SHA256SUM :=
a754c02f7051c2f21e52f8669a421b50485afcde9a581674d6106326b189d126
-export POSTGRESQL_TARBALL := postgresql-9.2.24.tar.bz2
+export POSTGRESQL_SHA256SUM :=
12345c83b89aa29808568977f5200d6da00f88a035517f925293355432ffe61f
+export POSTGRESQL_TARBALL := postgresql-13.1.tar.bz2
export PYTHON_SHA256SUM :=
f8d82e7572c86ec9d55c8627aae5040124fd2203af400c383c821b980306ee6b
export PYTHON_TARBALL := Python-3.7.10.tar.xz
export QRCODEGEN_SHA256SUM :=
fcdf9fd69fde07ae4dca2351d84271a9de8093002f733b77c70f52f1630f6e4a
commit 5de2a1a517384666a8d676c6345e2d6bc7803051
Author: Michael Stahl <[email protected]>
AuthorDate: Tue Nov 16 14:28:15 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:57:33 2021 +0100
ofz#40766 svtools, sw: HTMLParser: really stop inserting control chars
35d248cab1f0d4800f72abb5cb6afb56f40d9083 forgot to fix one place where
control characters were in a presumed XML declaration.
Another place looks missing where comments are handled, but it's not
clear if these can be passed on to Writer.
Revert the previous fix from commit
b3325ef8cdfc2c82eec34e747106f75a9fccb7e4.
Change-Id: I11ad13de9122533626e512ce0384051e3e5bd97f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/125306
Tested-by: Jenkins
Reviewed-by: Michael Stahl <[email protected]>
(cherry picked from commit a7116b890ccd6dd1721413b4de6591a8057668ef)
diff --git a/svtools/source/svhtml/parhtml.cxx
b/svtools/source/svhtml/parhtml.cxx
index 67f5a87862ad..563ef0f76755 100644
--- a/svtools/source/svhtml/parhtml.cxx
+++ b/svtools/source/svhtml/parhtml.cxx
@@ -1058,6 +1058,7 @@ HtmlTokenId HTMLParser::GetNextToken_()
sTmpBuffer.appendUtf32( nNextCh );
nNextCh = GetNextChar();
} while( '>' != nNextCh && '/' != nNextCh &&
!rtl::isAsciiWhiteSpace( nNextCh ) &&
+ !linguistic::IsControlChar(nNextCh) &&
IsParserWorking() && !rInput.eof() );
if( !sTmpBuffer.isEmpty() )
@@ -1135,8 +1136,11 @@ HtmlTokenId HTMLParser::GetNextToken_()
if( !bDone )
sTmpBuffer.appendUtf32(nNextCh);
}
- else
+ else if (!linguistic::IsControlChar(nNextCh)
+ || nNextCh == '\r' || nNextCh == '\n' ||
nNextCh == '\t')
+ {
sTmpBuffer.appendUtf32(nNextCh);
+ }
if( !bDone )
nNextCh = GetNextChar();
}
commit 0a097750d857ae927c101acaa32b5b6fa0119bb5
Author: Caolán McNamara <[email protected]>
AuthorDate: Mon Nov 1 17:34:23 2021 +0000
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:57:28 2021 +0100
ofz#40593 remove Objects from m_xResizeDrawObjects if deleted during parse
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124563
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit 2f01faaf88b6d172d7293f0c9e2a061d99b8ceb5)
fix misplaced line
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124630
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit 4ed359093c991291216c39cffe14a60e607ec551)
Change-Id: I11fa665175ef067a36f4822676c02d4df1e1e250
diff --git a/sw/qa/core/data/html/pass/ofz40593-1.html
b/sw/qa/core/data/html/pass/ofz40593-1.html
new file mode 100644
index 000000000000..43510d5d00b2
Binary files /dev/null and b/sw/qa/core/data/html/pass/ofz40593-1.html differ
diff --git a/sw/source/filter/html/htmltab.cxx
b/sw/source/filter/html/htmltab.cxx
index ce689df01b9d..670ed3ae7aeb 100644
--- a/sw/source/filter/html/htmltab.cxx
+++ b/sw/source/filter/html/htmltab.cxx
@@ -34,6 +34,7 @@
#include <svtools/htmlkywd.hxx>
#include <svl/urihelper.hxx>
#include <svl/listener.hxx>
+#include <svx/sdrobjectuser.hxx>
#include <sal/log.hxx>
#include <dcontact.hxx>
@@ -372,7 +373,7 @@ typedef std::vector<HTMLTableColumn> HTMLTableColumns;
typedef std::vector<SdrObject *> SdrObjects;
-class HTMLTable
+class HTMLTable : public sdr::ObjectUser
{
OUString m_aId;
OUString m_aStyle;
@@ -520,6 +521,8 @@ private:
sal_uInt16 GetBorderWidth( const SvxBorderLine& rBLine,
bool bWithDistance=false ) const;
+ virtual void ObjectInDestruction(const SdrObject& rObject) override;
+
public:
bool m_bFirstCell; // is there a cell created already?
@@ -529,7 +532,7 @@ public:
bool bHasToFly,
const HTMLTableOptions& rOptions);
- ~HTMLTable();
+ virtual ~HTMLTable();
// Identifying of a cell
const HTMLTableCell& GetCell(sal_uInt16 nRow, sal_uInt16 nCell) const;
@@ -1065,11 +1068,33 @@ bool SwHTMLParser::IsReqIF() const
return m_bReqIF;
}
+// if any m_pResizeDrawObjects members are deleted during parse, remove them
+// from m_pResizeDrawObjects and m_pDrawObjectPrcWidths
+void HTMLTable::ObjectInDestruction(const SdrObject& rObject)
+{
+ auto it = std::find(m_pResizeDrawObjects->begin(),
m_pResizeDrawObjects->end(), &rObject);
+ assert(it != m_pResizeDrawObjects->end());
+ auto nIndex = std::distance(m_pResizeDrawObjects->begin(), it);
+ m_pResizeDrawObjects->erase(it);
+ auto otherit = m_pDrawObjectPrcWidths->begin() + nIndex * 3;
+ m_pDrawObjectPrcWidths->erase(otherit, otherit + 3);
+}
+
HTMLTable::~HTMLTable()
{
m_pParser->DeregisterHTMLTable(this);
- m_pResizeDrawObjects.reset();
+ if (m_pResizeDrawObjects)
+ {
+ size_t nCount = m_pResizeDrawObjects->size();
+ for (size_t i = 0; i < nCount; ++i)
+ {
+ SdrObject *pObj = (*m_pResizeDrawObjects)[i];
+ pObj->RemoveObjectUser(*this);
+ }
+ m_pResizeDrawObjects.reset();
+ }
+
m_pDrawObjectPrcWidths.reset();
m_pContext.reset();
@@ -2483,6 +2508,7 @@ void HTMLTable::RegisterDrawObject( SdrObject *pObj,
sal_uInt8 nPrcWidth )
if( !m_pResizeDrawObjects )
m_pResizeDrawObjects.reset(new SdrObjects);
m_pResizeDrawObjects->push_back( pObj );
+ pObj->AddObjectUser(*this);
if( !m_pDrawObjectPrcWidths )
m_pDrawObjectPrcWidths.reset(new std::vector<sal_uInt16>);
commit 17a6ea99578a397d708ccbd041b70ee6cd7a8f78
Author: Caolán McNamara <[email protected]>
AuthorDate: Sun Sep 26 14:05:37 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:57:23 2021 +0100
ofz#39304 short timestamp record
Change-Id: I8f783473dd5d4679846c7c866cd1853ef7d919fc
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/122628
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit bfc70a9f314bbb5b03247be25544e9b4cc467f8d)
diff --git a/connectivity/source/drivers/dbase/DTable.cxx
b/connectivity/source/drivers/dbase/DTable.cxx
index ffd4eb2ab30f..6bd9ce2bbaf1 100644
--- a/connectivity/source/drivers/dbase/DTable.cxx
+++ b/connectivity/source/drivers/dbase/DTable.cxx
@@ -773,10 +773,8 @@ bool ODbaseTable::fetchRow(OValueRefRow& _rRow, const
OSQLColumns & _rCols, bool
for (std::size_t i = 1; aIter != aEnd && nByteOffset <= m_nBufferSize && i
< nCount;++aIter, i++)
{
// Lengths depending on data type:
- sal_Int32 nLen = 0;
- sal_Int32 nType = 0;
- nLen = m_aPrecisions[i-1];
- nType = m_aTypes[i-1];
+ sal_Int32 nLen = m_aPrecisions[i-1];
+ sal_Int32 nType = m_aTypes[i-1];
switch(nType)
{
@@ -835,8 +833,13 @@ bool ODbaseTable::fetchRow(OValueRefRow& _rRow, const
OSQLColumns & _rCols, bool
else if ( DataType::TIMESTAMP == nType )
{
sal_Int32 nDate = 0,nTime = 0;
+ if (nLen < 8)
+ {
+ SAL_WARN("connectivity.drivers", "short TIMESTAMP");
+ return false;
+ }
memcpy(&nDate, pData, 4);
- memcpy(&nTime, pData+ 4, 4);
+ memcpy(&nTime, pData + 4, 4);
if ( !nDate && !nTime )
{
(_rRow->get())[i]->setNull();
commit 5fd084308e3751cbc23f19041536d9957d6b961c
Author: Caolán McNamara <[email protected]>
AuthorDate: Sun Sep 26 14:23:54 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:57:18 2021 +0100
ofz#39301 month has to be in range [1-12]
Change-Id: I5a4ca534b24098342d8f465a32bc1887f40f5b63
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/122629
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit 4a93b7a2f8a3fc13fed800d93e2103b785abeb62)
diff --git a/connectivity/source/commontools/dbconversion.cxx
b/connectivity/source/commontools/dbconversion.cxx
index 77e7c871123c..6cd27e46a5ff 100644
--- a/connectivity/source/commontools/dbconversion.cxx
+++ b/connectivity/source/commontools/dbconversion.cxx
@@ -27,6 +27,7 @@
#include <rtl/character.hxx>
#include <rtl/ustrbuf.hxx>
#include <rtl/math.hxx>
+#include <sal/log.hxx>
#include <unotools/datetime.hxx>
#include <sstream>
#include <iomanip>
@@ -167,10 +168,13 @@ namespace dbtools
;
}
-
static sal_Int32 implDaysInMonth(sal_Int32 _nMonth, sal_Int32 _nYear)
{
- OSL_ENSURE(_nMonth > 0 && _nMonth < 13,"Month as invalid value!");
+ SAL_WARN_IF(_nMonth < 1 || _nMonth > 12, "connectivity.commontools",
"Month has invalid value: " << _nMonth);
+ if (_nMonth < 1)
+ _nMonth = 1;
+ else if (_nMonth > 12)
+ _nMonth = 12;
if (_nMonth != 2)
return aDaysInMonth[_nMonth-1];
else
@@ -182,7 +186,6 @@ namespace dbtools
}
}
-
static sal_Int32 implRelativeToAbsoluteNull(const css::util::Date& _rDate)
{
sal_Int32 nDays = 0;
commit 0bdcf4f040e77e2e51c4739a563a1008f418b99c
Author: Caolán McNamara <[email protected]>
AuthorDate: Sat Sep 25 19:57:36 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:57:13 2021 +0100
ofz#39252 use safer SwUnoCursor for the pos to move back to
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/122611
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit ca844cbdc3e933e3082e9cde0632445916de819e)
Change-Id: Iba6f200cea92196986bd30564cf56ab5d8b954b1
diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx
index 9510742478a9..eaf31d9f0fc3 100644
--- a/sw/source/filter/ww8/ww8par.cxx
+++ b/sw/source/filter/ww8/ww8par.cxx
@@ -1997,7 +1997,7 @@ void SwWW8ImplReader::ImportDopTypography(const
WW8DopTypography &rTypo)
* Footnotes and Endnotes
*/
WW8ReaderSave::WW8ReaderSave(SwWW8ImplReader* pRdr ,WW8_CP nStartCp) :
- maTmpPos(*pRdr->m_pPaM->GetPoint()),
+ mxTmpPos(pRdr->m_rDoc.CreateUnoCursor(*pRdr->m_pPaM->GetPoint())),
mxOldStck(std::move(pRdr->m_xCtrlStck)),
mxOldAnchorStck(std::move(pRdr->m_xAnchorStck)),
mxOldRedlines(std::move(pRdr->m_xRedlineStack)),
@@ -2095,7 +2095,7 @@ void WW8ReaderSave::Restore( SwWW8ImplReader* pRdr )
pRdr->DeleteAnchorStack();
pRdr->m_xAnchorStck = std::move(mxOldAnchorStck);
- *pRdr->m_pPaM->GetPoint() = maTmpPos;
+ *pRdr->m_pPaM->GetPoint() = GetStartPos();
if (mxOldPlcxMan != pRdr->m_xPlcxMan)
pRdr->m_xPlcxMan = mxOldPlcxMan;
diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index 483d0b6ce470..63196280db89 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -591,7 +591,7 @@ class WW8ReaderSave
{
private:
WW8PLCFxSaveAll maPLCFxSave;
- SwPosition const maTmpPos;
+ std::shared_ptr<SwUnoCursor> mxTmpPos;
std::deque<bool> maOldApos;
std::deque<WW8FieldEntry> maOldFieldStack;
std::unique_ptr<SwWW8FltControlStack> mxOldStck;
@@ -619,7 +619,7 @@ private:
public:
WW8ReaderSave(SwWW8ImplReader* pRdr, WW8_CP nStart=-1);
void Restore(SwWW8ImplReader* pRdr);
- const SwPosition &GetStartPos() const { return maTmpPos; }
+ const SwPosition &GetStartPos() const { return *mxTmpPos->GetPoint(); }
};
enum class eF_ResT { OK, TEXT, TAGIGN, READ_FSPA };
commit ce2c13089560fb43b3bd5f75f0446af7a62eb7c9
Author: Caolán McNamara <[email protected]>
AuthorDate: Thu Sep 2 13:35:34 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:57:09 2021 +0100
ofz#38011 save and restore m_pLastAnchorPos via UnoCursor
when we do some operations that may delete paragraphs
Change-Id: I2165dd287771f06c6d0fd061dd7659b06db4bd72
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/121511
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit bc7baa18435000f47f90e47d3300710bcb4cf56b)
diff --git a/sw/qa/core/data/ww8/pass/ofz38011-1.doc
b/sw/qa/core/data/ww8/pass/ofz38011-1.doc
new file mode 100644
index 000000000000..8ef58ca5395d
Binary files /dev/null and b/sw/qa/core/data/ww8/pass/ofz38011-1.doc differ
diff --git a/sw/source/filter/ww8/ww8par2.cxx b/sw/source/filter/ww8/ww8par2.cxx
index 4fb74703ee2b..a2c8bc832ab8 100644
--- a/sw/source/filter/ww8/ww8par2.cxx
+++ b/sw/source/filter/ww8/ww8par2.cxx
@@ -2753,8 +2753,17 @@ void WW8TabDesc::FinishSwTable()
{
m_pIo->m_xRedlineStack->closeall(*m_pIo->m_pPaM->GetPoint());
m_pIo->m_aFrameRedlines.emplace(std::move(m_pIo->m_xRedlineStack));
+
+ // ofz#38011 drop m_pLastAnchorPos during RedlineStack dtor and restore it
afterwards to the same
+ // place, or somewhere close if that place got destroyed
+ std::shared_ptr<SwUnoCursor> xLastAnchorCursor(m_pIo->m_pLastAnchorPos ?
m_pIo->m_rDoc.CreateUnoCursor(*m_pIo->m_pLastAnchorPos) : nullptr);
+ m_pIo->m_pLastAnchorPos.reset();
+
m_pIo->m_xRedlineStack = std::move(mxOldRedlineStack);
+ if (xLastAnchorCursor)
+ m_pIo->m_pLastAnchorPos.reset(new
SwPosition(*xLastAnchorCursor->GetPoint()));
+
WW8DupProperties aDup(m_pIo->m_rDoc,m_pIo->m_xCtrlStck.get());
m_pIo->m_xCtrlStck->SetAttr( *m_pIo->m_pPaM->GetPoint(), 0, false);
commit 890e1f782f06dd2c55092de3eabe5114edee78bf
Author: Caolán McNamara <[email protected]>
AuthorDate: Sun Aug 29 16:58:11 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:57:03 2021 +0100
ofz#37796 limit to numeric_limits<int>::max
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/121230
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit 72da4c623baf60eb2b7073697cd36ffb3022847d)
Change-Id: I6e09226fad1e566ba2758d0084042b603b84d221
diff --git a/include/vcl/BitmapTools.hxx b/include/vcl/BitmapTools.hxx
index 3652bb849bf4..7c076a451a69 100644
--- a/include/vcl/BitmapTools.hxx
+++ b/include/vcl/BitmapTools.hxx
@@ -20,6 +20,7 @@
#include <basegfx/range/b2drectangle.hxx>
#include <o3tl/safeint.hxx>
#include <array>
+#include <limits>
class SvStream;
namespace basegfx { class B2DHomMatrix; }
@@ -51,6 +52,10 @@ public:
mnBitCount(nBitCount)
{
assert(nBitCount == 24 || nBitCount == 32);
+ if (rSize.getWidth() > std::numeric_limits<sal_Int32>::max() ||
rSize.getWidth() < 0)
+ throw std::bad_alloc();
+ if (rSize.getHeight() > std::numeric_limits<sal_Int32>::max() ||
rSize.getHeight() < 0)
+ throw std::bad_alloc();
sal_Int32 nRowSize, nDataSize;
if (o3tl::checked_multiply<sal_Int32>(rSize.getWidth(), nBitCount/8,
nRowSize) ||
o3tl::checked_multiply<sal_Int32>(nRowSize, rSize.getHeight(),
nDataSize) ||
commit fcedd7647613a614b9d8fdcb7b927e45252f08c1
Author: Caolán McNamara <[email protected]>
AuthorDate: Wed Aug 18 16:57:18 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:56:57 2021 +0100
ofz#37322 Bad-cast
use a SwUnoCursor for the LastAnchorPos around here, this is similar to
ofz#9858 Bad-cast
Change-Id: I194a39ae13c382740b0ba8145dcc33fb2107105d
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/120679
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit c1cd505c67a53a0a27589889b34641612d10946d)
diff --git a/sw/qa/core/data/ww5/pass/ooo37322-1-WW2.doc
b/sw/qa/core/data/ww5/pass/ooo37322-1-WW2.doc
new file mode 100644
index 000000000000..fd64eeed2963
Binary files /dev/null and b/sw/qa/core/data/ww5/pass/ooo37322-1-WW2.doc differ
diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx
index 2dca982deeff..9510742478a9 100644
--- a/sw/source/filter/ww8/ww8par.cxx
+++ b/sw/source/filter/ww8/ww8par.cxx
@@ -2081,8 +2081,17 @@ void WW8ReaderSave::Restore( SwWW8ImplReader* pRdr )
pRdr->m_xRedlineStack->closeall(*pRdr->m_pPaM->GetPoint());
pRdr->m_aFrameRedlines.emplace(std::move(pRdr->m_xRedlineStack));
+
+ // ofz#37322 drop m_pLastAnchorPos during RedlineStack dtor and restore it
afterwards to the same
+ // place, or somewhere close if that place got destroyed
+ std::shared_ptr<SwUnoCursor> xLastAnchorCursor(pRdr->m_pLastAnchorPos ?
pRdr->m_rDoc.CreateUnoCursor(*pRdr->m_pLastAnchorPos) : nullptr);
+ pRdr->m_pLastAnchorPos.reset();
+
pRdr->m_xRedlineStack = std::move(mxOldRedlines);
+ if (xLastAnchorCursor)
+ pRdr->m_pLastAnchorPos.reset(new
SwPosition(*xLastAnchorCursor->GetPoint()));
+
pRdr->DeleteAnchorStack();
pRdr->m_xAnchorStck = std::move(mxOldAnchorStck);
commit a0e4d6bb1916b3ce9586786f69309ea8eb74a830
Author: Caolán McNamara <[email protected]>
AuthorDate: Fri Jul 16 12:45:21 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:56:53 2021 +0100
crashtesting: UaF on layout of fdo53985-1.docx
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/119060
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit ceb32f59d96a17c3007ed883fb44bc880673c8e0)
Change-Id: Id8ca0d277f485347e21bd8d6d68de2a7de13de48
diff --git a/sw/source/core/inc/layact.hxx b/sw/source/core/inc/layact.hxx
index 3e6ded269bd4..5a00382995f9 100644
--- a/sw/source/core/inc/layact.hxx
+++ b/sw/source/core/inc/layact.hxx
@@ -68,6 +68,9 @@ class SwLayAction
std::unique_ptr<SwWait> m_pWait;
+ std::vector<SwFrame*> m_aFrameStack;
+ std::vector<std::unique_ptr<SwFrameDeleteGuard>> m_aFrameDeleteGuards;
+
// If a paragraph (or anything else) moved more than one page when
// formatting, it adds its new page number here.
// The InternalAction can then take the appropriate steps.
@@ -124,6 +127,9 @@ class SwLayAction
bool RemoveEmptyBrowserPages();
+ void PushFormatLayout(SwFrame* pLow);
+ void PopFormatLayout();
+
public:
SwLayAction(SwRootFrame *pRt, SwViewShellImp *pImp, TaskStopwatch* pWatch
= nullptr);
~SwLayAction();
@@ -148,7 +154,7 @@ public:
void SetReschedule ( bool bNew ) { m_bReschedule = bNew; }
void SetWaitAllowed ( bool bNew ) { m_bWaitAllowed = bNew; }
- void SetAgain(bool bAgain) { m_bAgain = bAgain; }
+ void SetAgain(bool bAgain);
void SetUpdateExpFields() {m_bUpdateExpFields = true; }
inline void SetCheckPageNum( sal_uInt16 nNew );
diff --git a/sw/source/core/layout/layact.cxx b/sw/source/core/layout/layact.cxx
index 09069261cf71..33b1ae277180 100644
--- a/sw/source/core/layout/layact.cxx
+++ b/sw/source/core/layout/layact.cxx
@@ -319,6 +319,53 @@ bool SwLayAction::RemoveEmptyBrowserPages()
return bRet;
}
+void SwLayAction::SetAgain(bool bAgain)
+{
+ if (bAgain == m_bAgain)
+ return;
+
+ m_bAgain = bAgain;
+
+ assert(m_aFrameStack.size() == m_aFrameDeleteGuards.size());
+ size_t nCount = m_aFrameStack.size();
+ if (m_bAgain)
+ {
+ // LayAction::FormatLayout is now flagged to exit early and will avoid
+ // dereferencing any SwFrames in the stack of FormatLayouts so allow
+ // their deletion
+ for (size_t i = 0; i < nCount; ++i)
+ m_aFrameDeleteGuards[i].reset();
+ }
+ else
+ {
+ // LayAction::FormatLayout is now continue normally and will
+ // dereference the top SwFrame in the stack of m_aFrameStack as each
+ // FormatLevel returns so disallow their deletion
+ for (size_t i = 0; i < nCount; ++i)
+ m_aFrameDeleteGuards[i] =
std::make_unique<SwFrameDeleteGuard>(m_aFrameStack[i]);
+ }
+}
+
+void SwLayAction::PushFormatLayout(SwFrame* pLow)
+{
+ /* Workaround crash seen in crashtesting with fdo53985-1.docx
+
+ Lock pLow against getting deleted when it will be dereferenced
+ after FormatLayout
+
+ If SetAgain is called to make SwLayAction exit early to avoid that
+ dereference, then it clears these guards
+ */
+ m_aFrameStack.push_back(pLow);
+ m_aFrameDeleteGuards.push_back(std::make_unique<SwFrameDeleteGuard>(pLow));
+}
+
+void SwLayAction::PopFormatLayout()
+{
+ m_aFrameDeleteGuards.pop_back();
+ m_aFrameStack.pop_back();
+}
+
void SwLayAction::Action(OutputDevice* pRenderContext)
{
m_bActionInProgress = true;
@@ -1374,7 +1421,11 @@ bool SwLayAction::FormatLayout( OutputDevice
*pRenderContext, SwLayoutFrame *pLa
}
// Skip the ones already registered for deletion
else if( !pLow->IsSctFrame() ||
static_cast<SwSectionFrame*>(pLow)->GetSection() )
+ {
+ PushFormatLayout(pLow);
bChanged |= FormatLayout( pRenderContext,
static_cast<SwLayoutFrame*>(pLow), bAddRect );
+ PopFormatLayout();
+ }
}
else if ( m_pImp->GetShell()->IsPaintLocked() )
// Shortcut to minimize the cycles. With Lock, the
commit 3bae2069056e3fce6fe8f77f599ffe512dc4eb3f
Author: Caolán McNamara <[email protected]>
AuthorDate: Thu Jul 15 14:13:35 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:56:47 2021 +0100
Only change SwLayAction::m_bAgain via SetAgain
no logic change intended
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/118983
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit 3a5383892e1f0e22558cd56cb77d56a09c515b7a)
Change-Id: Ib0174f8040faa3efde7b9c5ba9b062bac5a35da3
diff --git a/sw/source/core/inc/layact.hxx b/sw/source/core/inc/layact.hxx
index 990c0e4b88f0..3e6ded269bd4 100644
--- a/sw/source/core/inc/layact.hxx
+++ b/sw/source/core/inc/layact.hxx
@@ -148,7 +148,7 @@ public:
void SetReschedule ( bool bNew ) { m_bReschedule = bNew; }
void SetWaitAllowed ( bool bNew ) { m_bWaitAllowed = bNew; }
- void SetAgain() { m_bAgain = true; }
+ void SetAgain(bool bAgain) { m_bAgain = bAgain; }
void SetUpdateExpFields() {m_bUpdateExpFields = true; }
inline void SetCheckPageNum( sal_uInt16 nNew );
diff --git a/sw/source/core/layout/layact.cxx b/sw/source/core/layout/layact.cxx
index 04201e1c6f5e..09069261cf71 100644
--- a/sw/source/core/layout/layact.cxx
+++ b/sw/source/core/layout/layact.cxx
@@ -282,11 +282,12 @@ bool SwLayAction::IsInterrupt()
void SwLayAction::Reset()
{
+ SetAgain(false);
m_pOptTab = nullptr;
m_nStartTicks = std::clock();
m_nEndPage = m_nPreInvaPage = m_nCheckPageNum = USHRT_MAX;
m_bPaint = m_bComplete = m_bWaitAllowed = m_bCheckPages = true;
- m_bInterrupt = m_bAgain = m_bNextCycle = m_bCalcLayout = m_bReschedule =
+ m_bInterrupt = m_bNextCycle = m_bCalcLayout = m_bReschedule =
m_bUpdateExpFields = m_bBrowseActionStop = false;
m_pCurPage = nullptr;
}
@@ -344,12 +345,15 @@ void SwLayAction::Action(OutputDevice* pRenderContext)
SetCheckPages( false );
InternalAction(pRenderContext);
- m_bAgain |= RemoveEmptyBrowserPages();
+ if (RemoveEmptyBrowserPages())
+ SetAgain(true);
while ( IsAgain() )
{
- m_bAgain = m_bNextCycle = false;
+ SetAgain(false);
+ m_bNextCycle = false;
InternalAction(pRenderContext);
- m_bAgain |= RemoveEmptyBrowserPages();
+ if (RemoveEmptyBrowserPages())
+ SetAgain(true);
}
m_pRoot->DeleteEmptySct();
@@ -637,7 +641,7 @@ void SwLayAction::InternalAction(OutputDevice*
pRenderContext)
{
bool bOld = IsAgain();
m_pRoot->RemoveSuperfluous();
- m_bAgain = bOld;
+ SetAgain(bOld);
}
if ( IsAgain() )
{
diff --git a/sw/source/core/layout/objectformattertxtfrm.cxx
b/sw/source/core/layout/objectformattertxtfrm.cxx
index 1ba020a84901..3e99cfd32bc9 100644
--- a/sw/source/core/layout/objectformattertxtfrm.cxx
+++ b/sw/source/core/layout/objectformattertxtfrm.cxx
@@ -293,7 +293,7 @@ bool SwObjectFormatterTextFrame::DoFormatObjs()
{
// notify layout action, thus is can restart the layout process on
// a previous page.
- GetLayAction()->SetAgain();
+ GetLayAction()->SetAgain(true);
}
else
{
diff --git a/sw/source/core/layout/pagechg.cxx
b/sw/source/core/layout/pagechg.cxx
index 4f8ca7f585bc..867617682f50 100644
--- a/sw/source/core/layout/pagechg.cxx
+++ b/sw/source/core/layout/pagechg.cxx
@@ -284,7 +284,7 @@ void SwPageFrame::DestroyImpl()
SwViewShellImp *pImp = pSh->Imp();
pImp->SetFirstVisPageInvalid();
if ( pImp->IsAction() )
- pImp->GetLayAction().SetAgain();
+ pImp->GetLayAction().SetAgain(true);
// #i9719# - retouche area of page
// including border and shadow area.
const bool bRightSidebar = (SidebarPosition() ==
sw::sidebarwindows::SidebarPosition::RIGHT);
commit 7514f540c49372e049c166a1553e34de0d9976c9
Author: Caolán McNamara <[email protected]>
AuthorDate: Mon Jul 12 16:21:04 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:56:42 2021 +0100
crashtesting: UaF on layout of ooo98566-1.odt
in:
sw/source/core/text/itrform2.cxx:2643 SwTextFormatter::NewFlyCntPortion
at: pFly = static_cast<SwTextFlyCnt*>(pHint)->GetFlyFrame(pFrame)
(gdb) print m_pCurr
$2 = (SwLineLayout *) 0x55ea220a0020
after calling GetFlyFrame m_pCurr is unchanged and we will call
m_pCurr->MaxAscentDescent
on it.
But m_pCurr is deleted during GetFlyFrame by...
#18 0x00007f98c5cd337f in SwLineLayout::~SwLineLayout()
(this=this@entry=0x55ea220a0020, __in_chrg=<optimized out>)
at source/libo-core/sw/source/core/text/portxt.hxx:26
#19 0x00007f98c5cd347a in SwParaPortion::~SwParaPortion()
(this=0x55ea220a0020, __in_chrg=<optimized out>)
at source/libo-core/sw/source/core/text/porlay.cxx:2491
#20 0x00007f98c5cd3485 in SwParaPortion::~SwParaPortion()
(this=0x55ea220a0020, __in_chrg=<optimized out>)
at source/libo-core/sw/source/core/text/porlay.cxx:2491
#21 0x00007f98c5d05e70 in
std::default_delete<SwParaPortion>::operator()(SwParaPortion*) const
(__ptr=<optimized out>, this=<optimized out>)
at /usr/include/c++/8/bits/unique_ptr.h:75
#22 0x00007f98c5d05e70 in std::unique_ptr<SwParaPortion,
std::default_delete<SwParaPortion> >::reset(SwParaPortion*)
(__p=<optimized out>, this=<optimized out>) at
/usr/include/c++/8/bits/unique_ptr.h:382
#23 0x00007f98c5d05e70 in SwTextLine::SetPara(SwParaPortion*, bool)
(bDelete=true, pNew=0x0, this=<optimized out>)
at source/libo-core/sw/source/core/text/txtcache.hxx:45
#24 0x00007f98c5d05e70 in SwTextFrame::ClearPara()
(this=this@entry=0x55ea21302b60) at
source/libo-core/sw/source/core/text/txtcache.cxx:113
#25 0x00007f98c5d1be89 in SwTextFrame::Init()
(this=this@entry=0x55ea21302b60) at
source/libo-core/sw/source/core/text/txtfrm.cxx:757
#26 0x00007f98c5d2630c in SwTextFrame::Prepare(PrepareHint, void const*,
bool)
(this=0x55ea21302b60, ePrep=PrepareHint::FlyFrameArrive,
pVoid=<optimized out>, bNotify=<optimized out>)
at source/libo-core/sw/source/core/text/txtfrm.cxx:3086
#27 0x00007f98c5b1edb8 in
SwFlyInContentFrame::NotifyBackground(SwPageFrame*, SwRect const&, PrepareHint)
(this=<optimized out>, rRect=..., eHint=<optimized out>) at
source/libo-core/sw/inc/anchoredobject.hxx:205
#28 0x00007f98c5b261a6 in Notify(SwFlyFrame*, SwPageFrame*, SwRect const&,
SwRect const*)
(pFly=pFly@entry=0x55ea21a18d60, pOld=0x0, rOld=SwRect = {...},
pOldPrt=pOldPrt@entry=0x7ffeb50390f8)
at source/libo-core/sw/source/core/inc/frame.hxx:1177
#29 0x00007f98c5b2ceca in SwFlyNotify::~SwFlyNotify()
(this=0x7ffeb50390d0, __in_chrg=<optimized out>)
at source/libo-core/sw/source/core/layout/frmtool.cxx:648
#30 0x00007f98c5b1fa25 in SwFlyInContentFrame::MakeAll(OutputDevice*)
(this=0x55ea21a18d60)
at source/libo-core/sw/source/core/inc/frmtool.hxx:419
#31 0x00007f98c5aec3a9 in SwFrame::PrepareMake(OutputDevice*)
(this=0x55ea21a18d60, pRenderContext=0x55ea212bc4c0)
at source/libo-core/sw/source/core/layout/calcmove.cxx:375
#32 0x00007f98c5b17ad2 in SwFlyFrame::Calc(OutputDevice*) const
(this=<optimized out>, pRenderContext=<optimized out>)
at source/libo-core/sw/source/core/layout/fly.cxx:2890
#33 0x00007f98c5b636c5 in SwObjectFormatter::FormatLayout_(SwLayoutFrame&)
(this=this@entry=0x55ea2244d150, _rLayoutFrame=...)
at source/libo-core/include/rtl/ref.hxx:206
#34 0x00007f98c5b6413e in SwObjectFormatter::FormatObj_(SwAnchoredObject&)
(this=this@entry=0x55ea2244d150, _rAnchoredObj=...)
at source/libo-core/sw/source/core/layout/objectformatter.cxx:296
#35 0x00007f98c5b6705b in
SwObjectFormatterTextFrame::DoFormatObj(SwAnchoredObject&, bool)
(this=0x55ea2244d150, _rAnchoredObj=..., _bCheckForMovedFwd=<optimized
out>)
at source/libo-core/sw/source/core/layout/objectformattertxtfrm.cxx:136
#36 0x00007f98c5b6359f in SwObjectFormatter::FormatObj(SwAnchoredObject&,
SwFrame*, SwPageFrame const*)
(_rAnchoredObj=..., _pAnchorFrame=<optimized out>,
_pPageFrame=<optimized out>)
at source/libo-core/sw/source/core/layout/objectformatter.cxx:190
#37 0x00007f98c5d717aa in SwTextFlyCnt::GetFlyFrame_(SwFrame const*)
(this=this@entry=0x55ea214d8810, pCurrFrame=pCurrFrame@entry=0x55ea21302b60)
at source/libo-core/sw/source/core/inc/frame.hxx:1177
#38 0x00007f98c5cb511b in SwTextFlyCnt::GetFlyFrame(SwFrame const*)
(pCurrFrame=0x55ea21302b60, this=0x55ea214d8810)
at source/libo-core/sw/inc/txtflcnt.hxx:48
#39 0x00007f98c5cb511b in
SwTextFormatter::NewFlyCntPortion(SwTextFormatInfo&, SwTextAttr*) const
(this=this@entry=0x7ffeb503a6b0, rInf=..., pHint=0x55ea214d8810) at
source/libo-core/sw/source/core/text/itrform2.cxx:2643
(gdb) print this
(SwLinePortion * const) 0x55ea220a0020
The SwTextFrame of SwTextFrame::ClearPara is the same pFrame/m_pFrame at
SwTextFormatter::NewFlyCntPortion
ClearPara is not called if the SwTextFrame is "Locked", so try using that
to protect GetFlyFrame
Change-Id: Ia9dcb1f345f6953d995f2acf1ec23492d1680364
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/118784
Tested-by: Jenkins
Tested-by: Caolán McNamara <[email protected]>
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit 7e016df70d4ceb6c90ec5f1b129b50a65ff07505)
diff --git a/sw/source/core/text/itrform2.cxx b/sw/source/core/text/itrform2.cxx
index 4e57a0b64d90..6e037088fa6e 100644
--- a/sw/source/core/text/itrform2.cxx
+++ b/sw/source/core/text/itrform2.cxx
@@ -2495,7 +2495,11 @@ SwFlyCntPortion *SwTextFormatter::NewFlyCntPortion(
SwTextFormatInfo &rInf,
SwFlyInContentFrame *pFly;
SwFrameFormat* pFrameFormat =
static_cast<SwTextFlyCnt*>(pHint)->GetFlyCnt().GetFrameFormat();
if( RES_FLYFRMFMT == pFrameFormat->Which() )
+ {
+ // set Lock pFrame to avoid m_pCurr getting deleted
+ TextFrameLockGuard aGuard(m_pFrame);
pFly = static_cast<SwTextFlyCnt*>(pHint)->GetFlyFrame(pFrame);
+ }
else
pFly = nullptr;
// aBase is the document-global position, from which the new extra portion
is placed
commit af5ae19fe70aafd1be9ddaba692a7664219b53f9
Author: Caolán McNamara <[email protected]>
AuthorDate: Thu Jul 1 14:56:45 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:56:37 2021 +0100
ofz#34749 don't remove trailing paragraph if something got anchored to it
Change-Id: Ic6eec2f9829c415abd4f2628bc51efbf98f918fb
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/118228
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit e803875fbb86b24b39fcd9adcf7df40ed255ea8f)
diff --git a/sw/qa/core/data/ww8/pass/ofz34749-1.doc
b/sw/qa/core/data/ww8/pass/ofz34749-1.doc
new file mode 100644
index 000000000000..d657a71b5245
Binary files /dev/null and b/sw/qa/core/data/ww8/pass/ofz34749-1.doc differ
diff --git a/sw/source/filter/ww8/ww8par.hxx b/sw/source/filter/ww8/ww8par.hxx
index cf90848fc619..483d0b6ce470 100644
--- a/sw/source/filter/ww8/ww8par.hxx
+++ b/sw/source/filter/ww8/ww8par.hxx
@@ -925,6 +925,14 @@ public:
explicit wwExtraneousParas(SwDoc &rDoc) : m_rDoc(rDoc) {}
~wwExtraneousParas() { delete_all_from_doc(); }
void insert(SwTextNode *pTextNode) { m_aTextNodes.insert(pTextNode); }
+ void check_anchor_destination(SwTextNode *pTextNode)
+ {
+ auto it = m_aTextNodes.find(pTextNode);
+ if (it == m_aTextNodes.end())
+ return;
+ SAL_WARN("sw.ww8", "It is unexpected to anchor something in a para
scheduled for removal");
+ m_aTextNodes.erase(it);
+ }
void delete_all_from_doc();
};
diff --git a/sw/source/filter/ww8/ww8par6.cxx b/sw/source/filter/ww8/ww8par6.cxx
index 0c6b89b1bd5a..cb15bbd96aa4 100644
--- a/sw/source/filter/ww8/ww8par6.cxx
+++ b/sw/source/filter/ww8/ww8par6.cxx
@@ -2455,6 +2455,9 @@ bool SwWW8ImplReader::StartApo(const ApoTestResults
&rApo, const WW8_TablePos *p
}
else
{
+ // ofz#34749 we shouldn't anchor anything into an 'extra'
paragraph scheduled for
+ // removal at end of import, but check if that scenario is
happening
+
m_aExtraneousParas.check_anchor_destination(m_pPaM->GetNode().GetTextNode());
m_xSFlyPara->pFlyFormat =
m_rDoc.MakeFlySection(WW8SwFlyPara::eAnchor,
m_pPaM->GetPoint(), &aFlySet);
OSL_ENSURE(m_xSFlyPara->pFlyFormat->GetAnchor().GetAnchorId() ==
commit 380e289dbbdbf91bf479817bad1b8ec53bc28bc9
Author: Caolán McNamara <[email protected]>
AuthorDate: Sun Jun 27 19:08:36 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:56:33 2021 +0100
ofz#35504 Integer-overflow
Change-Id: I7a462b821f286411d759b5259461fcdbf1741859
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/117955
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit 228cb26a6a1afe668dd17471bedf0ab52f133d5a)
diff --git a/tools/source/generic/poly.cxx b/tools/source/generic/poly.cxx
index 0a597fdff1fc..b549f1cd65c1 100644
--- a/tools/source/generic/poly.cxx
+++ b/tools/source/generic/poly.cxx
@@ -251,7 +251,7 @@ ImplPolygon::ImplPolygon( const tools::Rectangle& rBound,
const Point& rStart, c
}
- if( ( nRadX > 32 ) && ( nRadY > 32 ) && ( nRadX + nRadY ) < 8192 )
+ if (nRadX > 32 && nRadY > 32 && o3tl::saturating_add(nRadX, nRadY) <
8192)
nPoints >>= 1;
// compute threshold
commit 806ab3d846208425856af0a40b6873d00992739f
Author: Caolán McNamara <[email protected]>
AuthorDate: Fri Apr 2 14:28:37 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:56:27 2021 +0100
ofz: Segv on unknown address
Change-Id: I6c69375a89781fc0b87230203335c861efb562f9
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113518
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit 8de38977838d5a044271cb170730e3d557659f17)
diff --git a/sc/source/core/tool/compiler.cxx b/sc/source/core/tool/compiler.cxx
index 144ca95d4113..50e1276dbc21 100644
--- a/sc/source/core/tool/compiler.cxx
+++ b/sc/source/core/tool/compiler.cxx
@@ -2621,7 +2621,14 @@ Label_MaskStateMachine:
if (eState != ssSkipReference)
{
*pSym++ = c;
- *pSym++ = *pSrc++;
+
+ if( pSym == &cSymbol[ MAXSTRLEN ] )
+ {
+ SetError(
FormulaError::StringOverflow);
+ eState = ssStop;
+ }
+ else
+ *pSym++ = *pSrc++;
}
bAddToSymbol = false;
}
commit 25c8c62af75b6d2c1226c25ccd438c385df52c8b
Author: Caolán McNamara <[email protected]>
AuthorDate: Fri Apr 3 16:35:36 2020 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:56:22 2021 +0100
crashtesting: crash on reexport of tdf118346-1.odg to odg
make a copy of m_pImpGraphicList because if we swap out a svg, the svg
filter
may create more temp Graphics which are auto-added to m_pImpGraphicList
invalidating a loop over m_pImpGraphicList
#0 0x00007ffff0d25ae5 in vcl::graphic::Manager::reduceGraphicMemory()
(this=0x7ffff1bc4760 <vcl::graphic::Manager::get()::gStaticManager>)
at vcl/source/graphic/Manager.cxx:88
#1 0x00007ffff0d25ee9 in
vcl::graphic::Manager::registerGraphic(std::shared_ptr<ImpGraphic> const&,
rtl::OUString const&)
(this=0x7ffff1bc4760 <vcl::graphic::Manager::get()::gStaticManager>,
pImpGraphic=std::shared_ptr<ImpGraphic> (use count 1, weak count 0) = {...})
at vcl/source/graphic/Manager.cxx:139
#2 0x00007ffff0d26406 in vcl::graphic::Manager::newInstance()
(this=0x7ffff1bc4760 <vcl::graphic::Manager::get()::gStaticManager>)
at vcl/source/graphic/Manager.cxx:184
#3 0x00007ffff0b6735c in Graphic::Graphic() (this=0x7fffffff84f0) at
vcl/source/gdi/graph.cxx:182
#4 0x00007fffdc526600 in
svgio::svgreader::SvgImageNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&,
bool) const
(this=0x555556817940, rTarget=...) at
svgio/source/svgreader/svgimagenode.cxx:219
#5 0x00007fffdc52e75d in
svgio::svgreader::SvgNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&,
bool) const
(this=0x55555a6a93d0, rTarget=..., bReferenced=false) at
svgio/source/svgreader/svgnode.cxx:529
#6 0x00007fffdc522339 in
svgio::svgreader::SvgGNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&,
bool) const
(this=0x55555a6a93d0, rTarget=..., bReferenced=false) at
svgio/source/svgreader/svggnode.cxx:106
#7 0x00007fffdc52e75d in
svgio::svgreader::SvgNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&,
bool) const
(this=0x55555a6a9070, rTarget=..., bReferenced=false) at
svgio/source/svgreader/svgnode.cxx:529
#8 0x00007fffdc522339 in
svgio::svgreader::SvgGNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&,
bool) const
(this=0x55555a6a9070, rTarget=..., bReferenced=false) at
svgio/source/svgreader/svggnode.cxx:106
#9 0x00007fffdc52e75d in
svgio::svgreader::SvgNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&,
bool) const
(this=0x55555a5f9150, rTarget=..., bReferenced=false) at
svgio/source/svgreader/svgnode.cxx:529
#10 0x00007fffdc54d19f in
svgio::svgreader::SvgSvgNode::decomposeSvgNode(drawinglayer::primitive2d::Primitive2DContainer&,
bool) const
(this=0x55555a5f9150, rTarget=..., bReferenced=false) at
svgio/source/svgreader/svgsvgnode.cxx:304
#11 0x00007fffdc571373 in svgio::svgreader::(anonymous
namespace)::XSvgParser::getDecomposition(com::sun::star::uno::Reference<com::sun::star::io::XInputStream>
const&, rtl::OUString const&) (this=0x55555a69c6d0, xSVGStream=uno::Reference
to (comphelper::SequenceInputStream *) 0x555557480668, aAbsolutePath="")
at svgio/source/svguno/xsvgparser.cxx:160
#12 0x00007ffff0cf849b in VectorGraphicData::ensureSequenceAndRange()
(this=0x555556ea7540)
at vcl/source/gdi/vectorgraphicdata.cxx:196
#13 0x00007ffff0cf9124 in VectorGraphicData::getRange() const
(this=0x555556ea7540)
at vcl/source/gdi/vectorgraphicdata.cxx:323
#14 0x00007ffff0b74da7 in ImpGraphic::ImplGetPrefSize() const
(this=0x5555588b00f0) at vcl/source/gdi/impgraph.cxx:778
#15 0x00007ffff0b76623 in ImpGraphic::ImplWriteEmbedded(SvStream&)
(this=0x5555588b00f0, rOStm=...)
at vcl/source/gdi/impgraph.cxx:1235
#16 0x00007ffff0b770a1 in ImpGraphic::ImplSwapOut(SvStream*)
(this=0x5555588b00f0, xOStm=0x55555826b7d0)
at vcl/source/gdi/impgraph.cxx:1377
#17 0x00007ffff0b76bdb in ImpGraphic::ImplSwapOut() (this=0x5555588b00f0)
at vcl/source/gdi/impgraph.cxx:1328
#18 0x00007ffff0d25c88 in vcl::graphic::Manager::reduceGraphicMemory()
(this=0x7ffff1bc4760 <vcl::graphic::Manager::get()::gStaticManager>)
at vcl/source/graphic/Manager.cxx:107
#19 0x00007ffff0d25ee9 in
vcl::graphic::Manager::registerGraphic(std::shared_ptr<ImpGraphic> const&,
rtl::OUString const&)
(this=0x7ffff1bc4760 <vcl::graphic::Manager::get()::gStaticManager>,
pImpGraphic=std::shared_ptr<ImpGraphic> (use count 1, weak count 0) = {...})
at vcl/source/graphic/Manager.cxx:139
#20 0x00007ffff0d26406 in vcl::graphic::Manager::newInstance()
(this=0x7ffff1bc4760 <vcl::graphic::Manager::get()::gStaticManager>)
at vcl/source/graphic/Manager.cxx:184
#21 0x00007ffff0b6735c in Graphic::Graphic() (this=0x555556d5ea68) at
vcl/source/gdi/graph.cxx:182
Change-Id: I4e1ffcb12ead0d53b7ca2f369154e9c753af77d8
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/91650
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit 6fa2891da4852716fe62d925ffdbeeb380a2ed66)
diff --git a/vcl/source/graphic/Manager.cxx b/vcl/source/graphic/Manager.cxx
index 1be52a7e987c..cb7e483f4aed 100644
--- a/vcl/source/graphic/Manager.cxx
+++ b/vcl/source/graphic/Manager.cxx
@@ -84,7 +84,12 @@ void Manager::reduceGraphicMemory()
std::scoped_lock<std::recursive_mutex> aGuard(maMutex);
- for (ImpGraphic* pEachImpGraphic : m_pImpGraphicList)
+ // make a copy of m_pImpGraphicList because if we swap out a svg, the svg
+ // filter may create more temp Graphics which are auto-added to
+ // m_pImpGraphicList invalidating a loop over m_pImpGraphicList, e.g.
+ // reexport of tdf118346-1.odg
+ auto const aImpGraphicList = m_pImpGraphicList;
+ for (ImpGraphic* pEachImpGraphic : aImpGraphicList)
{
if (mnUsedSize < mnMemoryLimit * 0.7)
return;
commit a292d340a7b236edbc860a9e80d93fda1c4b3c60
Author: Caolán McNamara <[email protected]>
AuthorDate: Fri Mar 19 14:11:45 2021 +0000
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:56:15 2021 +0100
cid#1473818 Use after free
Change-Id: Idd74e0debd12e42ff97d79b56e76cde6fd98aa2c
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/112745
Tested-by: Caolán McNamara <[email protected]>
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit 236f3a8e60e05147a37f294774b0c07d40aff36f)
diff --git a/vcl/unx/generic/printer/cpdmgr.cxx
b/vcl/unx/generic/printer/cpdmgr.cxx
index cae2a4e1ab03..d114dd71accd 100644
--- a/vcl/unx/generic/printer/cpdmgr.cxx
+++ b/vcl/unx/generic/printer/cpdmgr.cxx
@@ -40,11 +40,11 @@ void CPDManager::onNameAcquired (GDBusConnection
*connection,
gpointer user_data)
{
gchar* contents;
- GDBusNodeInfo *introspection_data;
-
// Get Interface for introspection
- g_file_get_contents (FRONTEND_INTERFACE, &contents, nullptr, nullptr);
- introspection_data = g_dbus_node_info_new_for_xml (contents, nullptr);
+ if (!g_file_get_contents (FRONTEND_INTERFACE, &contents, nullptr, nullptr))
+ return;
+
+ GDBusNodeInfo *introspection_data = g_dbus_node_info_new_for_xml
(contents, nullptr);
g_dbus_connection_register_object (connection,
"/org/libreoffice/PrintDialog",
@@ -60,28 +60,29 @@ void CPDManager::onNameAcquired (GDBusConnection
*connection,
std::vector<std::pair<std::string, gchar*>> backends =
current->getTempBackends();
for (auto const& backend : backends)
{
- GDBusProxy *proxy;
// Get Interface for introspection
- g_file_get_contents (BACKEND_INTERFACE, &contents, nullptr, nullptr);
- introspection_data = g_dbus_node_info_new_for_xml (contents, nullptr);
- proxy = g_dbus_proxy_new_sync (connection,
- G_DBUS_PROXY_FLAGS_NONE,
- introspection_data->interfaces[0],
- backend.first.c_str(),
- backend.second,
- "org.openprinting.PrintBackend",
- nullptr,
- nullptr);
+ if (g_file_get_contents(BACKEND_INTERFACE, &contents, nullptr,
nullptr))
+ {
+ introspection_data = g_dbus_node_info_new_for_xml (contents,
nullptr);
+ GDBusProxy *proxy = g_dbus_proxy_new_sync (connection,
+ G_DBUS_PROXY_FLAGS_NONE,
+ introspection_data->interfaces[0],
+ backend.first.c_str(),
+ backend.second,
+ "org.openprinting.PrintBackend",
+ nullptr,
+ nullptr);
+ g_assert (proxy != nullptr);
+ g_dbus_proxy_call(proxy, "ActivateBackend",
+ nullptr,
+ G_DBUS_CALL_FLAGS_NONE,
+ -1, nullptr, nullptr, nullptr);
+
+ g_free(contents);
+ g_object_unref(proxy);
+ g_dbus_node_info_unref(introspection_data);
+ }
g_free(backend.second);
- g_assert (proxy != nullptr);
- g_dbus_proxy_call(proxy, "ActivateBackend",
- nullptr,
- G_DBUS_CALL_FLAGS_NONE,
- -1, nullptr, nullptr, nullptr);
-
- g_free(contents);
- g_object_unref(proxy);
- g_dbus_node_info_unref(introspection_data);
}
}
commit bab84fd13023d03664d8d392c6015bc826d859ed
Author: Stephan Bergmann <[email protected]>
AuthorDate: Tue Mar 9 15:52:21 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:56:09 2021 +0100
Avoid signed-integer-overflow parsing table:cell-range-address="PivotChart"
...as happens during UITest_chart
UITEST_TEST_NAME=tdf107097.tdf107097.test_tdf107097 ever since
86b192965ee8d625092b723337f6a65bdf34dcb7 "tdf#107097: sc: Add UItest" added
that
test (see <https://ci.libreoffice.org/job/lo_ubsan/1919/>),
> /chart2/source/tools/XMLRangeHelper.cxx:136:52: runtime error: signed
integer overflow: 15 * 308915776 cannot be represented in type 'int'
> #0 0x2ad74a554918 in (anonymous
namespace)::lcl_getSingleCellAddressFromXMLString(rtl::OUString const&, int,
int, chart::XMLRangeHelper::Cell&)
/chart2/source/tools/XMLRangeHelper.cxx:136:52
> #1 0x2ad74a553482 in (anonymous
namespace)::lcl_getCellAddressFromXMLString(rtl::OUString const&, int, int,
chart::XMLRangeHelper::Cell&, rtl::OUString&)
/chart2/source/tools/XMLRangeHelper.cxx:217:13
> #2 0x2ad74a5505da in (anonymous
namespace)::lcl_getCellRangeAddressFromXMLString(rtl::OUString const&, int,
int, chart::XMLRangeHelper::CellRange&)
/chart2/source/tools/XMLRangeHelper.cxx:253:19
> #3 0x2ad74a54fde1 in
chart::XMLRangeHelper::getCellRangeFromXMLString(rtl::OUString const&)
/chart2/source/tools/XMLRangeHelper.cxx:328:15
> #4 0x2ad74a2aed4d in
chart::InternalDataProvider::convertRangeFromXML(rtl::OUString const&)
/chart2/source/tools/InternalDataProvider.cxx:1227:39
> #5 0x2ad74a2b0164 in non-virtual thunk to
chart::InternalDataProvider::convertRangeFromXML(rtl::OUString const&)
/chart2/source/tools/InternalDataProvider.cxx
> #6 0x2ad6c4784257 in (anonymous
namespace)::lcl_ConvertRange(rtl::OUString const&,
com::sun::star::uno::Reference<com::sun::star::chart2::XChartDocument> const&)
/xmloff/source/chart/SchXMLPlotAreaContext.cxx:76:32
> #7 0x2ad6c4779a67 in SchXMLPlotAreaContext::startFastElement(int,
com::sun::star::uno::Reference<com::sun::star::xml::sax::XFastAttributeList>
const&) /xmloff/source/chart/SchXMLPlotAreaContext.cxx:233:34
> #8 0x2ad6c4c6328a in SvXMLImport::startFastElement(int,
com::sun::star::uno::Reference<com::sun::star::xml::sax::XFastAttributeList>
const&) /xmloff/source/core/xmlimp.cxx:797:15
> #9 0x2ad704988b78 in (anonymous
namespace)::Entity::startElement((anonymous namespace)::Event const*)
/sax/source/fastparser/fastparser.cxx:468:27
> #10 0x2ad70496f681 in
sax_fastparser::FastSaxParserImpl::consume((anonymous namespace)::EventList&)
/sax/source/fastparser/fastparser.cxx:1026:25
> #11 0x2ad70496c65f in
sax_fastparser::FastSaxParserImpl::parseStream(com::sun::star::xml::sax::InputSource
const&) /sax/source/fastparser/fastparser.cxx:870:22
> #12 0x2ad7049905d1 in
sax_fastparser::FastSaxParser::parseStream(com::sun::star::xml::sax::InputSource
const&) /sax/source/fastparser/fastparser.cxx:1482:13
> #13 0x2ad6c4c52b80 in
SvXMLImport::parseStream(com::sun::star::xml::sax::InputSource const&)
/xmloff/source/core/xmlimp.cxx:504:15
> #14 0x2ad749aafe1e in
chart::XMLFilter::impl_ImportStream(rtl::OUString const&, rtl::OUString const&,
com::sun::star::uno::Reference<com::sun::star::embed::XStorage> const&,
com::sun::star::uno::Reference<com::sun::star::lang::XMultiComponentFactory>
const&,
com::sun::star::uno::Reference<com::sun::star::document::XGraphicStorageHandler>
const&, com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet>
const&) /chart2/source/model/filter/XMLFilter.cxx:473:34
> #15 0x2ad749aa9f01 in
chart::XMLFilter::impl_Import(com::sun::star::uno::Reference<com::sun::star::lang::XComponent>
const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
const&) /chart2/source/model/filter/XMLFilter.cxx:375:35
> #16 0x2ad749aa0988 in
chart::XMLFilter::filter(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
const&) /chart2/source/model/filter/XMLFilter.cxx:221:13
> #17 0x2ad749c2c76e in
chart::ChartModel::impl_load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
const&, com::sun::star::uno::Reference<com::sun::star::embed::XStorage>
const&) /chart2/source/model/main/ChartModel_Persistence.cxx:567:18
> #18 0x2ad749c30eea in
chart::ChartModel::loadFromStorage(com::sun::star::uno::Reference<com::sun::star::embed::XStorage>
const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
const&) /chart2/source/model/main/ChartModel_Persistence.cxx:759:5
> #19 0x2ad74244b977 in
OCommonEmbeddedObject::LoadDocumentFromStorage_Impl()
/embeddedobj/source/commonembedding/persistence.cxx:535:19
> #20 0x2ad7423d7bde in OCommonEmbeddedObject::SwitchStateTo_Impl(int)
/embeddedobj/source/commonembedding/embedobj.cxx:185:49
> #21 0x2ad7423e32ff in OCommonEmbeddedObject::changeState(int)
/embeddedobj/source/commonembedding/embedobj.cxx:453:13
> #22 0x2ad7424b7057 in
OCommonEmbeddedObject::getPreferredVisualRepresentation(long)
/embeddedobj/source/commonembedding/visobj.cxx:168:9
> #23 0x2ad67e08fdb6 in
comphelper::EmbeddedObjectContainer::GetGraphicReplacementStream(long,
com::sun::star::uno::Reference<com::sun::star::embed::XEmbeddedObject> const&,
rtl::OUString*) /comphelper/source/container/embeddedobjectcontainer.cxx:1425:54
> #24 0x2ad6a447182c in
svt::EmbeddedObjectRef::GetGraphicReplacementStream(long,
com::sun::star::uno::Reference<com::sun::star::embed::XEmbeddedObject> const&,
rtl::OUString*) /svtools/source/misc/embedhlp.cxx:809:12
> #25 0x2ad6a446c7d4 in svt::EmbeddedObjectRef::GetGraphicStream(bool)
const /svtools/source/misc/embedhlp.cxx:616:23
> #26 0x2ad6a4469e58 in svt::EmbeddedObjectRef::GetReplacement(bool)
/svtools/source/misc/embedhlp.cxx:424:46
> #27 0x2ad6a446d4ea in svt::EmbeddedObjectRef::GetGraphic() const
/svtools/source/misc/embedhlp.cxx:453:54
> #28 0x2ad69d4a9470 in SdrOle2Obj::GetGraphic() const
/svx/source/svdraw/svdoole2.cxx:1635:33
> #29 0x2ad71b222d01 in
ScDrawTransferObj::ScDrawTransferObj(std::unique_ptr<SdrModel,
std::default_delete<SdrModel> >, ScDocShell*, TransferableObjectDescriptor
const&) /sc/source/ui/app/drwtrans.cxx:191:107
> #30 0x2ad71d7da932 in ScDrawView::DoCopy()
/sc/source/ui/view/drawvie4.cxx:364:56
> #31 0x2ad71c1fb75a in ScDrawShell::ExecDrawFunc(SfxRequest&)
/sc/source/ui/drawfunc/drawsh5.cxx:328:20
> #32 0x2ad71c1b181f in SfxStubScDrawShellExecDrawFunc(SfxShell*,
SfxRequest&) /workdir/SdiTarget/sc/sdi/scslots.hxx:2823:1
> #33 0x2ad68de39d05 in SfxShell::CallExec(void (*)(SfxShell*,
SfxRequest&), SfxRequest&) /include/sfx2/shell.hxx:197:35
> #34 0x2ad68ddd1214 in SfxDispatcher::Call_Impl(SfxShell&, SfxSlot
const&, SfxRequest&, bool) /sfx2/source/control/dispatch.cxx:253:16
> #35 0x2ad68dde721f in SfxDispatcher::Execute_(SfxShell&, SfxSlot
const&, SfxRequest&, SfxCallMode) /sfx2/source/control/dispatch.cxx:753:9
> #36 0x2ad68dd5edff in SfxBindings::Execute_Impl(SfxRequest&, SfxSlot
const*, SfxShell*) /sfx2/source/control/bindings.cxx:1060:22
> #37 0x2ad68e24a322 in
SfxDispatchController_Impl::dispatch(com::sun::star::util::URL const&,
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&,
com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener>
const&) /sfx2/source/control/unoctitm.cxx:758:53
> #38 0x2ad68e245261 in
SfxOfficeDispatch::dispatch(com::sun::star::util::URL const&,
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)
/sfx2/source/control/unoctitm.cxx:229:16
> #39 0x2ad67e465052 in comphelper::dispatchCommand(rtl::OUString
const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&,
com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&,
com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener>
const&) /comphelper/source/misc/dispatchcommand.cxx:61:12
> #40 0x2ad67e4657c5 in comphelper::dispatchCommand(rtl::OUString
const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
const&,
com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener>
const&) /comphelper/source/misc/dispatchcommand.cxx:76:12
> #41 0x2ad6b39a49a6 in UITest::executeCommand(rtl::OUString const&)
/vcl/source/uitest/uitest.cxx:24:12
> #42 0x2ad6b39b7240 in (anonymous
namespace)::UITestUnoObj::executeCommand(rtl::OUString const&)
/vcl/source/uitest/uno/uitest_uno.cxx:69:12
> #43 0x2ad6ee6508db in gcc3::callVirtualMethod(void*, unsigned int,
void*, _typelib_TypeDescriptionReference*, bool, unsigned long*, unsigned int,
unsigned long*, double*)
/bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx:77:5
> #44 0x2ad6ee64abf2 in
cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy*,
bridges::cpp_uno::shared::VtableSlot, _typelib_TypeDescriptionReference*, int,
_typelib_MethodParameter*, void*, void**, _uno_Any**)
/bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:233:13
> #45 0x2ad6ee64773d in unoInterfaceProxyDispatch
/bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:413:13
> #46 0x2ad6f3a7d2ca in
binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*,
std::__debug::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny>
>*) const /binaryurp/source/incomingrequest.cxx:235:13
Creating a pivot chart apparently generates XML output containing
<chart:plot-area table:cell-range-address="PivotChart" ...>
which does not conform to ODF, see the mail thread starting at
<https://lists.freedesktop.org/archives/libreoffice/2021-February/086884.html>
"Integer overflow in Calc lcl_getSingleCellAddressFromXMLString nColumn
computation" for details.
And, ignoring the signed-integer-overflow UB for now,
InternalDataProvider::convertRangeFromXML would always have returned an
empty
OUString for an input of aXMLRange="PivotChart":
chart::XMLRangeHelper::getCellRangeFromXMLString with
rXMLString="PivotChart"
calls lcl_getCellAddressFromXMLString with rXMLString="PivotChart",
nStartPos=0,
nEndPos=9, its leading while-loop mis-computes nDelimiterPos=nEndPos, so
calls
lcl_getCellAddressFromXMLString with rXMLString="PivotChart", nStartPos=0,
nEndPos=9, its leading while-loop mis-computes nDelimiterPos=nEndPos, so it
doesn't set rOutTableName, so lcl_getCellAddressFromXMLString returns
bResult=false, so chart::XMLRangeHelper::getCellRangeFromXMLString returns
an
empty CellRange().
So, similar to 9e5314f19c9dcff35b5cee5c5a1b7f744e495b2e "tdf#107097 invoke
internal DP and correctly handle 'range' names" added special handling of
aXMLRange values starting with "PT@" to
InternalDataProvider::convertRangeFromXML, also add explicit special
handling
for "PivotChart" (instead of relying on the later code returning an empty
string, but after invoking UB).
Change-Id: I1671f0ab3b3ab00dce8e348aa3b7141ebebaaad5
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/112207
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <[email protected]>
(cherry picked from commit 6d43ba110084605462901bcee786c7ae4c1f3bdf)
diff --git a/chart2/source/tools/InternalDataProvider.cxx
b/chart2/source/tools/InternalDataProvider.cxx
index eec8280425b4..24d0c85b809b 100644
--- a/chart2/source/tools/InternalDataProvider.cxx
+++ b/chart2/source/tools/InternalDataProvider.cxx
@@ -1222,6 +1222,13 @@ OUString SAL_CALL
InternalDataProvider::convertRangeToXML( const OUString& aRang
OUString SAL_CALL InternalDataProvider::convertRangeFromXML( const OUString&
aXMLRange )
{
+ // Handle non-standards-conforming table:cell-range-address="PivotChart",
see
+ // <https://bugs.documentfoundation.org/show_bug.cgi?id=112783> "PIVOT
CHARTS: Save produces
+ // invalid file because of invalid cell address":
+ if (aXMLRange == "PivotChart") {
+ return "";
+ }
+
const OUString aPivotTableID("PT@");
if (aXMLRange.startsWith(aPivotTableID))
return aXMLRange.copy(aPivotTableID.getLength());
commit b89fd4bd6140980b7aba092b3061e604dce5f3bb
Author: Caolán McNamara <[email protected]>
AuthorDate: Sun Feb 28 18:53:55 2021 +0000
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:56:04 2021 +0100
ofz#31538 null-deref
Change-Id: I3264c0fd509e16cf4727847199f0be316d03d0e8
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/111713
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit 58f5c3b07701a14a61dc6b11f959faaf8aa98b9b)
diff --git a/sw/source/core/undo/undobj.cxx b/sw/source/core/undo/undobj.cxx
index fa86072a3008..3b1860ecc7c1 100644
--- a/sw/source/core/undo/undobj.cxx
+++ b/sw/source/core/undo/undobj.cxx
@@ -1558,9 +1558,14 @@ static bool IsNotBackspaceHeuristic(
SwPosition const& rStart, SwPosition const& rEnd)
{
// check if the selection is backspace/delete created by DelLeft/DelRight
- return rStart.nNode.GetIndex() + 1 != rEnd.nNode.GetIndex()
- || rEnd.nContent != 0
- || rStart.nContent != rStart.nNode.GetNode().GetTextNode()->Len();
+ if (rStart.nNode.GetIndex() + 1 != rEnd.nNode.GetIndex())
+ return true;
+ if (rEnd.nContent != 0)
+ return true;
+ const SwTextNode* pTextNode = rStart.nNode.GetNode().GetTextNode();
+ if (!pTextNode || rStart.nContent != pTextNode->Len())
+ return true;
+ return false;
}
bool IsDestroyFrameAnchoredAtChar(SwPosition const & rAnchorPos,
commit 91af895a465674ebc211965d55cce82ebe37dc46
Author: Caolán McNamara <[email protected]>
AuthorDate: Thu Jan 28 14:54:13 2021 +0000
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:56:00 2021 +0100
ofz#30005 crash in LwpFribPtr::XFConvert
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/110086
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit 4e84a42add9c8ac27feb5e49a96e00ffcc8f0bc8)
Change-Id: I4f03c1cd8bc12f3fa09c815837b289ff088c91d3
diff --git a/lotuswordpro/source/filter/lwpfribptr.cxx
b/lotuswordpro/source/filter/lwpfribptr.cxx
index f1d9917de8bf..8eabe7099883 100644
--- a/lotuswordpro/source/filter/lwpfribptr.cxx
+++ b/lotuswordpro/source/filter/lwpfribptr.cxx
@@ -85,7 +85,8 @@
#include <lwpdropcapmgr.hxx>
LwpFribPtr::LwpFribPtr()
- : m_pFribs(nullptr),m_pXFPara(nullptr),m_pPara(nullptr)
+ : m_pFribs(nullptr)
+ , m_pPara(nullptr)
{
}
@@ -174,7 +175,7 @@ void LwpFribPtr::XFConvert()
case FRIB_TAG_TEXT:
{
LwpFribText* textFrib= static_cast<LwpFribText*>(pFrib);
- textFrib->XFConvert(m_pXFPara,m_pPara->GetStory());
+ textFrib->XFConvert(m_pXFPara.get(),m_pPara->GetStory());
}
break;
case FRIB_TAG_TAB:
@@ -246,7 +247,7 @@ void LwpFribPtr::XFConvert()
case FRIB_TAG_UNICODE3: //fall through
{
LwpFribUnicode* unicodeFrib= static_cast<LwpFribUnicode*>(pFrib);
- unicodeFrib->XFConvert(m_pXFPara,m_pPara->GetStory());
+ unicodeFrib->XFConvert(m_pXFPara.get(), m_pPara->GetStory());
}
break;
case FRIB_TAG_HARDSPACE:
@@ -255,15 +256,15 @@ void LwpFribPtr::XFConvert()
LwpStory *pStory = m_pPara->GetStory();
LwpHyperlinkMgr* pHyperlink = pStory ? pStory->GetHyperlinkMgr() :
nullptr;
if (pHyperlink && pHyperlink->GetHyperlinkFlag())
- pFrib->ConvertHyperLink(m_pXFPara,pHyperlink,sHardSpace);
+ pFrib->ConvertHyperLink(m_pXFPara.get(),
pHyperlink,sHardSpace);
else
- pFrib->ConvertChars(m_pXFPara,sHardSpace);
+ pFrib->ConvertChars(m_pXFPara.get(), sHardSpace);
}
break;
case FRIB_TAG_SOFTHYPHEN:
{
OUString sSoftHyphen(u'\x00ad');
- pFrib->ConvertChars(m_pXFPara,sSoftHyphen);
+ pFrib->ConvertChars(m_pXFPara.get(), sSoftHyphen);
}
break;
case FRIB_TAG_FRAME:
@@ -275,64 +276,64 @@ void LwpFribPtr::XFConvert()
LwpFoundry* pFoundry = m_pPara->GetFoundry();
LwpDropcapMgr* pMgr = pFoundry ? pFoundry->GetDropcapMgr() :
nullptr;
if (pMgr)
- pMgr->SetXFPara(m_pXFPara);
+ pMgr->SetXFPara(m_pXFPara.get());
}
- frameFrib->XFConvert(m_pXFPara);
+ frameFrib->XFConvert(m_pXFPara.get());
break;
}
case FRIB_TAG_CHBLOCK:
{
LwpFribCHBlock* chbFrib = static_cast<LwpFribCHBlock*>(pFrib);
- chbFrib->XFConvert(m_pXFPara,m_pPara->GetStory());
+ chbFrib->XFConvert(m_pXFPara.get(),m_pPara->GetStory());
}
break;
case FRIB_TAG_TABLE:
{
LwpFribTable* tableFrib = static_cast<LwpFribTable*>(pFrib);
//tableFrib->XFConvert(m_pPara->GetXFContainer());
- tableFrib->XFConvert(m_pXFPara);
+ tableFrib->XFConvert(m_pXFPara.get());
}
break;
case FRIB_TAG_BOOKMARK:
{
LwpFribBookMark* bookmarkFrib =
static_cast<LwpFribBookMark*>(pFrib);
- bookmarkFrib->XFConvert(m_pXFPara);
+ bookmarkFrib->XFConvert(m_pXFPara.get());
}
break;
case FRIB_TAG_FOOTNOTE:
{
LwpFribFootnote* pFootnoteFrib =
static_cast<LwpFribFootnote*>(pFrib);
- pFootnoteFrib->XFConvert(m_pXFPara);
+ pFootnoteFrib->XFConvert(m_pXFPara.get());
break;
}
case FRIB_TAG_FIELD:
{
LwpFribField* fieldFrib = static_cast<LwpFribField*>(pFrib);
- fieldFrib->XFConvert(m_pXFPara);
+ fieldFrib->XFConvert(m_pXFPara.get());
break;
}
case FRIB_TAG_NOTE:
{
LwpFribNote* pNoteFrib = static_cast<LwpFribNote*>(pFrib);
- pNoteFrib->XFConvert(m_pXFPara);
+ pNoteFrib->XFConvert(m_pXFPara.get());
break;
}
case FRIB_TAG_PAGENUMBER:
{
LwpFribPageNumber* pagenumFrib =
static_cast<LwpFribPageNumber*>(pFrib);
- pagenumFrib->XFConvert(m_pXFPara);
+ pagenumFrib->XFConvert(m_pXFPara.get());
break;
}
case FRIB_TAG_DOCVAR:
{
LwpFribDocVar* docFrib = static_cast<LwpFribDocVar*>(pFrib);
- docFrib->XFConvert(m_pXFPara);
+ docFrib->XFConvert(m_pXFPara.get());
break;
}
case FRIB_TAG_RUBYMARKER:
{
LwpFribRubyMarker* rubyFrib =
static_cast<LwpFribRubyMarker*>(pFrib);
- rubyFrib->XFConvert(m_pXFPara);
+ rubyFrib->XFConvert(m_pXFPara.get());
break;
}
case FRIB_TAG_RUBYFRAME:
diff --git a/lotuswordpro/source/filter/lwpfribptr.hxx
b/lotuswordpro/source/filter/lwpfribptr.hxx
index d59cb81ca0d4..847690242911 100644
--- a/lotuswordpro/source/filter/lwpfribptr.hxx
+++ b/lotuswordpro/source/filter/lwpfribptr.hxx
@@ -75,13 +75,13 @@ public:
void ReadPara(LwpObjectStream* pObjStrm);
private:
LwpFrib* m_pFribs;
- XFParagraph* m_pXFPara;//Current XFPara used for frib parsing
+ rtl::Reference<XFParagraph> m_pXFPara; //Current XFPara used for frib
parsing
LwpPara* m_pPara;//for get foundry
static void ProcessDropcap(LwpStory* pStory, const LwpFrib*
pFrib,sal_uInt32 nLen);
public:
void XFConvert();
void SetXFPara(XFParagraph* Para){m_pXFPara = Para;}
- XFParagraph* GetXFPara(){return m_pXFPara;}
+ XFParagraph* GetXFPara() { return m_pXFPara.get(); }
void SetPara(LwpPara* para){m_pPara=para;}
void RegisterStyle();
LwpFrib* GetFribs(){return m_pFribs;}
commit eba2e597e694f435d6e77a4c91e6f2dce1df7271
Author: Caolán McNamara <[email protected]>
AuthorDate: Mon Jan 4 17:19:47 2021 +0000
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:55:54 2021 +0100
ofz#29234 Integer-overflow
sc/source/core/tool/interpr1.cxx:9578:39: runtime error: signed integer
overflow: 1 + 2147483647 cannot be represented in type 'int'
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/108677
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit 52de00024e84c063ab292890256cda59fe259ef5)
Change-Id: I2975ae1daab826f10f0e52e7d7421ac8dcc9fffc
diff --git a/sc/source/core/tool/interpr1.cxx b/sc/source/core/tool/interpr1.cxx
index e375f1626ec5..0f37b4f9f35e 100644
--- a/sc/source/core/tool/interpr1.cxx
+++ b/sc/source/core/tool/interpr1.cxx
@@ -9505,6 +9505,8 @@ void ScInterpreter::ScMid()
OUString aStr = GetString().getString();
if ( nStart < 1 || nSubLen < 0 )
PushIllegalArgument();
+ else if (nStart > kScInterpreterMaxStrLen || nSubLen >
kScInterpreterMaxStrLen)
+ PushError(FormulaError::StringOverflow);
else
{
sal_Int32 nLen = aStr.getLength();
commit b90e337bb78cb379f9740f0fab8185dc48ed3e6d
Author: Michael Stahl <[email protected]>
AuthorDate: Tue Nov 9 12:35:04 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:53:21 2021 +0100
openldap: upgrade to release 2.4.59
Fixes CVE-2020-36230 and CVE-2020-36229 in libldap, plus lots of
other CVEs that affect only the server.
Unfortunately it looks like NSS support was removed in release 2.5.0.
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124914
Tested-by: Jenkins
Reviewed-by: Michael Stahl <[email protected]>
(cherry picked from commit 9393325c1db9fa25037d208607b71adb567a8bbc)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124860
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit b7c670984e4af1c73fa05731ca8029cec487bd52)
Change-Id: Ie43d7da1b9e92b5712f9cd22c4613648394c696f
diff --git a/download.lst b/download.lst
index 1de4bef21d5a..8f1444d047b9 100644
--- a/download.lst
+++ b/download.lst
@@ -214,8 +214,8 @@ export ODFVALIDATOR_SHA256SUM :=
d55495ab3a86544650587de2a72180ddf8bfc6376d14ddf
export ODFVALIDATOR_JAR :=
odfvalidator-0.9.0-RC2-SNAPSHOT-jar-with-dependencies-2726ab578664434a545f8379a01a9faffac0ae73.jar
export OFFICEOTRON_SHA256SUM :=
f2443f27561af52324eee03a1892d9f569adc8db9e7bca55614898bc2a13a770
export OFFICEOTRON_JAR :=
8249374c274932a21846fa7629c2aa9b-officeotron-0.7.4-master.jar
-export OPENLDAP_SHA256SUM :=
cdd6cffdebcd95161a73305ec13fc7a78e9707b46ca9f84fb897cd5626df3824
-export OPENLDAP_TARBALL := openldap-2.4.45.tgz
+export OPENLDAP_SHA256SUM :=
99f37d6747d88206c470067eda624d5e48c1011e943ec0ab217bae8712e22f34
+export OPENLDAP_TARBALL := openldap-2.4.59.tgz
export OPENSSL_SHA256SUM :=
14cb464efe7ac6b54799b34456bd69558a749a4931ecfd9cf9f71d7881cac7bc
export OPENSSL_TARBALL := openssl-1.0.2t.tar.gz
export ORCUS_SHA256SUM :=
0dd26f3f2e611c51df9ee02d6dbf08887989eaa417b73f6877cd0d94df795fc2
commit 78ced0fc585c36fbb7e48939b04745a89e72b355
Author: David Tardon <[email protected]>
AuthorDate: Sun Jan 17 16:27:55 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:53:07 2021 +0100
upload libodfgen 0.1.8
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/109840
Tested-by: Jenkins
Reviewed-by: David Tardon <[email protected]>
(cherry picked from commit f341a9da2eb63ea40ccc5a17d7c9dc557682469f)
Change-Id: Ibc59469b74d54a2b307ea708ea5c4a752532f0b0
diff --git a/download.lst b/download.lst
index 617cd523b91f..1de4bef21d5a 100644
--- a/download.lst
+++ b/download.lst
@@ -207,9 +207,9 @@ export NEON_SHA256SUM :=
db0bd8cdec329b48f53a6f00199c92d5ba40b0f015b153718d1b15d
export NEON_TARBALL := neon-0.30.2.tar.gz
export NSS_SHA256SUM :=
ec6032d78663c6ef90b4b83eb552dedf721d2bce208cec3bf527b8f637db7e45
export NSS_TARBALL := nss-3.55-with-nspr-4.27.tar.gz
-export ODFGEN_SHA256SUM :=
2c7b21892f84a4c67546f84611eccdad6259875c971e98ddb027da66ea0ac9c2
-export ODFGEN_VERSION_MICRO := 6
-export ODFGEN_TARBALL := libodfgen-0.1.$(ODFGEN_VERSION_MICRO).tar.bz2
+export ODFGEN_SHA256SUM :=
55200027fd46623b9bdddd38d275e7452d1b0ff8aeddcad6f9ae6dc25f610625
+export ODFGEN_VERSION_MICRO := 8
+export ODFGEN_TARBALL := libodfgen-0.1.$(ODFGEN_VERSION_MICRO).tar.xz
export ODFVALIDATOR_SHA256SUM :=
d55495ab3a86544650587de2a72180ddf8bfc6376d14ddfa923992dbc86a06e0
export ODFVALIDATOR_JAR :=
odfvalidator-0.9.0-RC2-SNAPSHOT-jar-with-dependencies-2726ab578664434a545f8379a01a9faffac0ae73.jar
export OFFICEOTRON_SHA256SUM :=
f2443f27561af52324eee03a1892d9f569adc8db9e7bca55614898bc2a13a770
diff --git
a/external/libodfgen/0001-tdf-101077-make-double-string-conversion-locale-agno.patch.1
b/external/libodfgen/0001-tdf-101077-make-double-string-conversion-locale-agno.patch.1
deleted file mode 100644
index 1fc4e6b9d261..000000000000
---
a/external/libodfgen/0001-tdf-101077-make-double-string-conversion-locale-agno.patch.1
+++ /dev/null
@@ -1,58 +0,0 @@
-From 68e0c8e4c834df57bc9a0e8da72151f69ff5e7a6 Mon Sep 17 00:00:00 2001
-From: David Tardon <[email protected]>
-Date: Fri, 12 Aug 2016 12:50:39 +0200
-Subject: [PATCH] tdf#101077 make double->string conversion locale-agnostic
-
----
- src/OdsGenerator.cxx | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/src/OdsGenerator.cxx b/src/OdsGenerator.cxx
-index 52e135e..8cb7203 100644
---- a/src/OdsGenerator.cxx
-+++ b/src/OdsGenerator.cxx
-@@ -26,6 +26,8 @@
-
- #include <librevenge/librevenge.h>
-
-+#include <iomanip>
-+#include <locale>
- #include <map>
- #include <stack>
- #include <sstream>
-@@ -46,6 +48,19 @@
- #include "OdcGenerator.hxx"
- #include "OdfGenerator.hxx"
-
-+namespace
-+{
-+
-+librevenge::RVNGString makePreciseStr(const double value)
-+{
-+ std::ostringstream os;
-+ os.imbue(std::locale::classic());
-+ os << std::fixed << std::setprecision(8) << value;
-+ return os.str().c_str();
-+}
-+
-+}
-+
- class OdsGeneratorPrivate : public OdfGenerator
- {
- public:
-@@ -968,10 +983,10 @@ void OdsGenerator::openSheetCell(const
librevenge::RVNGPropertyList &propList)
- // we need the maximum precision here,
so we must avoid getStr() when possible
- librevenge::RVNGString value;
- if
(propList["librevenge:value"]->getUnit()==librevenge::RVNG_GENERIC)
-- value.sprintf("%.8f",
propList["librevenge:value"]->getDouble());
-+ value =
makePreciseStr(propList["librevenge:value"]->getDouble());
- else if
(propList["librevenge:value"]->getUnit()==librevenge::RVNG_PERCENT)
- {
-- value.sprintf("%.8f",
propList["librevenge:value"]->getDouble()*100.);
-+ value =
makePreciseStr(propList["librevenge:value"]->getDouble()*100.);
- value.append('%');
- }
- else
---
-2.7.4
-
diff --git a/external/libodfgen/ExternalProject_libodfgen.mk
b/external/libodfgen/ExternalProject_libodfgen.mk
index c02b4f532d65..a173cdd47535 100644
--- a/external/libodfgen/ExternalProject_libodfgen.mk
+++ b/external/libodfgen/ExternalProject_libodfgen.mk
@@ -16,6 +16,7 @@ $(eval $(call gb_ExternalProject_register_targets,libodfgen,\
))
$(eval $(call gb_ExternalProject_use_externals,libodfgen,\
+ libxml2 \
revenge \
))
@@ -33,10 +34,11 @@ $(call gb_ExternalProject_get_state_target,libodfgen,build)
:
--disable-werror \
--disable-weffc \
--without-docs \
- --with-sharedptr=c++11 \
$(if
$(verbose),--disable-silent-rules,--enable-silent-rules) \
CXXFLAGS="$(gb_CXXFLAGS) $(if
$(ENABLE_OPTIMIZED),$(gb_COMPILEROPTFLAGS),$(gb_COMPILERNOOPTFLAGS))" \
CPPFLAGS="$(CPPFLAGS) $(if $(SYSTEM_REVENGE),,$(if
$(filter-out MSC,$(COM)),-DLIBREVENGE_VISIBILITY))" \
+ XML_CFLAGS="$(LIBXML_CFLAGS)" \
+ XML_LIBS="$(LIBXML_LIBS)" \
$(if $(filter LINUX,$(OS)),$(if $(SYSTEM_REVENGE),, \
'LDFLAGS=-Wl$(COMMA)-z$(COMMA)origin \
-Wl$(COMMA)-rpath$(COMMA)\$$$$ORIGIN'))
\
diff --git a/external/libodfgen/Library_odfgen.mk
b/external/libodfgen/Library_odfgen.mk
index 946fa9081452..b67f5ad89715 100644
--- a/external/libodfgen/Library_odfgen.mk
+++ b/external/libodfgen/Library_odfgen.mk
@@ -12,6 +12,7 @@ $(eval $(call gb_Library_Library,odfgen))
$(eval $(call gb_Library_use_unpacked,odfgen,libodfgen))
$(eval $(call gb_Library_use_externals,odfgen,\
+ libxml2 \
revenge \
))
@@ -26,7 +27,6 @@ $(eval $(call gb_Library_add_defs,odfgen,\
-DDLL_EXPORT \
-DLIBODFGEN_BUILD \
-DNDEBUG \
- -DSHAREDPTR_STD \
-DPACKAGE=\"libodfgen\" \
-DVERSION=\"0.1.$(ODFGEN_VERSION_MICRO)\" \
))
@@ -40,6 +40,7 @@ $(eval $(call
gb_Library_add_generated_exception_objects,odfgen,\
UnpackedTarball/libodfgen/src/GraphicStyle \
UnpackedTarball/libodfgen/src/InternalHandler \
UnpackedTarball/libodfgen/src/ListStyle \
+ UnpackedTarball/libodfgen/src/NumberingStyle \
UnpackedTarball/libodfgen/src/OdcGenerator \
UnpackedTarball/libodfgen/src/OdfGenerator \
UnpackedTarball/libodfgen/src/OdgGenerator \
diff --git a/external/libodfgen/UnpackedTarball_libodfgen.mk
b/external/libodfgen/UnpackedTarball_libodfgen.mk
index c4ea2939f4cb..d6c84e517970 100644
--- a/external/libodfgen/UnpackedTarball_libodfgen.mk
+++ b/external/libodfgen/UnpackedTarball_libodfgen.mk
@@ -29,12 +29,4 @@ $(eval $(call gb_UnpackedTarball_add_patches,libodfgen, \
endif
endif
-# * external/libodfgen/c++11.patch: obsoleted upstream by
-#
<https://sourceforge.net/p/libwpd/libodfgen/ci/e11112e50562de4f3252227bfba175ededf82194/>
-# "boost::shared_ptr -> std::shared_ptr"
-$(eval $(call gb_UnpackedTarball_add_patches,libodfgen, \
-
external/libodfgen/0001-tdf-101077-make-double-string-conversion-locale-agno.patch.1
\
- external/libodfgen/c++11.patch \
-))
-
# vim: set noet sw=4 ts=4:
diff --git a/external/libodfgen/c++11.patch b/external/libodfgen/c++11.patch
deleted file mode 100644
index f41d1a166964..000000000000
--- a/external/libodfgen/c++11.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-# Add -std=c++11 before existing CXXFLAGS, in case those already contain some
-std= (which will thus
-# override the preceding -std=c++11, which is likely what the caller passing
in those CXXFLAGS
-# intends):
-#
-#--- configure.ac
-#+++ configure.ac
-#@@ -217,7 +217,7 @@
-# AS_IF([test "x$with_sharedptr" = "xc++11"], [
-# AC_MSG_CHECKING([for c++11 shared ptr])
-# save_CXXFLAGS="$CXXFLAGS"
-#- CXXFLAGS="$CXXFLAGS -std=c++11"
-#+ CXXFLAGS="-std=c++11 $CXXFLAGS"
-# AC_COMPILE_IFELSE([
-# AC_LANG_PROGRAM(
-# [[#include <memory>]],
-#@@ -241,7 +241,7 @@
-# AC_MSG_RESULT([no])
-# ], [
-# AC_MSG_RESULT([yes])
-#- CXXFLAGS="$CXXFLAGS -std=c++11"
-#+ CXXFLAGS="-std=c++11 $CXXFLAGS"
-# ])
-# ])
-# AS_IF([test "x$with_sharedptr" = "xtr1"], [
---- configure
-+++ configure
-@@ -16723,7 +16723,7 @@
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for c++11 shared ptr"
>&5
- $as_echo_n "checking for c++11 shared ptr... " >&6; }
- save_CXXFLAGS="$CXXFLAGS"
-- CXXFLAGS="$CXXFLAGS -std=c++11"
-+ CXXFLAGS="-std=c++11 $CXXFLAGS"
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
-@@ -16780,7 +16780,7 @@
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
- $as_echo "yes" >&6; }
-- CXXFLAGS="$CXXFLAGS -std=c++11"
-+ CXXFLAGS="-std=c++11 $CXXFLAGS"
-
- fi
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
diff --git a/external/libodfgen/libodfgen-bundled-soname.patch.0
b/external/libodfgen/libodfgen-bundled-soname.patch.0
index 052ba795e40e..f5c0caf8d6d1 100644
--- a/external/libodfgen/libodfgen-bundled-soname.patch.0
+++ b/external/libodfgen/libodfgen-bundled-soname.patch.0
@@ -1,9 +1,8 @@
diff -urN src/Makefile.in.orig src/Makefile.in
--- src/Makefile.in.orig 2016-03-02 17:17:02.812606210 +0100
+++ src/Makefile.in 2016-03-02 17:17:25.176670151 +0100
-@@ -355,7 +355,7 @@
- AM_CXXFLAGS = -I$(top_srcdir)/inc/ $(REVENGE_CFLAGS) $(DEBUG_CXXFLAGS)
-DLIBODFGEN_BUILD
- libodfgen_@LIBODFGEN_MAJOR_VERSION@_@LIBODFGEN_MINOR_VERSION@_la_LIBADD =
@LIBODFGEN_WIN32_RESOURCE@ $(REVENGE_LIBS)
+@@ -355,6 +355,6 @@
+ libodfgen_@LIBODFGEN_MAJOR_VERSION@_@LIBODFGEN_MINOR_VERSION@_la_LIBADD =
@LIBODFGEN_WIN32_RESOURCE@ $(REVENGE_LIBS) $(XML_LIBS)
libodfgen_@LIBODFGEN_MAJOR_VERSION@_@LIBODFGEN_MINOR_VERSION@_la_DEPENDENCIES
= @LIBODFGEN_WIN32_RESOURCE@
-libodfgen_@LIBODFGEN_MAJOR_VERSION@_@LIBODFGEN_MINOR_VERSION@_la_LDFLAGS =
$(version_info) -export-dynamic -no-undefined
+libodfgen_@LIBODFGEN_MAJOR_VERSION@_@LIBODFGEN_MINOR_VERSION@_la_LDFLAGS =
$(version_info) -export-dynamic -no-undefined -release lo
diff --git a/solenv/flatpak-manifest.in b/solenv/flatpak-manifest.in
index 1246e5f6786a..59d1c9cdedea 100644
--- a/solenv/flatpak-manifest.in
+++ b/solenv/flatpak-manifest.in
@@ -273,10 +273,10 @@
"dest-filename": "external/tarballs/libmwaw-0.3.16.tar.xz"
},
{
- "url":
"https://dev-www.libreoffice.org/src/libodfgen-0.1.6.tar.bz2";,
- "sha256":
"2c7b21892f84a4c67546f84611eccdad6259875c971e98ddb027da66ea0ac9c2",
+ "url":
"https://dev-www.libreoffice.org/src/libodfgen-0.1.8.tar.xz";,
+ "sha256":
"55200027fd46623b9bdddd38d275e7452d1b0ff8aeddcad6f9ae6dc25f610625",
"type": "file",
- "dest-filename":
"external/tarballs/libodfgen-0.1.6.tar.bz2"
+ "dest-filename": "external/tarballs/libodfgen-0.1.8.tar.xz"
},
{
"url":
"https://dev-www.libreoffice.org/src/libpagemaker-0.0.4.tar.xz";,
commit edac00c4701b290a84c8fee12a63666319ed1cef
Author: David Tardon <[email protected]>
AuthorDate: Sat Apr 18 13:54:18 2020 +0200
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:52:22 2021 +0100
upload libmwaw 0.3.16
Change-Id: Idc7ed6bbcd3298138fb92c81ddf7dd6278d201dc
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/92472
Tested-by: Jenkins
Reviewed-by: David Tardon <[email protected]>
(cherry picked from commit 56c4444638c0ebb21711b02d1ff235a3ffd3f232)
diff --git a/configure.ac b/configure.ac
index b9807525b793..3463e7458479 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8548,7 +8548,7 @@ libo_CHECK_SYSTEM_MODULE([libcdr],[CDR],[libcdr-0.1])
libo_CHECK_SYSTEM_MODULE([libmspub],[MSPUB],[libmspub-0.1])
libo_CHECK_SYSTEM_MODULE([libmwaw],[MWAW],[libmwaw-0.3 >= 0.3.1])
-libo_PKG_VERSION([MWAW], [libmwaw-0.3], [0.3.15])
+libo_PKG_VERSION([MWAW], [libmwaw-0.3], [0.3.16])
libo_CHECK_SYSTEM_MODULE([libetonyek],[ETONYEK],[libetonyek-0.1])
libo_PKG_VERSION([ETONYEK], [libetonyek-0.1], [0.1.8])
diff --git a/download.lst b/download.lst
index d701e8bd2d8f..617cd523b91f 100644
--- a/download.lst
+++ b/download.lst
@@ -198,8 +198,8 @@ export MDNSRESPONDER_SHA256SUM :=
e777b4d7dbf5eb1552cb80090ad1ede319067ab6e45e39
export MDNSRESPONDER_TARBALL := mDNSResponder-878.200.35.tar.gz
export MSPUB_SHA256SUM :=
ef36c1a1aabb2ba3b0bedaaafe717bf4480be2ba8de6f3894be5fd3702b013ba
export MSPUB_TARBALL := libmspub-0.1.4.tar.xz
-export MWAW_SHA256SUM :=
0440bb09f05e3419423d8dfa36ee847056ebfd837f9cbc091fdb5b057daab0b1
-export MWAW_VERSION_MICRO := 15
+export MWAW_SHA256SUM :=
0c639edba5297bde5575193bf5b5f2f469956beaff5c0206d91ce9df6bde1868
+export MWAW_VERSION_MICRO := 16
export MWAW_TARBALL := libmwaw-0.3.$(MWAW_VERSION_MICRO).tar.xz
export MYTHES_SHA256SUM :=
1e81f395d8c851c3e4e75b568e20fa2fa549354e75ab397f9de4b0e0790a305f
export MYTHES_TARBALL := a8c2c5b8f09e7ede322d5c602ff6a4b6-mythes-1.2.4.tar.gz
diff --git a/external/libmwaw/Library_mwaw.mk b/external/libmwaw/Library_mwaw.mk
index fc874fcb5e45..880a70861e24 100644
--- a/external/libmwaw/Library_mwaw.mk
+++ b/external/libmwaw/Library_mwaw.mk
@@ -120,6 +120,7 @@ $(eval $(call
gb_Library_add_generated_exception_objects,mwaw,\
UnpackedTarball/libmwaw/src/lib/MWAWSpreadsheetDecoder \
UnpackedTarball/libmwaw/src/lib/MWAWSpreadsheetEncoder \
UnpackedTarball/libmwaw/src/lib/MWAWSpreadsheetListener \
+ UnpackedTarball/libmwaw/src/lib/MWAWStream \
UnpackedTarball/libmwaw/src/lib/MWAWStringStream \
UnpackedTarball/libmwaw/src/lib/MWAWSubDocument \
UnpackedTarball/libmwaw/src/lib/MWAWTable \
@@ -173,10 +174,13 @@ $(eval $(call
gb_Library_add_generated_exception_objects,mwaw,\
UnpackedTarball/libmwaw/src/lib/PowerPoint7Text \
UnpackedTarball/libmwaw/src/lib/RagTime5Chart \
UnpackedTarball/libmwaw/src/lib/RagTime5ClusterManager \
+ UnpackedTarball/libmwaw/src/lib/RagTime5Document \
+ UnpackedTarball/libmwaw/src/lib/RagTime5Formula \
UnpackedTarball/libmwaw/src/lib/RagTime5Graph \
UnpackedTarball/libmwaw/src/lib/RagTime5Layout \
UnpackedTarball/libmwaw/src/lib/RagTime5Parser \
UnpackedTarball/libmwaw/src/lib/RagTime5Pipeline \
+ UnpackedTarball/libmwaw/src/lib/RagTime5SSParser \
UnpackedTarball/libmwaw/src/lib/RagTime5Spreadsheet \
UnpackedTarball/libmwaw/src/lib/RagTime5StructManager \
UnpackedTarball/libmwaw/src/lib/RagTime5StyleManager \
diff --git a/solenv/flatpak-manifest.in b/solenv/flatpak-manifest.in
index 4ff860db39e6..1246e5f6786a 100644
--- a/solenv/flatpak-manifest.in
+++ b/solenv/flatpak-manifest.in
@@ -267,10 +267,10 @@
"dest-filename": "external/tarballs/libmspub-0.1.4.tar.xz"
},
{
- "url":
"https://dev-www.libreoffice.org/src/libmwaw-0.3.15.tar.xz";,
- "sha256":
"0440bb09f05e3419423d8dfa36ee847056ebfd837f9cbc091fdb5b057daab0b1",
+ "url":
"https://dev-www.libreoffice.org/src/libmwaw-0.3.16.tar.xz";,
+ "sha256":
"0c639edba5297bde5575193bf5b5f2f469956beaff5c0206d91ce9df6bde1868",
"type": "file",
- "dest-filename": "external/tarballs/libmwaw-0.3.15.tar.xz"
+ "dest-filename": "external/tarballs/libmwaw-0.3.16.tar.xz"
},
{
"url":
"https://dev-www.libreoffice.org/src/libodfgen-0.1.6.tar.bz2";,
commit b9e3de484bb8a3847c6bceef5fc4e50e42dbea31
Author: Michael Stahl <[email protected]>
AuthorDate: Fri Nov 5 18:33:07 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:52:16 2021 +0100
icu: add patch for CVE-2021-30535
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124779
Tested-by: Jenkins
Reviewed-by: Michael Stahl <[email protected]>
(cherry picked from commit 35eef8ec9b122a761400f3c6590ca1f9a187d772)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124701
Reviewed-by: Thorsten Behrens <[email protected]>
(cherry picked from commit 105c258fcdd69f617de64b780ffcdb8304ff262c)
Change-Id: I398596f77aa47ab6d4db01b94422262048cffd3e
diff --git a/external/icu/UnpackedTarball_icu.mk
b/external/icu/UnpackedTarball_icu.mk
index d785264bebad..deeeb5171aaf 100644
--- a/external/icu/UnpackedTarball_icu.mk
+++ b/external/icu/UnpackedTarball_icu.mk
@@ -40,6 +40,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,icu,\
external/icu/c++20-comparison.patch \
external/icu/ubsan.patch \
external/icu/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca.patch.2 \
+ external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2 \
+ external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2 \
))
$(eval $(call
gb_UnpackedTarball_add_file,icu,source/data/brkitr/khmerdict.dict,external/icu/khmerdict.dict))
diff --git a/external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2
b/external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2
new file mode 100644
index 000000000000..1ded56abf524
--- /dev/null
+++ b/external/icu/cec7de7a390dd6907b0ea0feb4488ed3934ee71d.patch.2
@@ -0,0 +1,94 @@
+From cec7de7a390dd6907b0ea0feb4488ed3934ee71d Mon Sep 17 00:00:00 2001
+From: Frank Tang <[email protected]>
+Date: Tue, 16 Mar 2021 22:08:29 -0700
+Subject: [PATCH] ICU-21537 Fix invalid free by long locale name
+
+Do not free baseName if it is pointing to fullNameBuffer.
+
+Better Fix
+---
+ icu4c/source/common/locid.cpp | 9 +++++----
+ icu4c/source/test/intltest/collationtest.cpp | 10 ++++++++++
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/icu4c/source/common/locid.cpp b/icu4c/source/common/locid.cpp
+index 5d604350ecd..e16fbb724a4 100644
+--- a/icu4c/source/common/locid.cpp
++++ b/icu4c/source/common/locid.cpp
+@@ -254,7 +254,7 @@ UOBJECT_DEFINE_RTTI_IMPLEMENTATION(Locale)
+
+ Locale::~Locale()
+ {
+- if (baseName != fullName) {
++ if ((baseName != fullName) && (baseName != fullNameBuffer)) {
+ uprv_free(baseName);
+ }
+ baseName = NULL;
+@@ -466,7 +466,7 @@ Locale& Locale::operator=(const Locale& other) {
+ }
+
+ Locale& Locale::operator=(Locale&& other) U_NOEXCEPT {
+- if (baseName != fullName) uprv_free(baseName);
++ if ((baseName != fullName) && (baseName != fullNameBuffer))
uprv_free(baseName);
+ if (fullName != fullNameBuffer) uprv_free(fullName);
+
+ if (other.fullName == other.fullNameBuffer) {
+@@ -1850,7 +1850,7 @@ Locale& Locale::init(const char* localeID, UBool
canonicalize)
+ {
+ fIsBogus = FALSE;
+ /* Free our current storage */
+- if (baseName != fullName) {
++ if ((baseName != fullName) && (baseName != fullNameBuffer)) {
+ uprv_free(baseName);
+ }
+ baseName = NULL;
+@@ -1886,6 +1886,7 @@ Locale& Locale::init(const char* localeID, UBool
canonicalize)
+ uloc_getName(localeID, fullName, sizeof(fullNameBuffer), &err);
+
+ if(err == U_BUFFER_OVERFLOW_ERROR || length >=
(int32_t)sizeof(fullNameBuffer)) {
++ U_ASSERT(baseName == nullptr);
+ /*Go to heap for the fullName if necessary*/
+ fullName = (char *)uprv_malloc(sizeof(char)*(length + 1));
+ if(fullName == 0) {
+@@ -2039,7 +2040,7 @@ Locale::hashCode() const
+ void
+ Locale::setToBogus() {
+ /* Free our current storage */
+- if(baseName != fullName) {
++ if((baseName != fullName) && (baseName != fullNameBuffer)) {
+ uprv_free(baseName);
+ }
+ baseName = NULL;
+diff --git a/icu4c/source/test/intltest/collationtest.cpp
b/icu4c/source/test/intltest/collationtest.cpp
+index de51eece5c4..4f1fee9375e 100644
+--- a/icu4c/source/test/intltest/collationtest.cpp
++++ b/icu4c/source/test/intltest/collationtest.cpp
+@@ -78,6 +78,7 @@ class CollationTest : public IntlTest {
+ void TestRootElements();
+ void TestTailoredElements();
+ void TestDataDriven();
++ void TestLongLocale();
+
+ private:
+ void checkFCD(const char *name, CollationIterator &ci, CodePointIterator
&cpi);
+@@ -148,6 +149,7 @@ void CollationTest::runIndexedTest(int32_t index, UBool
exec, const char *&name,
+ TESTCASE_AUTO(TestRootElements);
+ TESTCASE_AUTO(TestTailoredElements);
+ TESTCASE_AUTO(TestDataDriven);
++ TESTCASE_AUTO(TestLongLocale);
+ TESTCASE_AUTO_END;
+ }
+
+@@ -1852,4 +1854,12 @@ void CollationTest::TestDataDriven() {
+ }
+ }
+
++void CollationTest::TestLongLocale() {
++ IcuTestErrorCode errorCode(*this, "TestLongLocale");
++ Locale
longLocale("sie__1G_C_CEIE_CEZCX_CSUE_E_EIESZNI2_GB_LM_LMCSUE_LMCSX_"
++ "LVARIANT_MMCSIE_STEU_SU1GCEIE_SU6G_SU6SU6G_U_UBGE_UC_"
++ "UCEZCSI_UCIE_UZSIU_VARIANT_X@collation=bcs-ukvsz");
++ LocalPointer<Collator> coll(Collator::createInstance(longLocale,
errorCode));
++}
++
+ #endif // !UCONFIG_NO_COLLATION
diff --git a/external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2
b/external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2
new file mode 100644
index 000000000000..4709cd8c37fd
--- /dev/null
+++ b/external/icu/e450fa50fc242282551f56b941dc93b9a8a0bcbb.patch.2
@@ -0,0 +1,39 @@
+From e450fa50fc242282551f56b941dc93b9a8a0bcbb Mon Sep 17 00:00:00 2001
+From: Frank Tang <[email protected]>
+Date: Tue, 13 Apr 2021 15:16:50 -0700
+Subject: [PATCH] ICU-21587 Fix memory bug w/ baseName
+
+Edge cases not fixed in assign and move assign operator
+while the locale is long and call setKeywordValue with incorrect
+keyword/values.
+---
+ icu4c/source/common/locid.cpp | 11 +++++++++--
+ icu4c/source/test/intltest/loctest.cpp | 26 ++++++++++++++++++++++++++
+ icu4c/source/test/intltest/loctest.h | 2 ++
+ 3 files changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/icu4c/source/common/locid.cpp b/icu4c/source/common/locid.cpp
+index 02cd82a7b8e..3c6e5b06690 100644
+--- a/icu4c/source/common/locid.cpp
++++ b/icu4c/source/common/locid.cpp
+@@ -469,14 +469,18 @@ Locale& Locale::operator=(Locale&& other) U_NOEXCEPT {
+ if ((baseName != fullName) && (baseName != fullNameBuffer))
uprv_free(baseName);
+ if (fullName != fullNameBuffer) uprv_free(fullName);
+
+- if (other.fullName == other.fullNameBuffer) {
++ if (other.fullName == other.fullNameBuffer || other.baseName ==
other.fullNameBuffer) {
+ uprv_strcpy(fullNameBuffer, other.fullNameBuffer);
++ }
++ if (other.fullName == other.fullNameBuffer) {
+ fullName = fullNameBuffer;
+ } else {
+ fullName = other.fullName;
+ }
+
+- if (other.baseName == other.fullName) {
++ if (other.baseName == other.fullNameBuffer) {
++ baseName = fullNameBuffer;
++ } else if (other.baseName == other.fullName) {
+ baseName = fullName;
+ } else {
+ baseName = other.baseName;
commit 229a4044dcc5e34c5c6df449655f5b878d1a1465
Author: Michael Stahl <[email protected]>
AuthorDate: Fri Nov 5 19:40:49 2021 +0100
Commit: Andras Timar <[email protected]>
CommitDate: Wed Nov 24 14:52:10 2021 +0100
libjpeg-turbo: add patch for CVE-2020-17541
Change-Id: Ie3fe30bea6a62e7cafeaed957d6ef6aeb879047b
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/124778
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <[email protected]>
(cherry picked from commit ebd556220a5045c1c81891b712648d220a168c70)
diff --git a/external/libjpeg-turbo/UnpackedTarball_libjpeg-turbo.mk
b/external/libjpeg-turbo/UnpackedTarball_libjpeg-turbo.mk
index a99df67bb011..5440d16ecfc1 100644
--- a/external/libjpeg-turbo/UnpackedTarball_libjpeg-turbo.mk
+++ b/external/libjpeg-turbo/UnpackedTarball_libjpeg-turbo.mk
@@ -19,6 +19,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,libjpeg-turbo,\
external/libjpeg-turbo/jpeg-turbo.build.patch.1 \
$(if $(filter
WNT,$(OS)),external/libjpeg-turbo/jpeg-turbo.win_build.patch.1) \
external/libjpeg-turbo/ubsan.patch \
+ external/libjpeg-turbo/c76f4a08263b0cea40d2967560ac7c21f6959079.patch.1
\
))
# vim: set noet sw=4 ts=4:
diff --git
a/external/libjpeg-turbo/c76f4a08263b0cea40d2967560ac7c21f6959079.patch.1
b/external/libjpeg-turbo/c76f4a08263b0cea40d2967560ac7c21f6959079.patch.1
new file mode 100644
index 000000000000..cc3da737e7b0
--- /dev/null
+++ b/external/libjpeg-turbo/c76f4a08263b0cea40d2967560ac7c21f6959079.patch.1
@@ -0,0 +1,38 @@
+From c76f4a08263b0cea40d2967560ac7c21f6959079 Mon Sep 17 00:00:00 2001
+From: DRC <[email protected]>
+Date: Thu, 5 Dec 2019 13:12:28 -0600
+Subject: [PATCH] Huffman enc.: Fix very rare local buffer overrun
+
+... detected by ASan. This is a similar issue to the issue that was
+fixed with 402a715f82313384ef4606660c32d8678c79f197. Apparently it is
+possible to create a malformed JPEG image that exceeds the Huffman
+encoder's 256-byte local buffer when attempting to losslessly tranform
+the image. That makes sense, given that it was necessary to extend the
+Huffman decoder's local buffer to 512 bytes in order to handle all
+pathological cases (refer to 0463f7c9aad060fcd56e98d025ce16185279e2bc.)
+
+Since this issue affected only lossless transformation, a workflow that
... etc. - the rest is truncated
