liborcus/0001-Prevent-infinite-loop-in-case-the-magic-number-is-no.patch.1 | 27 +++++++ liborcus/0002-throw-an-exception-instead-of-asserting-on-invalid-i.patch.1 | 30 ++++++++ liborcus/0003-protect-the-self-closing-xml-element-code-against-se.patch.1 | 35 ++++++++++ liborcus/UnpackedTarball_liborcus.mk | 5 + 4 files changed, 97 insertions(+)
New commits: commit 4a9fed87350422091c04e4dd7283d024040126eb Author: Thorsten Behrens <[email protected]> AuthorDate: Fri Aug 17 15:36:07 2018 +0200 Commit: Thorsten Behrens <[email protected]> CommitDate: Fri Aug 17 15:36:07 2018 +0200 liborcus: backport fixes from upstream Since we're stuck functionally to the 0.5.x version here, backport relevant fixes from the upstream project Change-Id: I1531682ec3ec7a22d4cf721fc7bf85a57073ca8e
diff --git a/liborcus/0001-Prevent-infinite-loop-in-case-the-magic-number-is-no.patch.1 b/liborcus/0001-Prevent-infinite-loop-in-case-the-magic-number-is-no.patch.1
new file mode 100644
index 000000000000..9b18008ba959
--- /dev/null
+++ b/liborcus/0001-Prevent-infinite-loop-in-case-the-magic-number-is-no.patch.1
@@ -0,0 +1,27 @@
+From 8c8cdc53438a46d6f0c889b987353ec82cbe0ea2 Mon Sep 17 00:00:00 2001
+From: Kohei Yoshida <[email protected]>
+Date: Sun, 1 Sep 2013 22:28:35 -0400
+Subject: [PATCH 1/3] Prevent infinite loop in case the magic number is not
+ found.
+
+(cherry picked from commit b554e16c154b6bf9e64ecc883e134cf5c2301b6f)
+---
+ src/parser/zip_archive.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/parser/zip_archive.cpp b/src/parser/zip_archive.cpp
+index e244908b..2e4f5885 100644
+--- a/src/parser/zip_archive.cpp
++++ b/src/parser/zip_archive.cpp
+@@ -529,7 +529,7 @@ size_t zip_archive_impl::seek_central_dir()
+ // Read stream backward and try to find the magic number.
+
+ size_t read_end_pos = m_stream_size;
+- while (true)
++ while (read_end_pos)
+ {
+ if (read_end_pos < buf.size())
+ // Last segment to read.
+--
+2.13.7
+
diff --git a/liborcus/0002-throw-an-exception-instead-of-asserting-on-invalid-i.patch.1 b/liborcus/0002-throw-an-exception-instead-of-asserting-on-invalid-i.patch.1
new file mode 100644
index 000000000000..dca4d5fe1ff5
--- /dev/null
+++ b/liborcus/0002-throw-an-exception-instead-of-asserting-on-invalid-i.patch.1
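Review bot: The exit path of the bounded loop in `seek_central_dir()` is not visible in this hunk and needs checking: once `while (read_end_pos)` falls through with `read_end_pos == 0`, the function must report "central directory not found" as an error rather than return a position that callers then use as an offset. The archive is untrusted input, so a truncated or non-zip stream has to end in the parser's error type, not in a read at a bogus offset. It would also help to say why the condition terminates, e.g. `// read_end_pos reaches 0 once the whole stream has been scanned without a match`. The loop body and the code after it lie outside the hunk, so both points are to be confirmed against the full function.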
@@ -0,0 +1,30 @@
+From 704dc974685d0c4c7fe41c1551078a2208ba07bd Mon Sep 17 00:00:00 2001
+From: Markus Mohrhard <[email protected]>
+Date: Fri, 23 Dec 2016 01:37:45 +0100
+Subject: [PATCH 2/3] throw an exception instead of asserting on invalid input
+
+This was found by afl.
+
+(cherry picked from commit 43805da3c4168ff24b0e6b82041fbe58dc8b4e6d)
+---
+ include/orcus/csv_parser.hpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/include/orcus/csv_parser.hpp b/include/orcus/csv_parser.hpp
+index 3f80da0e..271f0248 100644
+--- a/include/orcus/csv_parser.hpp
++++ b/include/orcus/csv_parser.hpp
+@@ -192,7 +192,9 @@ void csv_parser<_Handler>::row()
+ return;
+ }
+
+- assert(is_delim(c));
++ if (is_delim(c))
++ throw csv_parse_error("expected a delimiter");
++
+ next();
+
+ if (m_config.trim_cell_value)
+--
+2.13.7
+
diff --git a/liborcus/0003-protect-the-self-closing-xml-element-code-against-se.patch.1 b/liborcus/0003-protect-the-self-closing-xml-element-code-against-se.patch.1
new file mode 100644
index 000000000000..818c01d369cc
--- /dev/null
+++ b/liborcus/0003-protect-the-self-closing-xml-element-code-against-se.patch.1
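Review bot: The condition that replaces the assert in `csv_parser<_Handler>::row()` is inverted. The removed `assert(is_delim(c))` required a delimiter at this point, whereas the added `if (is_delim(c)) throw csv_parse_error("expected a delimiter");` throws exactly when one is present. As written, a well-formed row with more than one cell would be rejected, while the malformed input the fuzzer found still falls through to `next()`. The check should read `if (!is_delim(c))`. It is worth comparing with upstream commit 43805da3c4168ff24b0e6b82041fbe58dc8b4e6d to see whether the inversion came from upstream or from the backport.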
@@ -0,0 +1,35 @@
+From 1dcaea9757edd06e0293c4abeea49884e70f09c5 Mon Sep 17 00:00:00 2001
+From: Markus Mohrhard <[email protected]>
+Date: Wed, 21 Feb 2018 00:29:03 +0100
+Subject: [PATCH 3/3] protect the self-closing xml element code against
+ self-closing root elements
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Found by Antti Levomäki and Christian Jalio from Forcepoint.
+
+(cherry picked from commit 12e5d89cbd7101c61fbdf063322203a1590a0ef5)
+
+Conflicts:
+ include/orcus/sax_parser.hpp
+---
+ include/orcus/sax_parser.hpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/orcus/sax_parser.hpp b/include/orcus/sax_parser.hpp
+index aa74364e..53c33490 100644
+--- a/include/orcus/sax_parser.hpp
++++ b/include/orcus/sax_parser.hpp
+@@ -312,6 +312,8 @@ void sax_parser<_Handler>::element_open(const char* begin_pos)
+ elem.end_pos = m_char;
+ m_handler.start_element(elem);
+ m_handler.end_element(elem);
++ if (!m_nest_level)
++ m_root_elem_open = false;
+ return;
+ }
+ else if (c == '>')
+--
+2.13.7
+
diff --git a/liborcus/UnpackedTarball_liborcus.mk b/liborcus/UnpackedTarball_liborcus.mk
index 062999d2f92c..5f8412bea230 100644
--- a/liborcus/UnpackedTarball_liborcus.mk
+++ b/liborcus/UnpackedTarball_liborcus.mk
@@ -24,6 +24,11 @@ liborcus_patches += liborcus_0.1.0-dllimport.patch # fdo#63844 liborcus_patches += liborcus-handle-invalid-xml.patch.1
+# backports
+liborcus_patches += 0001-Prevent-infinite-loop-in-case-the-magic-number-is-no.patch.1
+liborcus_patches += 0002-throw-an-exception-instead-of-asserting-on-invalid-i.patch.1
+liborcus_patches += 0003-protect-the-self-closing-xml-element-code-against-se.patch.1
+ ifeq ($(OS),MACOSX) # no "tac" command on OS X, but "tail -r" liborcus_patches += liborcus_0.1.0-tac.patch _______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
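Review bot: The two lines added to the self-closing branch of `sax_parser<_Handler>::element_open()` carry no comment, and they fix a parser-state bug reported by outside researchers, so the intent should be written down. Something like `// a self-closing root element closes the document root as soon as it is opened` above `if (!m_nest_level)` would do. The fix assumes `m_nest_level` is still zero here for a root element, i.e. that this branch never increments it; that is not visible in the hunk and should be confirmed. A regression test that parses a document whose root element is self-closing and is followed by further content would keep the state handling from regressing. The function starts and ends outside the hunk.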
