
From b63b8d61c1e6cf8dcb4db89a8dca92eb80452346 Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Thu, 17 May 2012 10:15:55 +0000
Subject: CVE-2012-2334

---
diff --git a/CVE-2012-2334.patch b/CVE-2012-2334.patch
new file mode 100644
index 0000000..c72e398
--- a/dev/null
+++ b/CVE-2012-2334.patch
@@ -0,0 +1,130 @@
+diff -ru libreoffice-3.3.4.1/filter/inc/filter/msfilter/msdffimp.hxx libreoffice-3.3.4.1/filter/inc/filter/msfilter/msdffimp.hxx
+--- libreoffice-3.3.4.1/filter/inc/filter/msfilter/msdffimp.hxx	2012-05-17 11:01:06.323446905 +0100
++++ libreoffice-3.3.4.1/filter/inc/filter/msfilter/msdffimp.hxx	2012-05-17 11:08:23.257229041 +0100
+@@ -77,9 +77,20 @@
+     FASTBOOL IsContainer() const { return nRecVer == DFF_PSFLAG_CONTAINER; }
+     ULONG    GetRecBegFilePos() const { return nFilePos; }
+     ULONG    GetRecEndFilePos() const { return nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen; }
+-    void SeekToEndOfRecord(SvStream& rIn) const { rIn.Seek(nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen ); }
+-    void SeekToContent(    SvStream& rIn) const { rIn.Seek(nFilePos + DFF_COMMON_RECORD_HEADER_SIZE ); }
+-    void SeekToBegOfRecord(SvStream& rIn) const { rIn.Seek( nFilePos ); }
++    bool SeekToEndOfRecord(SvStream& rIn) const
++    {
++        sal_Size nPos = nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen;
++        return nPos == rIn.Seek(nPos);
++    }
++    bool SeekToContent(SvStream& rIn) const
++    {
++        sal_Size nPos = nFilePos + DFF_COMMON_RECORD_HEADER_SIZE;
++        return nPos == rIn.Seek(nPos);
++    }
++    bool SeekToBegOfRecord(SvStream& rIn) const
++    {
++        return nFilePos == rIn.Seek(nFilePos);
++    }
+ 
+     MSFILTER_DLLPUBLIC friend SvStream& operator>>(SvStream& rIn, DffRecordHeader& rRec);
+ 
+diff -ru libreoffice-3.3.4.1/filter/source/msfilter/msdffimp.cxx libreoffice-3.3.4.1/filter/source/msfilter/msdffimp.cxx
+--- libreoffice-3.3.4.1/filter/source/msfilter/msdffimp.cxx	2012-05-17 11:01:06.231445683 +0100
++++ libreoffice-3.3.4.1/filter/source/msfilter/msdffimp.cxx	2012-05-17 11:10:34.159950744 +0100
+@@ -156,6 +156,11 @@
+ static sal_uInt32 nMSOleObjCntr = 0;
+ #define MSO_OLE_Obj "MSO_OLE_Obj"
+ 
++/*************************************************************************/
++bool lclGood(const SvStream &rStream)
++{
++    return rStream.GetError() == 0 && !rStream.IsEof();
++}
+ 
+ /*************************************************************************/
+ BOOL Impl_OlePres::Read( SvStream & rStm )
+@@ -3653,7 +3658,7 @@
+                 rSt >> aEscherF002Hd;
+                 ULONG nEscherF002End = aEscherF002Hd.GetRecEndFilePos();
+                 DffRecordHeader aEscherObjListHd;
+-                while ( rSt.Tell() < nEscherF002End )
++                while (lclGood(rSt) && rSt.Tell() < nEscherF002End)
+                 {
+                     rSt >> aEscherObjListHd;
+                     if ( aEscherObjListHd.nRecVer != 0xf )
+@@ -3687,9 +3692,16 @@
+     FASTBOOL bRet = FALSE;
+     ULONG nFPosMerk = rSt.Tell(); // FilePos merken fuer ggf. spaetere Restauration
+     DffRecordHeader aHd;
++    // make sure that we move somewhere with every iteration
++    sal_Size nStPos;
+     do
+     {
++        nStPos = rSt.Tell();
+         rSt >> aHd;
++        if (!lclGood(rSt))
++            break;
++        if (aHd.nRecLen > nMaxLegalDffRecordLength)
++            break;
+         if ( aHd.nRecType == nRecId )
+         {
+             if ( nSkipCount )
+@@ -3704,9 +3716,13 @@
+             }
+         }
+         if ( !bRet )
+-            aHd.SeekToEndOfRecord( rSt );
++        {
++            bool bSeekSuccess = aHd.SeekToEndOfRecord( rSt );
++            if (!bSeekSuccess)
++                break;
++        }
+     }
+-    while ( rSt.GetError() == 0 && rSt.Tell() < nMaxFilePos && !bRet );
++    while ( lclGood(rSt) && rSt.Tell() < nMaxFilePos && rSt.Tell() != nStPos && !bRet );
+     if ( !bRet )
+         rSt.Seek( nFPosMerk );	// FilePos restaurieren
+     return bRet;
+@@ -6319,10 +6335,17 @@
+ 
+             if ( mnIdClusters-- > 2 )
+             {
+-                if ( aDggAtomHd.nRecLen == ( mnIdClusters * sizeof( FIDCL ) + 16 ) )
++                const sal_Size nFIDCLsize = sizeof(sal_uInt32) * 2;
++                if ( aDggAtomHd.nRecLen == ( mnIdClusters * nFIDCLsize + 16 ) )
+                 {
++                    sal_Size nStCtrlCurr = rStCtrl.Tell();
++                    sal_Size nStCtrlEnd = rStCtrl.Seek(STREAM_SEEK_TO_END);
++                    sal_Size nMaxEntriesPossible = ( nStCtrlEnd - nStCtrlCurr ) / nFIDCLsize;
++                    rStCtrl.Seek(nStCtrlCurr);
++                    mnIdClusters = std::min(nMaxEntriesPossible, static_cast<sal_Size>(mnIdClusters));
+                     mpFidcls = new FIDCL[ mnIdClusters ];
+-                    for ( UINT32 i = 0; i < mnIdClusters; i++ )
++                    memset(mpFidcls, 0, mnIdClusters * sizeof(FIDCL));
++                    for (sal_uInt32 i = 0; i < mnIdClusters; ++i)
+                     {
+                         rStCtrl >> mpFidcls[ i ].dgid
+                                 >> mpFidcls[ i ].cspidCur;
+@@ -7181,7 +7203,11 @@
+     rSt >> nTmp >> rFbt >> rLength;
+     rVer = sal::static_int_cast< BYTE >(nTmp & 15);
+     rInst = nTmp >> 4;
+-    return rSt.GetError() == 0;
++    if (!lclGood(rSt))
++        return false;
++    if (rLength > nMaxLegalDffRecordLength)
++        return false;
++    return true;
+ }
+ 
+ 
+diff -ru libreoffice-3.3.4.1/svx/inc/svx/msdffdef.hxx libreoffice-3.3.4.1/svx/inc/svx/msdffdef.hxx
+--- libreoffice-3.3.4.1/svx/inc/svx/msdffdef.hxx	2012-05-17 11:01:09.195485098 +0100
++++ libreoffice-3.3.4.1/svx/inc/svx/msdffdef.hxx	2012-05-17 11:10:15.627707282 +0100
+@@ -39,6 +39,9 @@
+ 
+ #define DFF_COMMON_RECORD_HEADER_SIZE			8
+ 
++const sal_uInt32 nMaxLegalDffRecordLength = \
++    SAL_MAX_UINT32 - DFF_COMMON_RECORD_HEADER_SIZE;
++
+ #define DFF_PSFLAG_CONTAINER 0x0F         // If the version field of a record
+                                           //  header takes on this value, the
+                                           //  record header marks the start of
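Review bot: The new SeekToEndOfRecord in msdffimp.hxx still forms `nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen` with no wrap check: the nMaxLegalDffRecordLength cap added in msdffdef.hxx only keeps `8 + nRecLen` inside sal_uInt32, and if sal_Size is 32 bits on this i586 build (its definition is not in the hunk) a large nFilePos can still wrap nPos to a small offset that Seek() accepts, which the `rSt.Tell() != nStPos` guard on the do/while loop does not catch because the position did move, only backwards. A cheap guard is `if (nPos < nFilePos) return false;` before the seek in SeekToEndOfRecord and SeekToContent, so a wrapped end position is reported as a failed seek and the caller's `if (!bSeekSuccess) break;` path handles it. Separately, `lclGood` in msdffimp.cxx is declared as an ordinary global function, so despite the lcl prefix it has external linkage; `static bool lclGood(const SvStream &rStream)` keeps it file-local. The DffRecordHeader class that owns the seek helpers starts and ends outside the hunk.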