--- ooo-build/patches/src680/apply~ 2007-09-18 11:08:05.000000000 -0400 +++ ooo-build/patches/src680/apply 2007-09-18 11:08:05.000000000 -0400 @@ -404,6 +404,9 @@ # Security issue CVE-2007-0245 openoffice.org-2.2.1.ooo77214.rtfprtdata.sw.diff +# Security issue CVE-2007-2834 +openoffice.org-2.0.4-CVE-2007-2834.diff + # extrusion depth fix svx-extrusion-depth-fix.diff, n#229874, rodo --- /dev/null 2007-09-10 16:56:52.000000000 -0400 +++ ooo-build/patches/src680/openoffice.org-2.0.4-CVE-2007-2834.diff 2007-09-18 11:07:17.000000000 -0400 @@ -0,0 +1,88 @@ +--- goodies/source/filter.vcl/itiff/itiff.cxx-old 2007-06-21 14:17:54.000000000 +0100 ++++ goodies/source/filter.vcl/itiff/itiff.cxx 2007-06-21 14:18:01.000000000 +0100 +@@ -154,7 +154,7 @@ + double ReadDoubleData(); + + void ReadHeader(); +- void ReadTagData( USHORT nTagType, ULONG nDataLen ); ++ void ReadTagData( USHORT nTagType, sal_uInt32 nDataLen ); + + BOOL ReadMap( ULONG nMinPercent, ULONG nMaxPercent ); + // Liesst/dekomprimert die Bitmap-Daten, und fuellt pMap +@@ -310,7 +310,7 @@ + + // --------------------------------------------------------------------------------- + +-void TIFFReader::ReadTagData( USHORT nTagType, ULONG nDataLen) ++void TIFFReader::ReadTagData( USHORT nTagType, sal_uInt32 nDataLen) + { + if ( bStatus == FALSE ) + return; +@@ -373,16 +373,25 @@ + case 0x0111: { // Strip Offset(s) + ULONG nOldNumSO, i, * pOldSO; + pOldSO = pStripOffsets; +- if ( pOldSO == NULL ) nNumStripOffsets = 0; // Sicherheitshalber ++ if ( pOldSO == NULL ) ++ nNumStripOffsets = 0; + nOldNumSO = nNumStripOffsets; +- nNumStripOffsets += nDataLen; +- pStripOffsets = new ULONG[ nNumStripOffsets ]; +- for ( i = 0; i < nOldNumSO; i++ ) +- pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos; +- for ( i = nOldNumSO; i < nNumStripOffsets; i++ ) +- pStripOffsets[ i ] = ReadIntData() + nOrigPos; +- if ( pOldSO != NULL ) ++ nDataLen += nOldNumSO; ++ if ( ( nDataLen > nOldNumSO ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) ) ++ { ++ nNumStripOffsets = nDataLen; ++ pStripOffsets = new ULONG[ nNumStripOffsets ]; ++ if ( !pStripOffsets ) ++ nNumStripOffsets = 0; ++ else ++ { ++ for ( i = 0; i < nOldNumSO; i++ ) ++ pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos; ++ for ( i = nOldNumSO; i < nNumStripOffsets; i++ ) ++ pStripOffsets[ i ] = ReadIntData() + nOrigPos; ++ } + delete[] pOldSO; ++ } + OOODEBUG("StripOffsets (Anzahl:)",nDataLen); + break; + } +@@ -404,16 +413,25 @@ + case 0x0117: { // Strip Byte Counts + ULONG nOldNumSBC, i, * pOldSBC; + pOldSBC = pStripByteCounts; +- if ( pOldSBC == NULL ) nNumStripByteCounts = 0; // Sicherheitshalber ++ if ( pOldSBC == NULL ) ++ nNumStripByteCounts = 0; // Sicherheitshalber + nOldNumSBC = nNumStripByteCounts; +- nNumStripByteCounts += nDataLen; +- pStripByteCounts = new ULONG[ nNumStripByteCounts ]; +- for ( i = 0; i < nOldNumSBC; i++ ) +- pStripByteCounts[ i ] = pOldSBC[ i ]; +- for ( i = nOldNumSBC; i < nNumStripByteCounts; i++) +- pStripByteCounts[ i ] = ReadIntData(); +- if ( pOldSBC != NULL ) ++ nDataLen += nOldNumSBC; ++ if ( ( nDataLen > nOldNumSBC ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) ) ++ { ++ nNumStripByteCounts = nDataLen; ++ pStripByteCounts = new ULONG[ nNumStripByteCounts ]; ++ if ( !nNumStripByteCounts ) ++ nNumStripByteCounts = 0; ++ else ++ { ++ for ( i = 0; i < nOldNumSBC; i++ ) ++ pStripByteCounts[ i ] = pOldSBC[ i ]; ++ for ( i = nOldNumSBC; i < nNumStripByteCounts; i++) ++ pStripByteCounts[ i ] = ReadIntData(); ++ } + delete[] pOldSBC; ++ } + OOODEBUG("StripByteCounts (Anzahl:)",nDataLen); + break; + }