do not access vector elements beyond size, rhbz#847519 related

2013-02-20 00:08:07 +01:00 · 2013-02-20 00:08:07 +01:00 · 15a37413b4
commit 15a37413b4
parent 60d4293e8e
2 changed files with 85 additions and 1 deletions
--- a/0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch
+++ b/0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch
@ -0,0 +1,79 @@
+From e34b40bcd923027a26540e1a215c155ed0753472 Mon Sep 17 00:00:00 2001
+Message-Id: <e34b40bcd923027a26540e1a215c155ed0753472.1361313167.git.erack@redhat.com>
+From: Eike Rathke <erack@redhat.com>
+Date: Tue, 19 Feb 2013 19:22:27 +0100
+Subject: [PATCH] do not access vector elements beyond size, rhbz#847519
+ related
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="------------erAck-patch-parts"
+
+This is a multi-part message in MIME format.
+--------------erAck-patch-parts
+Content-Type: text/plain; charset=UTF-8; format=fixed
+Content-Transfer-Encoding: 8bit
+
+
+The actual bug (crash) is not triggered anymore because the categories
+are assembled differently, nevertheless the code in question could
+expose the same behavior under different preconditions.
+
+Change-Id: Ic37f6b34effaf4e5252e80aab46b021547b36efb
+(cherry picked from commit d1ba2cd612a4c39976e2980c7dc4e3fa38c88470)
+---
+ chart2/source/tools/ExplicitCategoriesProvider.cxx |   24 ++++++++++++-------
+ 1 files changed, 15 insertions(+), 9 deletions(-)
+
+
+--------------erAck-patch-parts
+Content-Type: text/x-patch; name="0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch"
+Content-Transfer-Encoding: 8bit
+Content-Disposition: attachment; filename="0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch"
+
+diff --git a/chart2/source/tools/ExplicitCategoriesProvider.cxx b/chart2/source/tools/ExplicitCategoriesProvider.cxx
+index e3d800f..00b481c 100644
+--- a/chart2/source/tools/ExplicitCategoriesProvider.cxx
+++ b/chart2/source/tools/ExplicitCategoriesProvider.cxx
+@@ -353,11 +353,14 @@ Sequence< OUString > lcl_getExplicitSimpleCategories(
+         }
+         for( aOuterIt=rComplexCats.begin(); aOuterIt != aOuterEnd; ++aOuterIt )
+         {
+-            sal_Int32 nCurrentCount = lcl_getCategoryCount( *aOuterIt );
+-            if( nCurrentCount< nMaxCategoryCount )
+            if ( !aOuterIt->empty() )
+             {
+-                ComplexCategory& rComplexCategory = aOuterIt->back();
+-                rComplexCategory.Count += (nMaxCategoryCount-nCurrentCount);
+                sal_Int32 nCurrentCount = lcl_getCategoryCount( *aOuterIt );
+                if( nCurrentCount< nMaxCategoryCount )
+                {
+                    ComplexCategory& rComplexCategory = aOuterIt->back();
+                    rComplexCategory.Count += (nMaxCategoryCount-nCurrentCount);
+                }
+             }
+         }
+     }
+@@ -389,12 +392,15 @@ Sequence< OUString > lcl_getExplicitSimpleCategories(
+             OUString aText;
+             for( aOuterIt=aComplexCatsPerIndex.begin() ; aOuterIt != aOuterEnd; ++aOuterIt )
+             {
+-                OUString aAddText = (*aOuterIt)[nN].Text;
+-                if( !aAddText.isEmpty() )
+                if ( static_cast<size_t>(nN) < aOuterIt->size() )
+                 {
+-                    if(!aText.isEmpty())
+-                        aText += aSpace;
+-                    aText += aAddText;
+                    OUString aAddText = (*aOuterIt)[nN].Text;
+                    if( !aAddText.isEmpty() )
+                    {
+                        if(!aText.isEmpty())
+                            aText += aSpace;
+                        aText += aAddText;
+                    }
+                 }
+             }
+             aRet[nN]=aText;
+
+--------------erAck-patch-parts--
+
+
--- a/libreoffice.spec
+++ b/libreoffice.spec
@ -47,7 +47,7 @@ Summary:        Free Software Productivity Suite
 Name:           libreoffice
 Epoch:          1
 Version:        %{libo_version}.3
-Release:        7%{?libo_prerelease}%{?dist}
+Release:        8%{?libo_prerelease}%{?dist}
 License:        (MPLv1.1 or LGPLv3+) and LGPLv3 and LGPLv2+ and BSD and (MPLv1.1 or GPLv2 or LGPLv2 or Netscape) and Public Domain and ASL 2.0 and Artistic and MPLv2.0
 Group:          Applications/Productivity
 URL:            http://www.documentfoundation.org/develop
@ -263,6 +263,7 @@ Patch23: 0001-Work-around-problem-with-boost-shared_array-NULL-cto.patch
 Patch24: 0001-fix-compile-for-change-to-boost-1.53.0-declaring-sma.patch
 Patch25: 0001-fdo-60491-scp2-always-package-emboleobj-library-on-n.patch
 Patch26: 0001-Resolves-rhbz-895196-sc-filter-float-a11y-parent-of-.patch
+Patch27: 0001-do-not-access-vector-elements-beyond-size-rhbz-84751.patch

 %define instdir %{_libdir}
 %define baseinstdir %{instdir}/libreoffice
@ -1012,6 +1013,7 @@ mv -f redhat.soc extras/source/palettes/standard.soc
 %patch24 -p1 -b .fix-compile-for-change-to-boost-1.53.0-declaring-sma.patch
 %patch25 -p1 -b .fdo-60491-scp2-always-package-emboleobj-library-on-n.patch
 %patch26 -p1 -b .rhbz-895196-sc-filter-float-a11y-parent-of-.patch
+%patch27 -p1 -b .do-not-access-vector-elements-beyond-size-rhbz-84751.patch

 # TODO: check this
 # these are horribly incomplete--empty translations and copied english
@ -2079,6 +2081,9 @@ update-desktop-database %{_datadir}/applications &> /dev/null || :
 %endif

 %changelog
+* Wed Feb 20 2013 Eike Rathke <erack@redhat.com> - 1:4.0.0.3-8-UNBUILT
+- do not access vector elements beyond size, rhbz#847519 related
+
 * Tue Feb 19 2013 Caolán McNamara <caolanm@redhat.com> - 1:4.0.0.3-7
 - Resolves: rhbz#895196 sc filter float a11y parent of itself