Sophie: openoffice.org-2.2.1-3mdv2008.0 src

openoffice.org-2.2.1-3mdv2008.0.src.rpm

--- ooo-build/patches/src680/apply~	2007-09-18 11:08:05.000000000 -0400
+++ ooo-build/patches/src680/apply	2007-09-18 11:08:05.000000000 -0400
@@ -404,6 +404,9 @@
 # Security issue CVE-2007-0245
 openoffice.org-2.2.1.ooo77214.rtfprtdata.sw.diff
 
+# Security issue CVE-2007-2834
+openoffice.org-2.0.4-CVE-2007-2834.diff
+
 # extrusion depth fix
 svx-extrusion-depth-fix.diff, n#229874, rodo
 
--- /dev/null	2007-09-10 16:56:52.000000000 -0400
+++ ooo-build/patches/src680/openoffice.org-2.0.4-CVE-2007-2834.diff	2007-09-18 11:07:17.000000000 -0400
@@ -0,0 +1,88 @@
+--- goodies/source/filter.vcl/itiff/itiff.cxx-old	2007-06-21 14:17:54.000000000 +0100
++++ goodies/source/filter.vcl/itiff/itiff.cxx	2007-06-21 14:18:01.000000000 +0100
+@@ -154,7 +154,7 @@
+ 	double	ReadDoubleData();
+ 
+ 	void	ReadHeader();
+-	void	ReadTagData( USHORT nTagType, ULONG nDataLen );
++	void	ReadTagData( USHORT nTagType, sal_uInt32 nDataLen );
+ 
+ 	BOOL	ReadMap( ULONG nMinPercent, ULONG nMaxPercent );
+ 		// Liesst/dekomprimert die Bitmap-Daten, und fuellt pMap
+@@ -310,7 +310,7 @@
+ 
+ // ---------------------------------------------------------------------------------
+ 
+-void TIFFReader::ReadTagData( USHORT nTagType, ULONG nDataLen)
++void TIFFReader::ReadTagData( USHORT nTagType, sal_uInt32 nDataLen)
+ {
+ 	if ( bStatus == FALSE )
+ 		return;
+@@ -373,16 +373,25 @@
+ 		case 0x0111: { // Strip Offset(s)
+ 			ULONG nOldNumSO, i, * pOldSO;
+ 			pOldSO = pStripOffsets;
+-			if ( pOldSO == NULL ) nNumStripOffsets = 0;	// Sicherheitshalber
++			if ( pOldSO == NULL )
++				nNumStripOffsets = 0;
+ 			nOldNumSO = nNumStripOffsets;
+-			nNumStripOffsets += nDataLen;
+-			pStripOffsets = new ULONG[ nNumStripOffsets ];
+-			for ( i = 0; i < nOldNumSO; i++ )
+-				pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos;
+-			for ( i = nOldNumSO; i < nNumStripOffsets; i++ )
+-				pStripOffsets[ i ] = ReadIntData() + nOrigPos;
+-			if ( pOldSO != NULL )
++			nDataLen += nOldNumSO;
++			if ( ( nDataLen > nOldNumSO ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
++			{
++				nNumStripOffsets = nDataLen;
++				pStripOffsets = new ULONG[ nNumStripOffsets ];
++				if ( !pStripOffsets )
++					nNumStripOffsets = 0;
++				else
++				{
++					for ( i = 0; i < nOldNumSO; i++ )
++						pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos;
++					for ( i = nOldNumSO; i < nNumStripOffsets; i++ )
++						pStripOffsets[ i ] = ReadIntData() + nOrigPos;
++				}
+ 				delete[] pOldSO;
++			}
+ 			OOODEBUG("StripOffsets (Anzahl:)",nDataLen);
+ 			break;
+ 		}
+@@ -404,16 +413,25 @@
+ 		case 0x0117: { // Strip Byte Counts
+ 			ULONG nOldNumSBC, i, * pOldSBC;
+ 			pOldSBC = pStripByteCounts;
+-			if ( pOldSBC == NULL ) nNumStripByteCounts = 0; // Sicherheitshalber
++			if ( pOldSBC == NULL )
++				nNumStripByteCounts = 0; // Sicherheitshalber
+ 			nOldNumSBC = nNumStripByteCounts;
+-			nNumStripByteCounts += nDataLen;
+-			pStripByteCounts = new ULONG[ nNumStripByteCounts ];
+-			for ( i = 0; i < nOldNumSBC; i++ )
+-				pStripByteCounts[ i ] = pOldSBC[ i ];
+-			for ( i = nOldNumSBC; i < nNumStripByteCounts; i++)
+-				pStripByteCounts[ i ] = ReadIntData();
+-			if ( pOldSBC != NULL )
++			nDataLen += nOldNumSBC;
++			if ( ( nDataLen > nOldNumSBC ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
++			{		
++				nNumStripByteCounts = nDataLen;
++				pStripByteCounts = new ULONG[ nNumStripByteCounts ];
++				if ( !nNumStripByteCounts )
++					nNumStripByteCounts = 0;
++				else
++				{
++					for ( i = 0; i < nOldNumSBC; i++ )
++						pStripByteCounts[ i ] = pOldSBC[ i ];
++					for ( i = nOldNumSBC; i < nNumStripByteCounts; i++)
++						pStripByteCounts[ i ] = ReadIntData();
++				}
+ 				delete[] pOldSBC;
++			}
+ 			OOODEBUG("StripByteCounts (Anzahl:)",nDataLen);
+ 			break;
+ 		}