
openoffice.org-3.2.0-12.35.fc13.src.rpm

diff -r 5b1ceed28385 sd/source/filter/ppt/propread.cxx
--- a/sd/source/filter/ppt/propread.cxx	Fri Aug 06 14:53:07 2010 +0200
+++ b/sd/source/filter/ppt/propread.cxx	Mon Aug 09 14:04:21 2010 +0200
@@ -32,6 +32,7 @@
 #include "precompiled_sd.hxx"
 #include <propread.hxx>
 #include <tools/bigint.hxx>
+#include "tools/debug.hxx"
 #include "rtl/tencinfo.h"
 #include "rtl/textenc.h"
 
@@ -93,6 +94,17 @@
 
 //	-----------------------------------------------------------------------
 
+static xub_StrLen lcl_getMaxSafeStrLen(sal_uInt32 nSize)
+{
+	nSize -= 1; //Drop NULL terminator
+
+	//If it won't fit in a string, clip it to the max size that does
+    if (nSize > STRING_MAXLEN)
+		nSize = STRING_MAXLEN;
+
+	return nSize;
+}
+
 BOOL PropItem::Read( String& rString, sal_uInt32 nStringType, sal_Bool bAlign )
 {
 	sal_uInt32	i, nItemSize, nType, nItemPos;
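Review bot: `lcl_getMaxSafeStrLen` wraps when it is passed 0: `nSize -= 1` turns 0 into 0xFFFFFFFF, which the clip then converts to STRING_MAXLEN instead of 0. The dictionary hunk further down (its debug message names Section::GetDictionary) can reach it with 0, because an `nSize` of 1 passes `if ( nSize )` and is then halved by `nSize >>= 1` before `String( pWString, lcl_getMaxSafeStrLen(nSize) )`, which would ask for STRING_MAXLEN characters from a one-byte buffer. Guarding the helper closes every call site at once: `if (nSize == 0) return 0;` as its first statement. The two calls in `PropItem::Read` are already behind `> 1` checks, and that function's body continues outside this hunk.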
@@ -111,36 +123,43 @@
 	{
 		case VT_LPSTR :
 		{
-			if ( (sal_uInt16)nItemSize )
+			if ( nItemSize )
 			{
-				sal_Char* pString = new sal_Char[ (sal_uInt16)nItemSize ];
-				if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
-				{
-					nItemSize >>= 1;
-					if ( (sal_uInt16)nItemSize > 1 )
-					{
-						sal_Unicode* pWString = (sal_Unicode*)pString;
-						for ( i = 0; i < (sal_uInt16)nItemSize; i++ )
-							*this >> pWString[ i ];
-						rString = String( pWString, (sal_uInt16)nItemSize - 1 );
-					}
-					else
-						rString = String();
-					bRetValue = sal_True;
-				}
-				else
+				try
 				{
-					SvMemoryStream::Read( pString, (sal_uInt16)nItemSize );
-					if ( pString[ (sal_uInt16)nItemSize - 1 ] == 0 )
+					sal_Char* pString = new sal_Char[ nItemSize ];
+					if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
 					{
-						if ( (sal_uInt16)nItemSize > 1 )
-							rString = String( ByteString( pString ), mnTextEnc );
+						nItemSize >>= 1;
+						if ( nItemSize > 1 )
+						{
+							sal_Unicode* pWString = (sal_Unicode*)pString;
+							for ( i = 0; i < nItemSize; i++ )
+								*this >> pWString[ i ];
+							rString = String( pWString, lcl_getMaxSafeStrLen(nItemSize) );
+						}
 						else
 							rString = String();
 						bRetValue = sal_True;
 					}
+					else
+					{
+						SvMemoryStream::Read( pString, nItemSize );
+						if ( pString[ nItemSize - 1 ] == 0 )
+						{
+							if ( nItemSize > 1 )
+								rString = String( ByteString( pString ), mnTextEnc );
+							else
+								rString = String();
+							bRetValue = sal_True;
+						}
+					}
+					delete[] pString;
+				}
+				catch( const std::bad_alloc& )
+				{
+					DBG_ERROR( "sd PropItem::Read bad alloc" );
 				}
-				delete[] pString;
 			}
 			if ( bAlign )
 				SeekRel( ( 4 - ( nItemSize & 3 ) ) & 3 );		// dword align
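Review bot: The byte-string branch uses the buffer without confirming it was filled: the result of `SvMemoryStream::Read( pString, nItemSize )` is discarded, so on a truncated stream `pString[ nItemSize - 1 ]` and `ByteString( pString )` read uninitialised heap. Checking the count in the same condition fixes it: `if ( SvMemoryStream::Read( pString, nItemSize ) == nItemSize && pString[ nItemSize - 1 ] == 0 )`. With the 16-bit casts gone, `nItemSize` (which appears to come from the file, set above this hunk) is a full 32-bit value, so a small document can request a multi-gigabyte allocation and rely on the `bad_alloc` handler; comparing it with the bytes left in the stream before `new`, as the last hunk of this file does for `nPropSize`, would reject that earlier. `PropItem::Read` starts and ends outside this hunk.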
@@ -151,18 +170,25 @@
 		{
 			if ( nItemSize )
 			{
-				sal_Unicode* pString = new sal_Unicode[ (sal_uInt16)nItemSize ];
-				for ( i = 0; i < (sal_uInt16)nItemSize; i++ )
-					*this >> pString[ i ];
-				if ( pString[ i - 1 ] == 0 )
+				try
 				{
-					if ( (sal_uInt16)nItemSize > 1 )
-						rString = String( pString, (sal_uInt16)nItemSize - 1 );
-					else
-						rString = String();
-					bRetValue = sal_True;
+					sal_Unicode* pString = new sal_Unicode[ nItemSize ];
+					for ( i = 0; i < nItemSize; i++ )
+						*this >> pString[ i ];
+					if ( pString[ i - 1 ] == 0 )
+					{
+						if ( (sal_uInt16)nItemSize > 1 )
+							rString = String( pString, lcl_getMaxSafeStrLen(nItemSize) );
+						else
+							rString = String();
+						bRetValue = sal_True;
+					}
+					delete[] pString;
+				}
+				catch( const std::bad_alloc& )
+				{
+					DBG_ERROR( "sd PropItem::Read bad alloc" );
 				}
-				delete[] pString;
 			}
 			if ( bAlign && ( nItemSize & 1 ) )
 				SeekRel( 2 );							// dword align
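Review bot: One truncating cast survived in the wide-string case: `if ( (sal_uInt16)nItemSize > 1 )` tests only the low 16 bits, so a length such as 0x10000 yields an empty string while the function still reports success. It should read `if ( nItemSize > 1 )`, matching the VT_LPSTR branch. Separately, `new sal_Unicode[ nItemSize ]` multiplies an unclamped 32-bit count by the element size; on a 32-bit build whose compiler does not check that multiplication, the buffer could come out smaller than the loop that fills it, so an upper bound on `nItemSize` before the allocation is worth adding. The enclosing switch case continues outside the hunk.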
@@ -352,24 +378,31 @@
 		for ( sal_uInt32 i = 0; i < nDictCount; i++ )
 		{
 			aStream >> nId >> nSize;
-			if ( (sal_uInt16)nSize )
+			if ( nSize )
 			{
 				String aString;
 				nPos = aStream.Tell();
-				sal_Char* pString = new sal_Char[ (sal_uInt16)nSize ];
-				aStream.Read( pString, (sal_uInt16)nSize );
-				if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
-				{
-					nSize >>= 1;
-					aStream.Seek( nPos );
-					sal_Unicode* pWString = (sal_Unicode*)pString;
-					for ( i = 0; i < (sal_uInt16)nSize; i++ )
-						aStream >> pWString[ i ];
-					aString = String( pWString, (sal_uInt16)nSize - 1 );
+				try
+				{
+					sal_Char* pString = new sal_Char[ nSize ];
+					aStream.Read( pString, nSize );
+					if ( mnTextEnc == RTL_TEXTENCODING_UCS2 )
+					{
+						nSize >>= 1;
+						aStream.Seek( nPos );
+						sal_Unicode* pWString = (sal_Unicode*)pString;
+						for ( i = 0; i < nSize; i++ )
+							aStream >> pWString[ i ];
+						aString = String( pWString, lcl_getMaxSafeStrLen(nSize) );
+					}
+					else
+						aString = String( ByteString( pString, lcl_getMaxSafeStrLen(nSize) ), mnTextEnc );
+					delete[] pString;
+				}
+				catch( const std::bad_alloc& )
+				{
+					DBG_ERROR( "sd Section::GetDictionary bad alloc" );
 				}
-				else
-					aString = String( ByteString( pString, (sal_uInt16)nSize - 1 ), mnTextEnc );
-				delete[] pString;
 				if ( !aString.Len() )
 					break;
 				aDict.AddProperty( nId, aString );
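Review bot: The inner copy loop `for ( i = 0; i < nSize; i++ )` reuses the `i` declared by the enclosing `for ( sal_uInt32 i = 0; i < nDictCount; i++ )`, so after each UCS2 entry the outer counter resumes from `nSize` rather than from the entry index. Now that `nSize` is no longer cut to 16 bits the skew can be much larger, and the number of dictionary entries processed no longer follows `nDictCount`. A separate index keeps the two apart: `for ( sal_uInt32 j = 0; j < nSize; j++ ) aStream >> pWString[ j ];`. The result of `aStream.Read( pString, nSize )` is also discarded, so on a short read the non-UCS2 branch builds its string from uninitialised bytes.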
@@ -503,6 +536,11 @@
 			}
 			if ( nPropSize )
 			{
+				if ( nPropSize > nStrmSize )
+				{
+					nPropCount = 0;
+					break;
+				}
 				pStrm->Seek( nPropOfs + nSecOfs );
 				sal_uInt8* pBuf = new sal_uInt8[ nPropSize ];
 				pStrm->Read( pBuf, nPropSize );
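Review bot: The new bound `nPropSize > nStrmSize` compares against the whole stream rather than what remains after `pStrm->Seek( nPropOfs + nSecOfs )`. Assuming `nStrmSize` is the total length (it is set outside this hunk), a property placed near the end can still claim more bytes than exist. The result of `pStrm->Read( pBuf, nPropSize )` is not checked either, which leaves the tail of `pBuf` uninitialised in that case. Comparing the return value with `nPropSize` and abandoning the section on a short read covers both: `if ( pStrm->Read( pBuf, nPropSize ) != nPropSize ) { delete[] pBuf; nPropCount = 0; break; }`. The surrounding loop starts and ends outside the hunk.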
diff -r 5b1ceed28385 tools/source/generic/poly.cxx
--- a/tools/source/generic/poly.cxx	Fri Aug 06 14:53:07 2010 +0200
+++ b/tools/source/generic/poly.cxx	Mon Aug 09 14:04:21 2010 +0200
@@ -246,6 +246,11 @@
 void ImplPolygon::ImplSplit( USHORT nPos, USHORT nSpace, ImplPolygon* pInitPoly )
 {
 	const ULONG 	nSpaceSize = nSpace * sizeof( Point );
+
+	//Can't fit this in :-(, throw ?
+	if (mnPoints + nSpace > USHRT_MAX)
+		return;
+
 	const USHORT	nNewSize = mnPoints + nSpace;
 
 	if( nPos >= mnPoints )
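Review bot: The overflow guard in `ImplSplit` returns without any signal, and the function is `void`, so a caller that goes on to store points into the gap it asked for cannot tell that the array was not enlarged. The callers are outside this hunk, so whether they write afterwards cannot be confirmed here, but the open question in the comment (`throw ?`) should be settled rather than left in place. At minimum the contract should be stated where the guard is, for example `// On overflow the polygon is left unchanged; callers must re-check mnPoints before writing into the gap.`, and each caller audited against it. The function body continues past the end of the hunk.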