configure.ac | 2 cppcanvas/source/mtfrenderer/emfplus.cxx | 2 download.lst | 4 external/nss/UnpackedTarball_nss.mk | 3 external/nss/clang-cl.patch.0 | 14 external/nss/nss-chromium-nss-static.patch | 487 -- external/nss/nss-more-static.patch | 39 external/nss/nss.fix-freebl-add-lcc-support.patch.1 | 11 external/nss/nss.patch | 13 filter/source/msfilter/msdffimp.cxx | 32 filter/source/xsltfilter/OleHandler.cxx | 2 include/sfx2/objsh.hxx | 2 oox/source/drawingml/shapecontext.cxx | 4 oox/source/shape/WpsContext.cxx | 13 oox/source/vml/vmlshape.cxx | 3 sc/source/core/data/column3.cxx | 2 sc/source/core/data/document.cxx | 2 sc/source/filter/xml/XMLTableShapeImportHelper.cxx | 2 sc/source/ui/docshell/externalrefmgr.cxx | 53 scripting/source/protocolhandler/scripthandler.cxx | 9 scripting/source/pyprov/pythonscript.py | 16 sd/source/filter/ppt/pptin.cxx | 2 sd/source/ui/slidesorter/controller/SlsInsertionIndicatorHandler.cxx | 5 sfx2/source/doc/objmisc.cxx | 55 sfx2/source/notify/eventsupplier.cxx | 18 starmath/source/mathtype.cxx | 4 svl/source/numbers/zformat.cxx | 4 svx/source/svdraw/svdopath.cxx | 3 sw/inc/anchoredobject.hxx | 1 sw/qa/core/data/odt/fail/forcepoint-xstor-1.odt |binary sw/qa/core/data/ooxml/fail/ofz9934-1.docx |binary sw/qa/core/data/rtf/fail/forcepoint-4.rtf | 1779 ++++++++++ sw/qa/core/data/ww8/fail/forcepoint-44.doc |binary sw/qa/core/data/ww8/indeterminate/ofz7322-1.doc |binary sw/qa/core/data/ww8/pass/forcepoint-layout-1.doc |binary sw/qa/extras/uiwriter/data/tdf114536.odt |binary sw/qa/extras/uiwriter/uiwriter.cxx | 9 sw/source/core/doc/DocumentRedlineManager.cxx | 4 sw/source/core/doc/docbm.cxx | 9 sw/source/core/inc/layouter.hxx | 4 sw/source/core/layout/anchoredobject.cxx | 9 sw/source/core/layout/flowfrm.cxx | 4 sw/source/core/layout/fly.cxx | 3 sw/source/core/layout/layouter.cxx | 15 sw/source/core/layout/objstmpconsiderwrapinfl.cxx | 27 sw/source/core/layout/objstmpconsiderwrapinfl.hxx | 1 sw/source/core/layout/pagechg.cxx | 2 sw/source/core/layout/ssfrm.cxx | 5 sw/source/core/layout/trvlfrm.cxx | 8 sw/source/core/text/itrform2.cxx | 13 sw/source/core/unocore/unostyle.cxx | 3 sw/source/filter/ww8/ww8graf.cxx | 13 sw/source/filter/ww8/ww8par.cxx | 3 vcl/headless/svpgdi.cxx | 15 vcl/inc/regionband.hxx | 3 vcl/source/gdi/region.cxx | 8 vcl/source/gdi/regionband.cxx | 27 writerfilter/source/dmapper/DomainMapperTableHandler.cxx | 7 writerfilter/source/dmapper/DomainMapper_Impl.cxx | 28 writerfilter/source/ooxml/OOXMLDocumentImpl.cxx | 6 writerfilter/source/ooxml/OOXMLStreamImpl.cxx | 20 writerfilter/source/rtftok/rtfsdrimport.cxx | 2 xmlsecurity/source/helper/xmlsignaturehelper.cxx | 30 63 files changed, 2180 insertions(+), 684 deletions(-)
New commits: commit b49a932aa80849f62b0c215ac09b304a6ad4d9a0 Author: Andras Timar <[email protected]> AuthorDate: Thu Aug 22 16:32:18 2019 +0200 Commit: Andras Timar <[email protected]> CommitDate: Fri Aug 23 14:56:32 2019 +0200 build fix Change-Id: Iecb4be601fe1cb4d3774795be66a1a0f8c33ca3b diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx index 97aa5f8262e0..809ff89a01d9 100644 --- a/sw/source/filter/ww8/ww8par.cxx +++ b/sw/source/filter/ww8/ww8par.cxx @@ -5490,8 +5490,8 @@ sal_uLong SwWW8ImplReader::CoreLoad(WW8Glossary *pGloss) UpdateFields(); - m_xWFlyPara.reset(); - m_xSFlyPara.reset(); + DELETEZ(m_pWFlyPara); + DELETEZ(m_pSFlyPara); // delete the pam before the call for hide all redlines (Bug 73683) if (m_bNewDoc) commit f717b73d129aaa6a602fdccc6f32952ae7065caf Author: Andras Timar <[email protected]> AuthorDate: Thu Aug 22 16:04:27 2019 +0200 Commit: Andras Timar <[email protected]> CommitDate: Fri Aug 23 14:56:27 2019 +0200 build fix Change-Id: I82ae070fd1597fcdeae420b28f506347eb47b005 diff --git a/writerfilter/source/ooxml/OOXMLStreamImpl.cxx b/writerfilter/source/ooxml/OOXMLStreamImpl.cxx index 3398c216093f..0ee4e73dd7f2 100644 --- a/writerfilter/source/ooxml/OOXMLStreamImpl.cxx +++ b/writerfilter/source/ooxml/OOXMLStreamImpl.cxx @@ -319,7 +319,7 @@ bool OOXMLStreamImpl::lcl_getTarget(const uno::Reference<embed::XRelationshipAcc // simple string concatination here to handle that. uno::Reference<uri::XUriReference> xPart = xFac->parse(sMyTarget); uno::Reference<uri::XUriReference> xAbs = xFac->makeAbsolute(xBase, xPart, true, uri::RelativeUriExcessParentSegments_RETAIN); - if (!xAbs) + if (!xAbs.is()) { //it was invalid gibberish bFound = false; commit 43be4d2034b0fb5e881a044af88f61586df469c1 Author: Caolán McNamara <[email protected]> AuthorDate: Sun Nov 26 20:45:10 2017 +0000 Commit: Andras Timar <[email protected]> CommitDate: Fri Aug 23 14:56:22 2019 +0200 ofz#4436 check if seek succeeded Change-Id: I56d9692647b28c706b56ccacf08d494b3d830d94 Reviewed-on: https://gerrit.libreoffice.org/45296 Tested-by: Jenkins <[email protected]> Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 765ff606426251f90aff5d1fc89f01ed7594ed59) diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx index 93f40cbbb6b1..fea172a4c20d 100644 --- a/filter/source/msfilter/msdffimp.cxx +++ b/filter/source/msfilter/msdffimp.cxx @@ -6046,7 +6046,10 @@ bool SvxMSDffManager::GetShapeGroupContainerData( SvStream& rSt, return false; } else - rSt.SeekRel( nLength ); + { + if (!checkSeek(rSt, rSt.Tell() + nLength)) + return false; + } nReadSpGrCont += nLength; } while( nReadSpGrCont < nLenShapeGroupCont ); diff --git a/sd/source/filter/ppt/pptin.cxx b/sd/source/filter/ppt/pptin.cxx index 81d0e8044faa..69825ed88f3a 100644 --- a/sd/source/filter/ppt/pptin.cxx +++ b/sd/source/filter/ppt/pptin.cxx @@ -854,7 +854,7 @@ bool ImplSdPPTImport::Import() bool bSuccess = aHd.SeekToEndOfRecord(rStCtrl); if (!bSuccess) { - SAL_WARN("filter.ms", "Count not seek to end of record"); + SAL_WARN("filter.ms", "Could not seek to end of record"); break; } } commit 611a73229bcd472cea132cc93811885c25b09426 Author: Caolán McNamara <[email protected]> AuthorDate: Sat Apr 8 20:31:35 2017 +0100 Commit: Andras Timar <[email protected]> CommitDate: Fri Aug 23 14:56:17 2019 +0200 limit symbol visibility Change-Id: I54d5fbe1cd9d5ae94cb134f08fc00593c802ebee (cherry picked from commit 79890a6d1bccbba8c40e42566c3d437d7a1aaace) diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx index 5e873f8a6147..93f40cbbb6b1 100644 --- a/filter/source/msfilter/msdffimp.cxx +++ b/filter/source/msfilter/msdffimp.cxx @@ -222,10 +222,13 @@ DffPropertyReader::DffPropertyReader( const SvxMSDffManager& rMan ) InitializePropSet( DFF_msofbtOPT ); } -bool checkSeek(SvStream &rSt, sal_uInt32 nOffset) +namespace { - const sal_uInt64 nMaxSeek(rSt.Tell() + rSt.remainingSize()); - return (nOffset <= nMaxSeek && rSt.Seek(nOffset) == nOffset); + bool checkSeek(SvStream &rSt, sal_uInt32 nOffset) + { + const sal_uInt64 nMaxSeek(rSt.Tell() + rSt.remainingSize()); + return (nOffset <= nMaxSeek && rSt.Seek(nOffset) == nOffset); + } } void DffPropertyReader::SetDefaultPropSet( SvStream& rStCtrl, sal_uInt32 nOffsDgg ) const commit d106bf03605f1a253edefb52e96f3256567cf4e1 Author: Caolán McNamara <[email protected]> AuthorDate: Fri Apr 7 20:49:52 2017 +0100 Commit: Andras Timar <[email protected]> CommitDate: Fri Aug 23 14:56:11 2019 +0200 check escher seeks Change-Id: I4cb523e8654defa25e75ebd54f1e125ea02e1cf9 Reviewed-on: https://gerrit.libreoffice.org/36281 Tested-by: Jenkins <[email protected]> Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> (cherry picked from commit a1147a34d85742fd5d9410efac6fc59ac2fd1574) diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx index a7c6a5a2860a..5e873f8a6147 100644 --- a/filter/source/msfilter/msdffimp.cxx +++ b/filter/source/msfilter/msdffimp.cxx @@ -222,13 +222,20 @@ DffPropertyReader::DffPropertyReader( const SvxMSDffManager& rMan ) InitializePropSet( DFF_msofbtOPT ); } +bool checkSeek(SvStream &rSt, sal_uInt32 nOffset) +{ + const sal_uInt64 nMaxSeek(rSt.Tell() + rSt.remainingSize()); + return (nOffset <= nMaxSeek && rSt.Seek(nOffset) == nOffset); +} + void DffPropertyReader::SetDefaultPropSet( SvStream& rStCtrl, sal_uInt32 nOffsDgg ) const { delete pDefaultPropSet; sal_uInt32 nMerk = rStCtrl.Tell(); - rStCtrl.Seek( nOffsDgg ); + bool bOk = checkSeek(rStCtrl, nOffsDgg); DffRecordHeader aRecHd; - bool bOk = ReadDffRecordHeader( rStCtrl, aRecHd ); + if (bOk) + bOk = ReadDffRecordHeader( rStCtrl, aRecHd ); if (bOk && aRecHd.nRecType == DFF_msofbtDggContainer) { if ( SvxMSDffManager::SeekToRec( rStCtrl, DFF_msofbtOPT, aRecHd.GetRecEndFilePos() ) ) @@ -5839,13 +5846,10 @@ void SvxMSDffManager::CheckTxBxStoryChain() and remembering the File-Offsets for each Blip ============ ******************************************************************************/ -void SvxMSDffManager::GetCtrlData( sal_uInt32 nOffsDgg_ ) +void SvxMSDffManager::GetCtrlData(sal_uInt32 nOffsDggL) { - // absolutely remember Start Offset, in case we have to position again - sal_uInt32 nOffsDggL = nOffsDgg_; - // position control stream - if (nOffsDggL != rStCtrl.Seek(nOffsDggL)) + if (!checkSeek(rStCtrl, nOffsDggL)) return; sal_uInt8 nVer; commit 852eb3a46c1f8ad67c39e88fae399cc39e70fa65 Author: Andras Timar <[email protected]> AuthorDate: Thu Aug 22 15:31:45 2019 +0200 Commit: Andras Timar <[email protected]> CommitDate: Fri Aug 23 14:56:04 2019 +0200 build fix Change-Id: Ic0be0c6fd0d498b3f0512461480f166ad3f7b5f8 diff --git a/filter/source/xsltfilter/OleHandler.cxx b/filter/source/xsltfilter/OleHandler.cxx index 057b69ada620..807a8a04fed1 100644 --- a/filter/source/xsltfilter/OleHandler.cxx +++ b/filter/source/xsltfilter/OleHandler.cxx @@ -97,7 +97,7 @@ namespace XSLT OString SAL_CALL OleHandler::encodeSubStorage(const OUString& streamName) { - if (!m_storage || !m_storage->hasByName(streamName)) + if (!m_storage.is() || !m_storage->hasByName(streamName)) { return "Not Found:";// + streamName; } commit a46ff48f8ac755eee75f2f3a4b80b41a4f87cb7d Author: Andras Timar <[email protected]> AuthorDate: Thu Aug 22 14:00:34 2019 +0200 Commit: Andras Timar <[email protected]> CommitDate: Fri Aug 23 14:55:58 2019 +0200 Bump version to 5.3-66 Change-Id: Ibd4ee1aba3c4c48d9d8c12897331404a2790b9eb diff --git a/configure.ac b/configure.ac index ea348d28215f..da84e3505b29 100644 --- a/configure.ac +++ b/configure.ac @@ -9,7 +9,7 @@ dnl in order to create a configure script. # several non-alphanumeric characters, those are split off and used only for the # ABOUTBOXPRODUCTVERSIONSUFFIX in openoffice.lst. Why that is necessary, no idea. -AC_INIT([Collabora Office],[5.3.10.65],[],[],[https://collaboraoffice.com/]) +AC_INIT([Collabora Office],[5.3.10.66],[],[],[https://collaboraoffice.com/]) AC_PREREQ([2.59]) commit 02d2ea93fb5b5fd769c059cf378dcb3c6a3e08a6 Author: Caolán McNamara <[email protected]> AuthorDate: Mon Aug 12 20:32:54 2019 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:25:28 2019 +0200 construct final url from parsed output Change-Id: Ifd733625a439685ad307603eb2b00bf463eb9ca9 Reviewed-on: https://gerrit.libreoffice.org/77373 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <[email protected]> (cherry picked from commit 87959e5deea6d33cd35dbb3b8423056f9566710e) Reviewed-on: https://gerrit.libreoffice.org/77377 (cherry picked from commit c03acb9b8a97254cfcf7c45ef920b93b7f1dd344) diff --git a/scripting/source/pyprov/pythonscript.py b/scripting/source/pyprov/pythonscript.py index 48f5bd8fee15..19ad74a9d601 100644 --- a/scripting/source/pyprov/pythonscript.py +++ b/scripting/source/pyprov/pythonscript.py @@ -224,7 +224,13 @@ class MyUriHelper: sStorageUri = sStorageUri.replace( "|", "/" ) # path to the .py file, relative to the base - sFileUri = sStorageUri[0:sStorageUri.find("$")] + funcNameStart = sStorageUri.find("$") + if funcNameStart != -1: + sFileUri = sStorageUri[0:funcNameStart] + sFuncName = sStorageUri[funcNameStart+1:] + else: + sFileUri = sStorageUri + xFileUri = self.m_uriRefFac.parse(sFileUri) if not xFileUri: message = "pythonscript: invalid relative uri '" + sFileUri+ "'" @@ -241,7 +247,9 @@ class MyUriHelper: log.debug( message ) raise RuntimeException( message ) - ret = sBaseUri + sStorageUri + ret = sAbsScriptUri + if funcNameStart != -1: + ret = ret + "$" + sFuncName log.debug( "converting scriptURI="+scriptURI + " to storageURI=" + ret ) return ret except UnoException as e: commit 9a2d189a420d4d040b7f1e4aed42a5c9c7b47fb6 Author: Caolán McNamara <[email protected]> AuthorDate: Wed Aug 7 12:58:01 2019 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:25:19 2019 +0200 expand pyuno path separators Change-Id: Ic97649ed6d4be595b308922c7bdc880cbb60b239 Reviewed-on: https://gerrit.libreoffice.org/77102 Reviewed-by: Michael Stahl <[email protected]> Tested-by: Jenkins Reviewed-by: Stephan Bergmann <[email protected]> (cherry picked from commit 75903a0298218f89a199a5ac151ee0166f4469d7) diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx index ecf8bfddefa2..e9d693859a76 100644 --- a/sfx2/source/doc/objmisc.cxx +++ b/sfx2/source/doc/objmisc.cxx @@ -1443,7 +1443,8 @@ bool SfxObjectShell::UnTrustedScript(const OUString& rScriptURL) if (!sfUri.is()) return false; - OUString sScript = sfUri->getName(); + // pyuno encodes path separator as | + OUString sScript = sfUri->getName().replace('|', '/'); // check if any path portion matches LibreLogo and ban it if it does sal_Int32 nIndex = 0; commit a954c583d5dd14775dfb548096ab8a5e6d81bd57 Author: Stephan Bergmann <[email protected]> AuthorDate: Tue Aug 6 13:29:22 2019 +0200 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:24:59 2019 +0200 Properly obtain location Reviewed-on: https://gerrit.libreoffice.org/77019 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <[email protected]> (cherry picked from commit a9cde2557242a0c343d99533f3ee032599c66f42) Reviewed-on: https://gerrit.libreoffice.org/77023 Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> (cherry picked from commit 28c6af3ddc283ca9c5712359a9abcb385c1575b4) Change-Id: I9fb0d883a3623394343cd54ef61e5610544198c8 diff --git a/scripting/source/protocolhandler/scripthandler.cxx b/scripting/source/protocolhandler/scripthandler.cxx index 3f17347aa9ca..53cdad9d738c 100644 --- a/scripting/source/protocolhandler/scripthandler.cxx +++ b/scripting/source/protocolhandler/scripthandler.cxx @@ -51,6 +51,7 @@ #include "com/sun/star/uri/XUriReference.hpp" #include "com/sun/star/uri/UriReferenceFactory.hpp" #include "com/sun/star/uri/XVndSunStarScriptUrl.hpp" +#include <com/sun/star/uri/XVndSunStarScriptUrlReference.hpp> #include <memory> @@ -146,8 +147,12 @@ void SAL_CALL ScriptProtocolHandler::dispatchWithNotification( { try { - bool bIsDocumentScript = ( aURL.Complete.indexOf( "document" ) !=-1 ); - // TODO: isn't this somewhat strange? This should be a test for a location=document parameter, shouldn't it? + css::uno::Reference<css::uri::XUriReferenceFactory> urifac( + css::uri::UriReferenceFactory::create(m_xContext)); + css::uno::Reference<css::uri::XVndSunStarScriptUrlReference> uri( + urifac->parse(aURL.Complete), css::uno::UNO_QUERY_THROW); + auto const loc = uri->getParameter("location"); + bool bIsDocumentScript = loc == "document"; if ( bIsDocumentScript ) { diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx index 4af9bf24f2da..ecf8bfddefa2 100644 --- a/sfx2/source/doc/objmisc.cxx +++ b/sfx2/source/doc/objmisc.cxx @@ -1466,19 +1466,22 @@ ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptCon OSL_TRACE( "in CallXScript" ); ErrCode nErr = ERRCODE_NONE; - bool bIsDocumentScript = ( _rScriptURL.indexOf( "location=document" ) >= 0 ); - // TODO: we should parse the URL, and check whether there is a parameter with this name. - // Otherwise, we might find too much. - if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) ) - return ERRCODE_IO_ACCESSDENIED; - - if ( UnTrustedScript(_rScriptURL) ) - return ERRCODE_IO_ACCESSDENIED; - bool bCaughtException = false; Any aException; try { + css::uno::Reference<css::uri::XUriReferenceFactory> urifac( + css::uri::UriReferenceFactory::create(comphelper::getProcessComponentContext())); + css::uno::Reference<css::uri::XVndSunStarScriptUrlReference> uri( + urifac->parse(_rScriptURL), css::uno::UNO_QUERY_THROW); + auto const loc = uri->getParameter("location"); + bool bIsDocumentScript = loc == "document"; + if ( bIsDocumentScript && !lcl_isScriptAccessAllowed_nothrow( _rxScriptContext ) ) + return ERRCODE_IO_ACCESSDENIED; + + if ( UnTrustedScript(_rScriptURL) ) + return ERRCODE_IO_ACCESSDENIED; + // obtain/create a script provider Reference< provider::XScriptProvider > xScriptProvider; Reference< provider::XScriptProviderSupplier > xSPS( _rxScriptContext, UNO_QUERY ); commit 2a64360f9ebffcd4295001ae20a8591bc3b96106 Author: Stephan Bergmann <[email protected]> AuthorDate: Sat Aug 3 16:37:48 2019 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:24:22 2019 +0200 keep name percent-encoded Change-Id: I470c4b24192c3e3c9b556a9bbb3b084359e0033b Reviewed-on: https://gerrit.libreoffice.org/77006 Tested-by: Jenkins Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> (cherry picked from commit 315c51731384230194af26b86a976bf5d06c9dcc) diff --git a/scripting/source/pyprov/pythonscript.py b/scripting/source/pyprov/pythonscript.py index d96a7afcba6f..48f5bd8fee15 100644 --- a/scripting/source/pyprov/pythonscript.py +++ b/scripting/source/pyprov/pythonscript.py @@ -219,7 +219,9 @@ class MyUriHelper: # path to the .py file + "$functionname, arguments, etc xStorageUri = self.m_uriRefFac.parse(scriptURI) - sStorageUri = xStorageUri.getName().replace( "|", "/" ); + # getName will apply url-decoding to the name, so encode back + sStorageUri = xStorageUri.getName().replace("%", "%25") + sStorageUri = sStorageUri.replace( "|", "/" ) # path to the .py file, relative to the base sFileUri = sStorageUri[0:sStorageUri.find("$")] commit c49718ffd58b94a3ee08de2aa77a4495128a64bb Author: Eike Rathke <[email protected]> AuthorDate: Thu Jul 11 15:50:07 2019 +0200 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:19:54 2019 +0200 Postpone loading of all external references, including INDIRECT() ... which can be constructed with an arbitrary URI text string not an svExternal* token type, until link updates are allowed. Reviewed-on: https://gerrit.libreoffice.org/75422 Reviewed-by: Eike Rathke <[email protected]> Tested-by: Jenkins (cherry picked from commit b824b23860b2cf533d4f2428d4a750bd72576181) Reviewed-on: https://gerrit.libreoffice.org/76304 Reviewed-by: Thorsten Behrens <[email protected]> Tested-by: Thorsten Behrens <[email protected]> Change-Id: I2ce4de415ff99ace04c083c36c1383d76a4ef40d (cherry picked from commit 31b1d2af8ce01804049168b7b0317d93d77a42d7) (cherry picked from commit e374cd045665226e0af82e1ba787bcb2a3879d31) diff --git a/sc/source/ui/docshell/externalrefmgr.cxx b/sc/source/ui/docshell/externalrefmgr.cxx index ba4466386f47..48ef2e80ebd7 100644 --- a/sc/source/ui/docshell/externalrefmgr.cxx +++ b/sc/source/ui/docshell/externalrefmgr.cxx @@ -133,11 +133,12 @@ struct UpdateFormulaCell : public unary_function<ScFormulaCell*, void> { void operator() (ScFormulaCell* pCell) const { - // Check to make sure the cell really contains ocExternalRef. + // Check to make sure the cell really contains svExternal*. // External names, external cell and range references all have a - // ocExternalRef token. + // token of svExternal*. Additionally check for INDIRECT() that can be + // called with any constructed URI string. ScTokenArray* pCode = pCell->GetCode(); - if (!pCode->HasExternalRef()) + if (!pCode->HasExternalRef() && !pCode->HasOpCode(ocIndirect)) return; if (pCode->GetCodeError() != FormulaError::NONE) @@ -1675,6 +1676,17 @@ static std::unique_ptr<ScTokenArray> lcl_fillEmptyMatrix(const ScRange& rRange) return pArray; } +namespace { +bool isLinkUpdateAllowedInDoc(const ScDocument& rDoc) +{ + SfxObjectShell* pDocShell = rDoc.GetDocumentShell(); + if (!pDocShell) + return false; + + return pDocShell->GetEmbeddedObjectContainer().getUserAllowsLinkUpdate(); +} +} + ScExternalRefManager::ScExternalRefManager(ScDocument* pDoc) : mpDoc(pDoc), mbInReferenceMarking(false), @@ -1964,8 +1976,19 @@ ScExternalRefCache::TokenRef ScExternalRefManager::getSingleRefToken( pSrcDoc = getSrcDocument(nFileId); if (!pSrcDoc) { - // Source document not reachable. Throw a reference error. - pToken.reset(new FormulaErrorToken(FormulaError::NoRef)); + // Source document not reachable. +#if 0 + if (!isLinkUpdateAllowedInDoc(*mpDoc)) + { + // Indicate with specific error. + pToken.reset(new FormulaErrorToken(FormulaError::LinkFormulaNeedingCheck)); + } + else +#endif + { + // Throw a reference error. + pToken.reset(new FormulaErrorToken(FormulaError::NoRef)); + } return pToken; } @@ -2172,15 +2195,6 @@ void insertRefCellByIterator( } } -bool IsLinkUpdateAllowedInDoc(const ScDocument& rDoc) -{ - SfxObjectShell* pDocShell = rDoc.GetDocumentShell(); - if (!pDocShell) - return false; - - return pDocShell->GetEmbeddedObjectContainer().getUserAllowsLinkUpdate(); -} - } void ScExternalRefManager::insertRefCell(sal_uInt16 nFileId, const ScAddress& rCell) @@ -2390,8 +2404,8 @@ ScDocument* ScExternalRefManager::getInMemorySrcDocument(sal_uInt16 nFileId) if (!pFileName) return nullptr; - // Do not load document until it was allowed - if (!IsLinkUpdateAllowedInDoc(*mpDoc)) + // Do not load document until it was allowed. + if (!isLinkUpdateAllowedInDoc(*mpDoc)) return nullptr; ScDocument* pSrcDoc = nullptr; @@ -2500,6 +2514,10 @@ SfxObjectShellRef ScExternalRefManager::loadSrcDocument(sal_uInt16 nFileId, OUSt if (!isFileLoadable(aFile)) return nullptr; + // Do not load document until it was allowed. + if (!isLinkUpdateAllowedInDoc(*mpDoc)) + return nullptr; + OUString aOptions = pFileData->maFilterOptions; if ( !pFileData->maFilterName.isEmpty() ) rFilter = pFileData->maFilterName; // don't overwrite stored filter with guessed filter @@ -2638,9 +2656,9 @@ void ScExternalRefManager::maybeLinkExternalFile( sal_uInt16 nFileId, bool bDefe aOptions = pFileData->maFilterOptions; } - // Filter detection may access external links; defer it until we are allowed + // Filter detection may access external links; defer it until we are allowed. if (!bDeferFilterDetection) - bDeferFilterDetection = !IsLinkUpdateAllowedInDoc(*mpDoc); + bDeferFilterDetection = !isLinkUpdateAllowedInDoc(*mpDoc); // If a filter was already set (for example, loading the cached table), // don't call GetFilterName which has to access the source file. commit 28c992588e690299451275fe02272bcd09bd4bc0 Author: Mike Kaganski <[email protected]> AuthorDate: Tue Jul 9 18:44:42 2019 +1000 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:19:47 2019 +0200 Postpone filter detection until link update is allowed Change-Id: I85b2185e550f2a133ceb485241ef513b40593e34 Reviewed-on: https://gerrit.libreoffice.org/75301 Tested-by: Jenkins Reviewed-by: Mike Kaganski <[email protected]> (cherry picked from commit 03c708bf085f91480c014d7fa31e7a317b2c7b8f) Reviewed-on: https://gerrit.libreoffice.org/76303 Reviewed-by: Thorsten Behrens <[email protected]> Tested-by: Thorsten Behrens <[email protected]> (cherry picked from commit 43bf332aeede732557378e81765f29b704b17188) (cherry picked from commit 73176974d613b01bdf5223b93cf2705d3fd8c155) diff --git a/sc/source/ui/docshell/externalrefmgr.cxx b/sc/source/ui/docshell/externalrefmgr.cxx index af1a27e5043f..ba4466386f47 100644 --- a/sc/source/ui/docshell/externalrefmgr.cxx +++ b/sc/source/ui/docshell/externalrefmgr.cxx @@ -2172,6 +2172,15 @@ void insertRefCellByIterator( } } +bool IsLinkUpdateAllowedInDoc(const ScDocument& rDoc) +{ + SfxObjectShell* pDocShell = rDoc.GetDocumentShell(); + if (!pDocShell) + return false; + + return pDocShell->GetEmbeddedObjectContainer().getUserAllowsLinkUpdate(); +} + } void ScExternalRefManager::insertRefCell(sal_uInt16 nFileId, const ScAddress& rCell) @@ -2382,13 +2391,8 @@ ScDocument* ScExternalRefManager::getInMemorySrcDocument(sal_uInt16 nFileId) return nullptr; // Do not load document until it was allowed - SfxObjectShell* pDocShell = mpDoc->GetDocumentShell(); - if ( pDocShell ) - { - const comphelper::EmbeddedObjectContainer& rContainer = pDocShell->GetEmbeddedObjectContainer(); - if ( !rContainer.getUserAllowsLinkUpdate() ) - return nullptr; - } + if (!IsLinkUpdateAllowedInDoc(*mpDoc)) + return nullptr; ScDocument* pSrcDoc = nullptr; ScDocShell* pShell = static_cast<ScDocShell*>(SfxObjectShell::GetFirst(checkSfxObjectShell<ScDocShell>, false)); @@ -2633,6 +2637,11 @@ void ScExternalRefManager::maybeLinkExternalFile( sal_uInt16 nFileId, bool bDefe aFilter = pFileData->maFilterName; aOptions = pFileData->maFilterOptions; } + + // Filter detection may access external links; defer it until we are allowed + if (!bDeferFilterDetection) + bDeferFilterDetection = !IsLinkUpdateAllowedInDoc(*mpDoc); + // If a filter was already set (for example, loading the cached table), // don't call GetFilterName which has to access the source file. // If filter detection is deferred, the next successfull loadSrcDocument() commit a49c86b4cbf52eecd43ed236cae9028476424eff Author: Caolán McNamara <[email protected]> AuthorDate: Fri Jul 26 13:25:31 2019 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:19:41 2019 +0200 decode url escape codes and check each path segment Change-Id: Ie8f7cef912e8dacbc2a0bca73534a7a242a53ca1 Reviewed-on: https://gerrit.libreoffice.org/76378 Reviewed-by: Stephan Bergmann <[email protected]> Tested-by: Jenkins (cherry picked from commit 7942929685fafb0f9c82feb8da7279e5103c87f0) Reviewed-on: https://gerrit.libreoffice.org/76451 Reviewed-by: Thorsten Behrens <[email protected]> Tested-by: Thorsten Behrens <[email protected]> (cherry picked from commit aab62f2b21c331ff8c31b7c856d5e59080b9d64a) (cherry picked from commit 3098810911ccf76da1591d8f6cfceebfda13dcbd) diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx index 7655e73f5c84..4af9bf24f2da 100644 --- a/sfx2/source/doc/objmisc.cxx +++ b/sfx2/source/doc/objmisc.cxx @@ -54,6 +54,8 @@ #include <com/sun/star/script/provider/XScriptProvider.hpp> #include <com/sun/star/script/provider/XScriptProviderSupplier.hpp> #include <com/sun/star/ucb/SimpleFileAccess.hpp> +#include <com/sun/star/uri/UriReferenceFactory.hpp> +#include <com/sun/star/uri/XVndSunStarScriptUrlReference.hpp> #include <com/sun/star/util/XModifiable.hpp> #include <toolkit/helper/vclunohelper.hxx> @@ -1430,7 +1432,32 @@ namespace // don't allow LibreLogo to be used with our mouseover/etc dom-alike events bool SfxObjectShell::UnTrustedScript(const OUString& rScriptURL) { - return rScriptURL.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo"); + if (!rScriptURL.startsWith("vnd.sun.star.script:")) + return false; + + // ensure URL Escape Codes are decoded + css::uno::Reference<css::uri::XUriReference> uri( + css::uri::UriReferenceFactory::create(comphelper::getProcessComponentContext())->parse(rScriptURL)); + css::uno::Reference<css::uri::XVndSunStarScriptUrl> sfUri(uri, css::uno::UNO_QUERY); + + if (!sfUri.is()) + return false; + + OUString sScript = sfUri->getName(); + + // check if any path portion matches LibreLogo and ban it if it does + sal_Int32 nIndex = 0; + do + { + OUString aToken = sScript.getToken(0, '/', nIndex); + if (aToken.startsWithIgnoreAsciiCase("LibreLogo")) + { + return true; + } + } + while (nIndex >= 0); + + return false; } ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptContext, const OUString& _rScriptURL, commit 808898411a208887ff64aecbac415354404c7128 Author: Caolán McNamara <[email protected]> AuthorDate: Tue Jul 23 15:31:05 2019 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:19:35 2019 +0200 expand LibreLogo check to global events Reviewed-on: https://gerrit.libreoffice.org/76189 Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> (cherry picked from commit 4a66c7eda6ccde26a42c4e31725248c59940255d) Change-Id: I7f436983ba0eb4b76b02d08ee52626e54b103d5f Reviewed-on: https://gerrit.libreoffice.org/76305 Reviewed-by: Thorsten Behrens <[email protected]> Tested-by: Thorsten Behrens <[email protected]> (cherry picked from commit b14742734481ae0a4731989a99db487d8ae1986a) (cherry picked from commit 139d6207488d5e9ae7904f9ea07f058c531898ef) diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx index ab885358b66f..331ee58cf252 100644 --- a/include/sfx2/objsh.hxx +++ b/include/sfx2/objsh.hxx @@ -402,6 +402,8 @@ public: */ bool AdjustMacroMode(); + static bool UnTrustedScript(const OUString& rScriptURL); + SvKeyValueIterator* GetHeaderAttributes(); void ClearHeaderAttributesForSourceViewHack(); void SetHeaderAttributesForSourceViewHack(); diff --git a/sfx2/source/doc/objmisc.cxx b/sfx2/source/doc/objmisc.cxx index 881d0a3bcad6..7655e73f5c84 100644 --- a/sfx2/source/doc/objmisc.cxx +++ b/sfx2/source/doc/objmisc.cxx @@ -1427,16 +1427,12 @@ namespace } } -namespace { - // don't allow LibreLogo to be used with our mouseover/etc dom-alike events -bool UnTrustedScript(const OUString& rScriptURL) +bool SfxObjectShell::UnTrustedScript(const OUString& rScriptURL) { return rScriptURL.startsWithIgnoreAsciiCase("vnd.sun.star.script:LibreLogo"); } -} - ErrCode SfxObjectShell::CallXScript( const Reference< XInterface >& _rxScriptContext, const OUString& _rScriptURL, const Sequence< Any >& aParams, Any& aRet, Sequence< sal_Int16 >& aOutParamIndex, Sequence< Any >& aOutParam, bool bRaiseError, const css::uno::Any* pCaller ) { diff --git a/sfx2/source/notify/eventsupplier.cxx b/sfx2/source/notify/eventsupplier.cxx index aa94e1b8e07f..5c1e470106c8 100644 --- a/sfx2/source/notify/eventsupplier.cxx +++ b/sfx2/source/notify/eventsupplier.cxx @@ -213,18 +213,24 @@ void SfxEvents_Impl::Execute( uno::Any& aEventData, const document::DocumentEven else if (aType == "Service" || aType == "Script") { - if ( !aScript.isEmpty() ) + bool bAllowed = false; + util::URL aURL; + if (!aScript.isEmpty()) { - SfxViewFrame* pView = pDoc ? - SfxViewFrame::GetFirst( pDoc ) : - SfxViewFrame::Current(); - uno::Reference < util::XURLTransformer > xTrans( util::URLTransformer::create( ::comphelper::getProcessComponentContext() ) ); - util::URL aURL; aURL.Complete = aScript; xTrans->parseStrict( aURL ); + bAllowed = !SfxObjectShell::UnTrustedScript(aURL.Complete); + } + + if (bAllowed) + { + SfxViewFrame* pView = pDoc ? + SfxViewFrame::GetFirst( pDoc ) : + SfxViewFrame::Current(); + uno::Reference < frame::XDispatchProvider > xProv; commit f217a91242fde65de357c28f2b674c745f63dd3d Author: Caolán McNamara <[email protected]> AuthorDate: Mon Sep 3 17:20:21 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:17:40 2019 +0200 ofz#10198 reset uncommitted fly stuff & pams before applying redlining Change-Id: I2a2587ec4590926f7cffc2a4d58a22d9d5f19c99 Reviewed-on: https://gerrit.libreoffice.org/59947 Reviewed-by: Michael Stahl <[email protected]> Tested-by: Jenkins (cherry picked from commit 887ee9111f42847406c5ffc85a0ba635080de3de) diff --git a/sw/source/filter/ww8/ww8par.cxx b/sw/source/filter/ww8/ww8par.cxx index 4ea22bf68526..97aa5f8262e0 100644 --- a/sw/source/filter/ww8/ww8par.cxx +++ b/sw/source/filter/ww8/ww8par.cxx @@ -5490,6 +5490,9 @@ sal_uLong SwWW8ImplReader::CoreLoad(WW8Glossary *pGloss) UpdateFields(); + m_xWFlyPara.reset(); + m_xSFlyPara.reset(); + // delete the pam before the call for hide all redlines (Bug 73683) if (m_bNewDoc) m_rDoc.getIDocumentRedlineAccess().SetRedlineFlags(eMode); commit 88574730c6feac2f9b4a4334fb1f3c4224eab135 Author: Caolán McNamara <[email protected]> AuthorDate: Wed Aug 15 10:27:22 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:17:33 2019 +0200 ofz#9908 validate no negative editengine selection positions Change-Id: I37dace2051518224c55756362facd3edba4a9571 Reviewed-on: https://gerrit.libreoffice.org/59059 Tested-by: Jenkins Reviewed-by: Christian Lohmaier <[email protected]> (cherry picked from commit ca3038a05188084b012dd3c799494f30bc5c47ef) diff --git a/sw/source/filter/ww8/ww8graf.cxx b/sw/source/filter/ww8/ww8graf.cxx index eb60b863daaa..4cf1964ace4a 100644 --- a/sw/source/filter/ww8/ww8graf.cxx +++ b/sw/source/filter/ww8/ww8graf.cxx @@ -563,7 +563,9 @@ namespace bool IsValidSel(const EditEngine& rEngine, const ESelection& rSel) { const auto nParaCount = rEngine.GetParagraphCount(); - return rSel.nStartPara < nParaCount && rSel.nEndPara < nParaCount; + if (rSel.nStartPara < nParaCount && rSel.nEndPara < nParaCount) + return rSel.nStartPos >= 0 && rSel.nEndPos >= 0; + return false; } } commit e5df0d8414e977936a5d91de2444ab6f16d940d1 Author: Caolán McNamara <[email protected]> AuthorDate: Sat Dec 30 13:57:38 2017 +0000 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:17:27 2019 +0200 ofz#4837 Null-dereference READ Change-Id: I7e4cb934aeac32fa1170beb116e4600b5eb9389a Reviewed-on: https://gerrit.libreoffice.org/47197 Tested-by: Jenkins <[email protected]> Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> (cherry picked from commit 9f8dd17b1e6ab5d5d07b61e0f85edea233f03d71) diff --git a/sw/source/filter/ww8/ww8graf.cxx b/sw/source/filter/ww8/ww8graf.cxx index 2664cdb3971e..eb60b863daaa 100644 --- a/sw/source/filter/ww8/ww8graf.cxx +++ b/sw/source/filter/ww8/ww8graf.cxx @@ -558,6 +558,15 @@ public: } }; +namespace +{ + bool IsValidSel(const EditEngine& rEngine, const ESelection& rSel) + { + const auto nParaCount = rEngine.GetParagraphCount(); + return rSel.nStartPara < nParaCount && rSel.nEndPara < nParaCount; + } +} + // InsertAttrsAsDrawingAttrs() sets attributes between StartCp and EndCp. // Style attributes are set as hard, paragraph and character attributes. void SwWW8ImplReader::InsertAttrsAsDrawingAttrs(long nStartCp, long nEndCp, @@ -732,6 +741,8 @@ void SwWW8ImplReader::InsertAttrsAsDrawingAttrs(long nStartCp, long nEndCp, { ESelection aSel(GetESelection(*m_pDrawEditEngine, aIter->GetStartPos()-nStartCp, aIter->GetEndPos()-nStartCp)); + if (!IsValidSel(*m_pDrawEditEngine, aSel)) + continue; OUString aString(m_pDrawEditEngine->GetText(aSel)); const sal_Int32 nOrigLen = aString.getLength(); long nDummy(0); commit 757869900fc4c8ddc2b5e93e525acafcbae7875d Author: Michael Stahl <[email protected]> AuthorDate: Thu Jul 18 14:07:06 2019 +0200 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:17:21 2019 +0200 sw: fix use after free on tdf117215-1.odt Move the fix from 6d0ea082889c89eb8b408779f2de08da7441ff54 to SwFlyFrame::DestroyImpl() so we unregister every SwFlyFrame. ==1550==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000383f56 at pc 0x7efcd70d5ab9 bp 0x7ffeb7ac7c40 sp 0x7ffeb7ac7c38 WRITE of size 1 at 0x615000383f56 thread T0 0 SwAnchoredObject::SetTmpConsiderWrapInfluence(bool) sw/source/core/layout/anchoredobject.cxx:743:32 1 SwObjsMarkedAsTmpConsiderWrapInfluence::Clear() sw/source/core/layout/objstmpconsiderwrapinfl.cxx:53:23 2 SwLayouter::ClearObjsTmpConsiderWrapInfluence(SwDoc const&) sw/source/core/layout/layouter.cxx:387:84 3 sw::DocumentLayoutManager::ClearSwLayouterEntries() sw/source/core/doc/DocumentLayoutManager.cxx:497:5 4 sw::DocumentStateManager::SetModified() sw/source/core/doc/DocumentStateManager.cxx:45:39 5 sw::DocumentContentOperationsManager::DeleteRangeImplImpl(SwPaM&) sw/source/core/doc/DocumentContentOperationsManager.cxx:3942:36 0x615000383f56 is located 342 bytes inside of 504-byte region [0x615000383e00,0x615000383ff8) freed by thread T0 here: 1 SwFlyAtContentFrame::~SwFlyAtContentFrame() sw/source/core/inc/flyfrms.hxx:159:7 2 SwFrame::DestroyFrame(SwFrame*) sw/source/core/layout/ssfrm.cxx:389:9 3 SwFrameFormat::DelFrames() sw/source/core/layout/atrfrm.cxx:2624:17 4 SwUndoFlyBase::DelFly(SwDoc*) sw/source/core/undo/undobj1.cxx:161:19 5 SwUndoDelLayFormat::SwUndoDelLayFormat(SwFrameFormat*) sw/source/core/undo/undobj1.cxx:403:5 6 SwHistoryTextFlyCnt::SwHistoryTextFlyCnt(SwFrameFormat*) sw/source/core/undo/rolbck.cxx:538:20 7 SwHistory::Add(SwFlyFrameFormat&, unsigned short&) sw/source/core/undo/rolbck.cxx:1083:50 8 SwUndoSaveContent::DelContentIndex(SwPosition const&, SwPosition const&, DelContentType) sw/source/core/undo/undobj.cxx:1020:39 9 SwUndoDelete::SwUndoDelete(SwPaM&, bool, bool) sw/source/core/undo/undel.cxx:229:9 11 sw::DocumentContentOperationsManager::DeleteRangeImplImpl(SwPaM&) sw/source/core/doc/DocumentContentOperationsManager.cxx:3939:55 Change-Id: Ia0c28c9d5792615cbb566e502374efd0f4056daf Reviewed-on: https://gerrit.libreoffice.org/75857 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit dea72ef111ee8a0b1b178f8cd48757514d5ca831) Reviewed-on: https://gerrit.libreoffice.org/75941 Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> (cherry picked from commit 4b9324b93dcbd72c8c8949309d45790dd8f7d5fd) diff --git a/sw/source/core/layout/fly.cxx b/sw/source/core/layout/fly.cxx index 2b7b5724fb62..210687972af6 100644 --- a/sw/source/core/layout/fly.cxx +++ b/sw/source/core/layout/fly.cxx @@ -255,6 +255,8 @@ void SwFlyFrame::DestroyImpl() if( GetFormat() && !GetFormat()->GetDoc()->IsInDtor() ) { + ClearTmpConsiderWrapInfluence(); // remove this from SwLayouter + // OD 2004-01-19 #110582# Unchain(); diff --git a/sw/source/core/layout/ssfrm.cxx b/sw/source/core/layout/ssfrm.cxx index 43950850b471..d40ae945026b 100644 --- a/sw/source/core/layout/ssfrm.cxx +++ b/sw/source/core/layout/ssfrm.cxx @@ -472,7 +472,6 @@ void SwLayoutFrame::DestroyImpl() const size_t nCnt = pFrame->GetDrawObjs()->size(); // #i28701# SwAnchoredObject* pAnchoredObj = (*pFrame->GetDrawObjs())[0]; - pAnchoredObj->ClearTmpConsiderWrapInfluence(); if (SwFlyFrame* pFlyFrame = dynamic_cast<SwFlyFrame*>(pAnchoredObj)) { SwFrame::DestroyFrame(pFlyFrame); @@ -480,6 +479,7 @@ void SwLayoutFrame::DestroyImpl() } else { + pAnchoredObj->ClearTmpConsiderWrapInfluence(); SdrObject* pSdrObj = pAnchoredObj->DrawObj(); SwDrawContact* pContact = static_cast<SwDrawContact*>(pSdrObj->GetUserCall()); commit be52ca491023bf5b0d403df0f6ace04b3ff732e7 Author: Caolán McNamara <[email protected]> AuthorDate: Thu Aug 9 12:32:01 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:17:14 2019 +0200 forcepoint73 deleted SwAnchoredObject still referenced in TmpConsiderWrapInfl Reviewed-on: https://gerrit.libreoffice.org/58760 Tested-by: Jenkins Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> (cherry picked from commit 6d0ea082889c89eb8b408779f2de08da7441ff54) Reviewed-on: https://gerrit.libreoffice.org/58768 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit de765158b372d5f7bbb1b37c7d6be695ab6104ac) Change-Id: If255723834d049865fcf6fd0eac7768dfcbad2a1 diff --git a/sw/inc/anchoredobject.hxx b/sw/inc/anchoredobject.hxx index a91b530425bc..b51960439b3c 100644 --- a/sw/inc/anchoredobject.hxx +++ b/sw/inc/anchoredobject.hxx @@ -467,6 +467,7 @@ class SW_DLLPUBLIC SwAnchoredObject // accessors to member <mbTmpConsiderWrapInfluence> void SetTmpConsiderWrapInfluence( const bool _bTmpConsiderWrapInfluence ); bool IsTmpConsiderWrapInfluence() const { return mbTmpConsiderWrapInfluence;} + void ClearTmpConsiderWrapInfluence(); /** method to determine, if the anchored object is overlapping with a previous column diff --git a/sw/source/core/inc/layouter.hxx b/sw/source/core/inc/layouter.hxx index 862aafef5da5..d67b44a1faff 100644 --- a/sw/source/core/inc/layouter.hxx +++ b/sw/source/core/inc/layouter.hxx @@ -127,6 +127,10 @@ public: static void InsertObjForTmpConsiderWrapInfluence( const SwDoc& _rDoc, SwAnchoredObject& _rAnchoredObj ); + static void RemoveObjForTmpConsiderWrapInfluence( + const SwDoc& _rDoc, + SwAnchoredObject& _rAnchoredObj ); + // --> #i65250# static bool MoveBwdSuppressed( const SwDoc& p_rDoc, const SwFlowFrame& p_rFlowFrame, diff --git a/sw/source/core/layout/anchoredobject.cxx b/sw/source/core/layout/anchoredobject.cxx index 34e251c220ec..00bd40948c51 100644 --- a/sw/source/core/layout/anchoredobject.cxx +++ b/sw/source/core/layout/anchoredobject.cxx @@ -749,7 +749,14 @@ void SwAnchoredObject::SetTmpConsiderWrapInfluence( const bool _bTmpConsiderWrap } } - +void SwAnchoredObject::ClearTmpConsiderWrapInfluence() +{ + mbTmpConsiderWrapInfluence = false; + mbClearedEnvironment = false; + SetClearedEnvironment( false ); + SwLayouter::RemoveObjForTmpConsiderWrapInfluence( *(GetFrameFormat().GetDoc()), + *this ); +} void SwAnchoredObject::SetTmpConsiderWrapInfluenceOfOtherObjs() { const SwSortedObjs* pObjs = GetAnchorFrame()->GetDrawObjs(); diff --git a/sw/source/core/layout/layouter.cxx b/sw/source/core/layout/layouter.cxx index 2b27fe267f87..b97f3bda0eed 100644 --- a/sw/source/core/layout/layouter.cxx +++ b/sw/source/core/layout/layouter.cxx @@ -402,6 +402,7 @@ void SwLayouter::ClearObjsTmpConsiderWrapInfluence( const SwDoc& _rDoc ) _rDoc.getIDocumentLayoutAccess().GetLayouter()->mpObjsTmpConsiderWrapInfl->Clear(); } } + void SwLayouter::InsertObjForTmpConsiderWrapInfluence( const SwDoc& _rDoc, SwAnchoredObject& _rAnchoredObj ) @@ -420,6 +421,20 @@ void SwLayouter::InsertObjForTmpConsiderWrapInfluence( _rDoc.getIDocumentLayoutAccess().GetLayouter()->mpObjsTmpConsiderWrapInfl->Insert( _rAnchoredObj ); } +void SwLayouter::RemoveObjForTmpConsiderWrapInfluence( + const SwDoc& _rDoc, + SwAnchoredObject& _rAnchoredObj ) +{ + if ( !_rDoc.getIDocumentLayoutAccess().GetLayouter() ) + return; + + if ( !_rDoc.getIDocumentLayoutAccess().GetLayouter()->mpObjsTmpConsiderWrapInfl ) + return; + + _rDoc.getIDocumentLayoutAccess().GetLayouter()->mpObjsTmpConsiderWrapInfl->Remove( _rAnchoredObj ); +} + + void LOOPING_LOUIE_LIGHT( bool bCondition, const SwTextFrame& rTextFrame ) { if ( bCondition ) diff --git a/sw/source/core/layout/objstmpconsiderwrapinfl.cxx b/sw/source/core/layout/objstmpconsiderwrapinfl.cxx index 214fe5693e3b..83d1a183c3c4 100644 --- a/sw/source/core/layout/objstmpconsiderwrapinfl.cxx +++ b/sw/source/core/layout/objstmpconsiderwrapinfl.cxx @@ -31,23 +31,18 @@ SwObjsMarkedAsTmpConsiderWrapInfluence::~SwObjsMarkedAsTmpConsiderWrapInfluence( void SwObjsMarkedAsTmpConsiderWrapInfluence::Insert( SwAnchoredObject& _rAnchoredObj ) { + auto it = std::find(maObjsTmpConsiderWrapInfl.begin(), maObjsTmpConsiderWrapInfl.end(), &_rAnchoredObj); + if (it != maObjsTmpConsiderWrapInfl.end()) + return; + maObjsTmpConsiderWrapInfl.push_back( &_rAnchoredObj ); +} - bool bAlreadyInserted( false ); - std::vector< SwAnchoredObject* >::const_iterator aIter = maObjsTmpConsiderWrapInfl.begin(); - for ( ; aIter != maObjsTmpConsiderWrapInfl.end(); ++aIter ) - { - const SwAnchoredObject* pAnchoredObj = *(aIter); - if ( pAnchoredObj == &_rAnchoredObj ) - { - bAlreadyInserted = true; - break; - } - } - - if ( !bAlreadyInserted ) - { - maObjsTmpConsiderWrapInfl.push_back( &_rAnchoredObj ); - } +void SwObjsMarkedAsTmpConsiderWrapInfluence::Remove( SwAnchoredObject& _rAnchoredObj ) +{ + auto it = std::find(maObjsTmpConsiderWrapInfl.begin(), maObjsTmpConsiderWrapInfl.end(), &_rAnchoredObj); + if (it == maObjsTmpConsiderWrapInfl.end()) + return; + maObjsTmpConsiderWrapInfl.erase(it); } void SwObjsMarkedAsTmpConsiderWrapInfluence::Clear() diff --git a/sw/source/core/layout/objstmpconsiderwrapinfl.hxx b/sw/source/core/layout/objstmpconsiderwrapinfl.hxx index fcf495e72a50..28b6acf9de1c 100644 --- a/sw/source/core/layout/objstmpconsiderwrapinfl.hxx +++ b/sw/source/core/layout/objstmpconsiderwrapinfl.hxx @@ -33,6 +33,7 @@ class SwObjsMarkedAsTmpConsiderWrapInfluence ~SwObjsMarkedAsTmpConsiderWrapInfluence(); void Insert( SwAnchoredObject& _rAnchoredObj ); + void Remove( SwAnchoredObject& _rAnchoredObj ); void Clear(); }; diff --git a/sw/source/core/layout/ssfrm.cxx b/sw/source/core/layout/ssfrm.cxx index 1898c05a2d29..43950850b471 100644 --- a/sw/source/core/layout/ssfrm.cxx +++ b/sw/source/core/layout/ssfrm.cxx @@ -472,9 +472,10 @@ void SwLayoutFrame::DestroyImpl() const size_t nCnt = pFrame->GetDrawObjs()->size(); // #i28701# SwAnchoredObject* pAnchoredObj = (*pFrame->GetDrawObjs())[0]; - if ( dynamic_cast< const SwFlyFrame *>( pAnchoredObj ) != nullptr ) + pAnchoredObj->ClearTmpConsiderWrapInfluence(); + if (SwFlyFrame* pFlyFrame = dynamic_cast<SwFlyFrame*>(pAnchoredObj)) { - SwFrame::DestroyFrame(static_cast<SwFlyFrame*>(pAnchoredObj)); + SwFrame::DestroyFrame(pFlyFrame); assert(!pFrame->GetDrawObjs() || nCnt > pFrame->GetDrawObjs()->size()); } else commit 25b1afa3d012910bf29ba043726f6fb53b630c83 Author: Caolán McNamara <[email protected]> AuthorDate: Mon Mar 25 12:06:20 2019 +0000 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:17:08 2019 +0200 Resolves: tdf#124142 don't deref nullptr Change-Id: Ie14600e9f9a1e1c4e99c7a872f5d677453481888 Reviewed-on: https://gerrit.libreoffice.org/69666 Tested-by: Jenkins Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> (cherry picked from commit ac7ce7a64ef903bad1476f5635a7b2a1e951a7a3) Reviewed-on: https://gerrit.libreoffice.org/69694 Reviewed-by: Xisco Faulí <[email protected]> (cherry picked from commit cdef6e5f4053adf5413781a9282285eab3923373) diff --git a/sw/source/core/unocore/unostyle.cxx b/sw/source/core/unocore/unostyle.cxx index db6fc57152c3..4896abbaf98e 100644 --- a/sw/source/core/unocore/unostyle.cxx +++ b/sw/source/core/unocore/unostyle.cxx @@ -194,7 +194,8 @@ namespace sw , m_pBasePool(pDocShell->GetStyleSheetPool()) , m_pDocShell(pDocShell) { - StartListening(*m_pBasePool); + if (m_pBasePool) //tdf#124142 html docs can have no styles + StartListening(*m_pBasePool); } virtual ~XStyleFamily() override {}; commit c7f2bb7b9de2c44021bc56ec6253f32cfbee1798 Author: Caolán McNamara <[email protected]> AuthorDate: Wed Feb 6 12:09:27 2019 +0000 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:17:02 2019 +0200 fix assert seen on opening attachment from tdf#123163 I imagine it should have been seqPos-(idPos+2) seems to be like this since the initial commit of commit 091fe76b6329b4bb974987554369cbfadd8f2401 Date: Tue Jun 30 12:55:18 2015 +0300 tdf#87348 implement mso-next-textbox vml-style textbox chaining import Change-Id: Ic2f527ede2102c01c8589d58d8c705d59b0a6ffe Reviewed-on: https://gerrit.libreoffice.org/67454 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 45510866fedac63014a3120a1130dbea9fd803ee) diff --git a/oox/source/vml/vmlshape.cxx b/oox/source/vml/vmlshape.cxx index 27730de50ccf..10ee65fb1345 100644 --- a/oox/source/vml/vmlshape.cxx +++ b/oox/source/vml/vmlshape.cxx @@ -350,7 +350,8 @@ Reference< XShape > ShapeBase::convertAndInsert( const Reference< XShapes >& rxS sal_Int32 seqPos = sLinkChainName.indexOf("_s",idPos); if (idPos < seqPos) { - id = sLinkChainName.copy(idPos+2,seqPos-idPos+2).toInt32(); + auto idPosEnd = idPos+2; + id = sLinkChainName.copy(idPosEnd, seqPos - idPosEnd).toInt32(); seq = sLinkChainName.copy(seqPos+2).toInt32(); } } commit c4e3b75718a9953e4f22736d553ba279efd45b7f Author: Caolán McNamara <[email protected]> AuthorDate: Sat Aug 4 15:30:46 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:15:44 2019 +0200 crashtesting: bubble surface creation failure notification upwards e.g. on converting moz858095-2.svg to odg Change-Id: I1a222f1745cff9c4cb225f6c0c216072fb17b4f7 Reviewed-on: https://gerrit.libreoffice.org/58587 Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> (cherry picked from commit dbf34be458a2b5723084d1ed99390b744cee6053) diff --git a/vcl/headless/svpgdi.cxx b/vcl/headless/svpgdi.cxx index 61d9f0a0e07e..00a40aa465ab 100644 --- a/vcl/headless/svpgdi.cxx +++ b/vcl/headless/svpgdi.cxx @@ -1323,6 +1323,11 @@ SalBitmap* SvpSalGraphics::getBitmap( long nX, long nY, long nWidth, long nHeigh } cairo_surface_t* target = SvpSalGraphics::createCairoSurface(pBitmap->GetBuffer()); + if (!target) + { + SAL_WARN("vcl.gdi", "SvpSalGraphics::getBitmap, cannot create cairo surface"); + return nullptr; + } cairo_t* cr = cairo_create(target); SalTwoRect aTR(nX, nY, nWidth, nHeight, 0, 0, nWidth, nHeight); commit 88469d51b693b8ad6a08c165510c394c9f697333 Author: Caolán McNamara <[email protected]> AuthorDate: Tue Jun 5 21:37:00 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:15:37 2019 +0200 tdf#121005 forcepoint#44 merge into isDeleteForbidden Reviewed-on: https://gerrit.libreoffice.org/55355 Tested-by: Jenkins <[email protected]> Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> (cherry picked from commit c6222fb6b8b429fa2e767c73ad616147f95ab1b9) Change-Id: If7ce44786975c5f9bdc9e64d16274728b03bed32 Reviewed-on: https://gerrit.libreoffice.org/62629 Tested-by: Jenkins Reviewed-by: Miklos Vajna <[email protected]> (cherry picked from commit ba4861a0dfdf97448925130995d69b4c516f0644) diff --git a/sw/qa/core/data/ww8/fail/forcepoint-44.doc b/sw/qa/core/data/ww8/fail/forcepoint-44.doc new file mode 100644 index 000000000000..100422a2249c Binary files /dev/null and b/sw/qa/core/data/ww8/fail/forcepoint-44.doc differ diff --git a/sw/source/core/layout/pagechg.cxx b/sw/source/core/layout/pagechg.cxx index 541116f0bfe2..3fc1558411d2 100644 --- a/sw/source/core/layout/pagechg.cxx +++ b/sw/source/core/layout/pagechg.cxx @@ -1185,6 +1185,8 @@ namespace { bool isDeleteForbidden(const SwPageFrame *pDel) { + if (pDel->IsDeleteForbidden()) + return true; const SwLayoutFrame* pBody = pDel->FindBodyCont(); const SwFrame* pBodyContent = pBody ? pBody->Lower() : nullptr; return pBodyContent && pBodyContent->IsDeleteForbidden(); @@ -1212,8 +1214,6 @@ namespace !pSibling->FindFirstBodyContent() && (!pRefPage || !isDeleteForbidden(pSibling)) ) { - if (pSibling->IsDeleteForbidden()) - throw uno::RuntimeException("bad layout"); pRoot->RemovePage( pRefSibling, SwRemoveResult::Next ) ; return false; } commit 5d392d293e062614d5d97972fea0481fab26d6f3 Author: Caolán McNamara <[email protected]> AuthorDate: Mon Apr 16 16:45:14 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:15:29 2019 +0200 forcepoint#39 bad layout reproducible with ./instdir/program/soffice.bin --headless --convert-to pdf sw/qa/core/data/ww8/pass/forcepoint-layout-1.doc Change-Id: I93bd8a75196ddb2a1a242752bb1e06164bf7148e Reviewed-on: https://gerrit.libreoffice.org/53002 Tested-by: Jenkins <[email protected]> Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> (cherry picked from commit 2a957e408530cd16526d793c87f0e6fd4bed1548) diff --git a/sw/qa/core/data/ww8/pass/forcepoint-layout-1.doc b/sw/qa/core/data/ww8/pass/forcepoint-layout-1.doc new file mode 100755 index 000000000000..37801a9b14e2 Binary files /dev/null and b/sw/qa/core/data/ww8/pass/forcepoint-layout-1.doc differ diff --git a/sw/source/core/layout/fly.cxx b/sw/source/core/layout/fly.cxx index 066055a1f264..2b7b5724fb62 100644 --- a/sw/source/core/layout/fly.cxx +++ b/sw/source/core/layout/fly.cxx @@ -1449,6 +1449,7 @@ void CalcContent( SwLayoutFrame *pLay, bool bNoColl ) } { + SwFrameDeleteGuard aDeletePageGuard(pSect->FindPageFrame()); SwFrameDeleteGuard aDeleteGuard(pSect); pFrame->Calc(pRenderContext); } diff --git a/sw/source/core/layout/pagechg.cxx b/sw/source/core/layout/pagechg.cxx index 9debe9f81bbb..541116f0bfe2 100644 --- a/sw/source/core/layout/pagechg.cxx +++ b/sw/source/core/layout/pagechg.cxx @@ -1212,6 +1212,8 @@ namespace !pSibling->FindFirstBodyContent() && (!pRefPage || !isDeleteForbidden(pSibling)) ) { + if (pSibling->IsDeleteForbidden()) + throw uno::RuntimeException("bad layout"); pRoot->RemovePage( pRefSibling, SwRemoveResult::Next ) ; return false; } commit 3844f7a329c715179dc21983deecc41ca4883961 Author: Caolán McNamara <[email protected]> AuthorDate: Wed Oct 10 09:42:36 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:15:23 2019 +0200 ofz#10879 stay inside sSecStr bounds Change-Id: I0ca70cdb9b80305c5339668d65d2c4c9977e7160 Reviewed-on: https://gerrit.libreoffice.org/61605 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit b3b52643983ec28838eeeed9f841b0918dc745be) diff --git a/svl/source/numbers/zformat.cxx b/svl/source/numbers/zformat.cxx index 85533c5e23f4..c86910a13f93 100644 --- a/svl/source/numbers/zformat.cxx +++ b/svl/source/numbers/zformat.cxx @@ -3088,7 +3088,7 @@ bool SvNumberformat::ImpGetTimeOutput(double fNumber, (rInfo.nTypeArray[i-1] == NF_SYMBOLTYPE_STRING || rInfo.nTypeArray[i-1] == NF_SYMBOLTYPE_TIME100SECSEP) ? nCntPost : rInfo.sStrArray[i].getLength() ); - for (sal_Int32 j = 0; j < nLen && nSecPos < nCntPost; j++) + for (sal_Int32 j = 0; j < nLen && nSecPos < nCntPost && nSecPos < sSecStr.getLength(); ++j) { sBuff.append(sSecStr[nSecPos]); nSecPos++; @@ -3881,7 +3881,7 @@ bool SvNumberformat::ImpGetDateTimeOutput(double fNumber, (rInfo.nTypeArray[i-1] == NF_SYMBOLTYPE_STRING || rInfo.nTypeArray[i-1] == NF_SYMBOLTYPE_TIME100SECSEP) ? nCntPost : rInfo.sStrArray[i].getLength() ); - for (sal_Int32 j = 0; j < nLen && nSecPos < nCntPost; j++) + for (sal_Int32 j = 0; j < nLen && nSecPos < nCntPost && nSecPos < sSecStr.getLength(); ++j) { sBuff.append(sSecStr[ nSecPos ]); nSecPos++; commit 02cfcff41bbaa2516f4763a8925a70cb6878a97b Author: Caolán McNamara <[email protected]> AuthorDate: Mon Sep 17 09:01:59 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:14:51 2019 +0200 ofz#10395 Null-dereference Reviewed-on: https://gerrit.libreoffice.org/60559 Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]> (cherry picked from commit 07b3bfb125fae70e0ab796a929a4f2abe4937912) Reviewed-on: https://gerrit.libreoffice.org/60564 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit fde33870d6989efeb59355aad1209a7f50e7ecf6) Change-Id: I7bde5987a51949d60174335327652186e0ad8998 diff --git a/oox/source/shape/WpsContext.cxx b/oox/source/shape/WpsContext.cxx index 5fbea5fb225b..b8916bea9175 100644 --- a/oox/source/shape/WpsContext.cxx +++ b/oox/source/shape/WpsContext.cxx @@ -178,11 +178,14 @@ oox::core::ContextHandlerRef WpsContext::onCreateContext(sal_Int32 nElementToken if (rAttribs.hasAttribute(XML_prst)) { uno::Reference<beans::XPropertySet> xPropertySet(mxShape, uno::UNO_QUERY); - oox::OptValue<OUString> presetShapeName = rAttribs.getString(XML_prst); - const OUString& preset = presetShapeName.get(); - comphelper::SequenceAsHashMap aCustomShapeGeometry(xPropertySet->getPropertyValue("CustomShapeGeometry")); - aCustomShapeGeometry["PresetTextWarp"] = uno::makeAny(preset); - xPropertySet->setPropertyValue("CustomShapeGeometry", uno::makeAny(aCustomShapeGeometry.getAsConstPropertyValueList())); + if (xPropertySet.is()) + { + oox::OptValue<OUString> presetShapeName = rAttribs.getString(XML_prst); + const OUString& preset = presetShapeName.get(); + comphelper::SequenceAsHashMap aCustomShapeGeometry(xPropertySet->getPropertyValue("CustomShapeGeometry")); + aCustomShapeGeometry["PresetTextWarp"] <<= preset; + xPropertySet->setPropertyValue("CustomShapeGeometry", uno::makeAny(aCustomShapeGeometry.getAsConstPropertyValueList())); + } } break; case XML_txbx: commit 049297f3e3e0d6b52eff81c489effc70e34be704 Author: Caolán McNamara <[email protected]> AuthorDate: Sat Aug 25 19:08:35 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:12:51 2019 +0200 ofz#10056 Null deref Change-Id: I9ea0f272d0a8b13fb51fec55ac57adca47cafc77 Reviewed-on: https://gerrit.libreoffice.org/59601 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 48c677d55330ac6caf0065fa1776c985b876eead) diff --git a/writerfilter/source/ooxml/OOXMLStreamImpl.cxx b/writerfilter/source/ooxml/OOXMLStreamImpl.cxx index 3d3a6a0b268e..3398c216093f 100644 --- a/writerfilter/source/ooxml/OOXMLStreamImpl.cxx +++ b/writerfilter/source/ooxml/OOXMLStreamImpl.cxx @@ -319,12 +319,20 @@ bool OOXMLStreamImpl::lcl_getTarget(const uno::Reference<embed::XRelationshipAcc // simple string concatination here to handle that. uno::Reference<uri::XUriReference> xPart = xFac->parse(sMyTarget); uno::Reference<uri::XUriReference> xAbs = xFac->makeAbsolute(xBase, xPart, true, uri::RelativeUriExcessParentSegments_RETAIN); - rDocumentTarget = xAbs->getPath(); - // path will start with the fragment separator. need to - // remove that - rDocumentTarget = rDocumentTarget.copy( 1 ); - if(sStreamType == sEmbeddingsType) - embeddingsTarget = rDocumentTarget; + if (!xAbs) + { + //it was invalid gibberish + bFound = false; + } + else + { + rDocumentTarget = xAbs->getPath(); + // path will start with the fragment separator. need to + // remove that + rDocumentTarget = rDocumentTarget.copy( 1 ); + if(sStreamType == sEmbeddingsType) + embeddingsTarget = rDocumentTarget; + } } break; commit 05c6f17ea79a535fa5f43ba23ecd730138f1c5c5 Author: Caolán McNamara <[email protected]> AuthorDate: Fri Aug 24 15:01:23 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:12:44 2019 +0200 ofz#10045 Null deref Change-Id: If9c8edd94b02240510325d6c9c0fc7584ba89b5f Reviewed-on: https://gerrit.libreoffice.org/59574 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit fabac301a2c431a51bcae435e7ad87c843331877) diff --git a/writerfilter/source/dmapper/DomainMapperTableHandler.cxx b/writerfilter/source/dmapper/DomainMapperTableHandler.cxx index a872ecb16c6a..8973a44b1d12 100644 --- a/writerfilter/source/dmapper/DomainMapperTableHandler.cxx +++ b/writerfilter/source/dmapper/DomainMapperTableHandler.cxx @@ -1033,8 +1033,11 @@ void DomainMapperTableHandler::endTable(unsigned int nestedTableLevel, bool bTab { xStart = m_aTableRanges[0][0][0]; uno::Sequence< uno::Sequence< uno::Reference<text::XTextRange> > >& rLastRow = m_aTableRanges[m_aTableRanges.size() - 1]; - uno::Sequence< uno::Reference<text::XTextRange> >& rLastCell = rLastRow[rLastRow.getLength() - 1]; - xEnd = rLastCell[1]; + if (rLastRow.getLength()) + { + uno::Sequence< uno::Reference<text::XTextRange> >& rLastCell = rLastRow[rLastRow.getLength() - 1]; + xEnd = rLastCell[1]; + } } uno::Reference<text::XTextTable> xTable; try commit 592a409e2d1f45e02f5a7e95df965edbcc7966ca Author: Caolán McNamara <[email protected]> AuthorDate: Tue Aug 14 15:22:58 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:12:38 2019 +0200 tdf#117086 crash on deleted SwFootnoteBossFrame use SwFrameDeleteGuard to lock pOldBoss to exist over the range its directly accessed Change-Id: I68af80114a380f68b86cbc78278fb9e5e87cccce Reviewed-on: https://gerrit.libreoffice.org/59113 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit d1b9cbe749fc3329bda1e8ddaee6d8a6f783ad82) diff --git a/sw/source/core/layout/flowfrm.cxx b/sw/source/core/layout/flowfrm.cxx index 14a6ad91eac9..8d286bd00668 100644 --- a/sw/source/core/layout/flowfrm.cxx +++ b/sw/source/core/layout/flowfrm.cxx @@ -1858,6 +1858,8 @@ bool SwFlowFrame::MoveFwd( bool bMakePage, bool bPageBreak, bool bMoveAlways ) } } + std::unique_ptr<SwFrameDeleteGuard> xDeleteGuard(bMakePage ? new SwFrameDeleteGuard(pOldBoss) : nullptr); + bool bSamePage = true; SwLayoutFrame *pNewUpper = m_rThis.GetLeaf( bMakePage ? MAKEPAGE_INSERT : MAKEPAGE_NONE, true ); @@ -1896,6 +1898,8 @@ bool SwFlowFrame::MoveFwd( bool bMakePage, bool bPageBreak, bool bMoveAlways ) pOldBoss = pOldBoss->FindFootnoteBossFrame( true ); SwPageFrame* pNewPage = pOldPage; + xDeleteGuard.reset(); + // First, we move the footnotes. bool bFootnoteMoved = false; commit 5a62f5dff60ed56d2c0ad72ded5bdfe59bb9a72c Author: Caolán McNamara <[email protected]> AuthorDate: Fri Aug 17 08:47:19 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:12:30 2019 +0200 ofz#9934 null deref Change-Id: I6833ad8a556b561a37e468da8845914cabfac4c5 Reviewed-on: https://gerrit.libreoffice.org/59249 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 4fb7390956a193e00c1b599129b89933c41f98ae) diff --git a/sw/qa/core/data/ooxml/fail/ofz9934-1.docx b/sw/qa/core/data/ooxml/fail/ofz9934-1.docx new file mode 100644 index 000000000000..b97afaee8d3f Binary files /dev/null and b/sw/qa/core/data/ooxml/fail/ofz9934-1.docx differ diff --git a/writerfilter/source/dmapper/DomainMapper_Impl.cxx b/writerfilter/source/dmapper/DomainMapper_Impl.cxx index 59c4659639c9..80667d52d8be 100644 --- a/writerfilter/source/dmapper/DomainMapper_Impl.cxx +++ b/writerfilter/source/dmapper/DomainMapper_Impl.cxx @@ -1468,8 +1468,9 @@ void DomainMapper_Impl::appendOLE( const OUString& rStreamName, const OLEHandler if (!m_aAnchoredStack.empty()) m_aAnchoredStack.top( ).bToRemove = true; RemoveLastParagraph(); - m_aTextAppendStack.pop(); - + SAL_WARN_IF(m_aTextAppendStack.empty(), "writerfilter.dmapper", "no text stack"); + if (!m_aTextAppendStack.empty()) + m_aTextAppendStack.pop(); appendTextContent( xOLE, uno::Sequence< beans::PropertyValue >() ); commit 4a9108938b63e03e682859300da8afb63dd48321 Author: Caolán McNamara <[email protected]> AuthorDate: Thu Aug 16 14:24:46 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:12:14 2019 +0200 tdf#119224 start and end are expected to exist for the scope of this function Reviewed-on: https://gerrit.libreoffice.org/59179 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 81818670fe90fca438dfb0c22903474745112cfe) Change-Id: I771bce68a2ac923af6a7d54646a2c59ce6f10f7e diff --git a/sw/source/core/layout/trvlfrm.cxx b/sw/source/core/layout/trvlfrm.cxx index e4b93bf0ef80..99f7b9ececb5 100644 --- a/sw/source/core/layout/trvlfrm.cxx +++ b/sw/source/core/layout/trvlfrm.cxx @@ -2001,13 +2001,15 @@ void SwRootFrame::CalcFrameRects(SwShellCursor &rCursor) //First obtain the ContentFrames for the start and the end - those are needed //anyway. - SwContentFrame const* pStartFrame = pStartPos->nNode.GetNode(). + SwContentFrame* pStartFrame = pStartPos->nNode.GetNode(). GetContentNode()->getLayoutFrame( this, &rCursor.GetSttPos(), pStartPos ); - SwContentFrame const* pEndFrame = pEndPos->nNode.GetNode(). + SwContentFrame* pEndFrame = pEndPos->nNode.GetNode(). GetContentNode()->getLayoutFrame( this, &rCursor.GetEndPos(), pEndPos ); - OSL_ENSURE( (pStartFrame && pEndFrame), "Keine ContentFrames gefunden." ); + assert(pStartFrame && pEndFrame && "No ContentFrames found."); + //tdf#119224 start and end are expected to exist for the scope of this function + SwFrameDeleteGuard aStartFrameGuard(pStartFrame), aEndFrameGuard(pEndFrame); //Do not subtract the FlyFrames in which selected Frames lie. SwSortedObjs aSortObjs; commit 0cf6c96be521afb08fee284740a92b4255bacd4e Author: Caolán McNamara <[email protected]> AuthorDate: Wed Aug 15 09:16:54 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:10:53 2019 +0200 ofz#9892 Null-dereference Change-Id: I8ab1948e5760da365bdddaf45955912a18b20ead Reviewed-on: https://gerrit.libreoffice.org/59056 Tested-by: Jenkins Reviewed-by: Christian Lohmaier <[email protected]> (cherry picked from commit a0aea0b22a5ceb31b69407be6b74506194d44134) diff --git a/oox/source/drawingml/shapecontext.cxx b/oox/source/drawingml/shapecontext.cxx index 404656b54e66..462518790e4c 100644 --- a/oox/source/drawingml/shapecontext.cxx +++ b/oox/source/drawingml/shapecontext.cxx @@ -100,7 +100,9 @@ ContextHandlerRef ShapeContext::onCreateContext( sal_Int32 aElementToken, const } case XML_txXfrm: { - mpShapePtr->getTextBody()->getTextProperties().moRotation = rAttribs.getInteger( XML_rot ); + const TextBodyPtr& rShapePtr = mpShapePtr->getTextBody(); + if (rShapePtr) + rShapePtr->getTextProperties().moRotation = rAttribs.getInteger( XML_rot ); return nullptr; } case XML_cNvSpPr: commit 7167ca3d26266a9ac78bda64cd374ed7cd038e58 Author: Caolán McNamara <[email protected]> AuthorDate: Mon Aug 13 09:20:19 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:10:42 2019 +0200 crashtesting: empty B2DRange range turned into oversized Rectangle with document ooo47086-1.xls Reviewed-on: https://gerrit.libreoffice.org/58921 Tested-by: Jenkins Reviewed-by: Christian Lohmaier <[email protected]> (cherry picked from commit eabb2bf06aba0de81a6d1e7715859fa63379325b) Change-Id: Ia43b6b3e3951875280892138c7068348f1b56a7c diff --git a/svx/source/svdraw/svdopath.cxx b/svx/source/svdraw/svdopath.cxx index 8742e9b961ce..ddd8a57dd3b2 100644 --- a/svx/source/svdraw/svdopath.cxx +++ b/svx/source/svdraw/svdopath.cxx @@ -1698,6 +1698,9 @@ static Rectangle lcl_ImpGetBoundRect(const basegfx::B2DPolyPolygon& rPolyPolygon { basegfx::B2DRange aRange(basegfx::tools::getRange(rPolyPolygon)); + if (aRange.isEmpty()) + return Rectangle(); + return Rectangle( FRound(aRange.getMinX()), FRound(aRange.getMinY()), FRound(aRange.getMaxX()), FRound(aRange.getMaxY())); commit d1107111405021ff1c3ce97e2d35533188536b26 Author: Caolán McNamara <[email protected]> AuthorDate: Wed Aug 1 08:55:23 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:09:50 2019 +0200 forcepoint#55 invalid iterator increment Change-Id: I151602f645a48404d93e0ae64a9e1d2a6ba2bc4b Reviewed-on: https://gerrit.libreoffice.org/58386 Tested-by: Jenkins Reviewed-by: Markus Mohrhard <[email protected]> (cherry picked from commit 26300f5d4c4e6241baf8cadcfea094e7969814a5) diff --git a/sc/source/core/data/column3.cxx b/sc/source/core/data/column3.cxx index 75123a3765cf..37007239ed3a 100644 --- a/sc/source/core/data/column3.cxx +++ b/sc/source/core/data/column3.cxx @@ -3063,6 +3063,8 @@ public: if (xCurGrp) { // Move to the cell after the last cell of the current group. + if (xCurGrp->mnLength > std::distance(it, itEnd)) + throw css::lang::IllegalArgumentException(); std::advance(it, xCurGrp->mnLength); nRow += xCurGrp->mnLength; } commit c016121ecf407188c38f08e937dde3f95a19d897 Author: Caolán McNamara <[email protected]> AuthorDate: Wed Aug 1 09:18:16 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:09:26 2019 +0200 forcepoint#57 sanity check stream signature size Change-Id: I5ae459e159a64f32c62278a87e37deb08ab9d6ac Reviewed-on: https://gerrit.libreoffice.org/58448 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 8ed224599ae7985b577f0bf737b2b9b2e8dd47b7) diff --git a/xmlsecurity/source/helper/xmlsignaturehelper.cxx b/xmlsecurity/source/helper/xmlsignaturehelper.cxx index 36a6117c29a0..58934286b59c 100644 --- a/xmlsecurity/source/helper/xmlsignaturehelper.cxx +++ b/xmlsecurity/source/helper/xmlsignaturehelper.cxx @@ -378,21 +378,25 @@ bool XMLSignatureHelper::ReadAndVerifySignatureStorage(const uno::Reference<embe if (!bCacheLastSignature && i == aRelationsInfo.getLength() - 1) bCache = false; - if (bCache) + if (!bCache) + continue; + // Store the contents of the stream as is, in case we need to write it back later. + xInputStream.clear(); + xInputStream.set(xStorage->openStreamElement(it->Second, nOpenMode), uno::UNO_QUERY); + uno::Reference<beans::XPropertySet> xPropertySet(xInputStream, uno::UNO_QUERY); + if (!xPropertySet.is()) + continue; + + sal_Int64 nSize = 0; + xPropertySet->getPropertyValue("Size") >>= nSize; + if (nSize < 0 || nSize > SAL_MAX_INT32) { - // Store the contents of the stream as is, in case we need to write it back later. - xInputStream.clear(); - xInputStream.set(xStorage->openStreamElement(it->Second, nOpenMode), uno::UNO_QUERY); - uno::Reference<beans::XPropertySet> xPropertySet(xInputStream, uno::UNO_QUERY); - if (xPropertySet.is()) - { - sal_Int64 nSize = 0; - xPropertySet->getPropertyValue("Size") >>= nSize; - uno::Sequence<sal_Int8> aData; - xInputStream->readBytes(aData, nSize); - mpXSecController->setSignatureBytes(aData); - } + SAL_WARN("xmlsecurity.helper", "bogus signature size: " << nSize); + continue; } + uno::Sequence<sal_Int8> aData; + xInputStream->readBytes(aData, nSize); + mpXSecController->setSignatureBytes(aData); } } } commit d22d3c7a8b93fb5b8af1d47bebad3ff927b41c14 Author: Caolán McNamara <[email protected]> AuthorDate: Wed Aug 1 11:48:30 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:09:17 2019 +0200 forcepoint#64 null deref Change-Id: I4acf03a7911aa203fc4ef10b6a96b0135d6adbbc Reviewed-on: https://gerrit.libreoffice.org/58415 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit a5b84a6888deaa406786b350a0adcf9ef9020f48) diff --git a/sc/source/filter/xml/XMLTableShapeImportHelper.cxx b/sc/source/filter/xml/XMLTableShapeImportHelper.cxx index 83751e0a7eb6..cb6c8ceaf4bf 100644 --- a/sc/source/filter/xml/XMLTableShapeImportHelper.cxx +++ b/sc/source/filter/xml/XMLTableShapeImportHelper.cxx @@ -197,7 +197,7 @@ void XMLTableShapeImportHelper::finishShape( // the group Point aStartPoint( rShape->getPosition().X,rShape->getPosition().Y ); uno::Reference< drawing::XShape > xChild( rShapes, uno::UNO_QUERY ); - if (SvxShape* pGroupShapeImp = SvxShape::getImplementation( lcl_getTopLevelParent( xChild ) )) + if (SvxShape* pGroupShapeImp = xChild.is() ? SvxShape::getImplementation(lcl_getTopLevelParent(xChild)) : nullptr) { if (SdrObject *pSdrObj = pGroupShapeImp->GetSdrObject()) { commit 0715aad2ef2a7a0905cbcbb9278ccf904ed7e3b6 Author: Caolán McNamara <[email protected]> AuthorDate: Wed Aug 1 11:36:01 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:09:10 2019 +0200 forcepoint#63 null deref Change-Id: Ib22ff870cd0d8cdd2350b2aa8698f5a2e3866bdc Reviewed-on: https://gerrit.libreoffice.org/58411 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 9a0e5aeca5a118e748e625f6ecbd49a497b8e232) diff --git a/filter/source/xsltfilter/OleHandler.cxx b/filter/source/xsltfilter/OleHandler.cxx index 2f2bd04f9eef..057b69ada620 100644 --- a/filter/source/xsltfilter/OleHandler.cxx +++ b/filter/source/xsltfilter/OleHandler.cxx @@ -97,7 +97,7 @@ namespace XSLT OString SAL_CALL OleHandler::encodeSubStorage(const OUString& streamName) { - if (!m_storage->hasByName(streamName)) + if (!m_storage || !m_storage->hasByName(streamName)) { return "Not Found:";// + streamName; } commit fc3f1d01108125829332830f765f0950ad35dad8 Author: Caolán McNamara <[email protected]> AuthorDate: Wed Aug 1 11:31:21 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:09:04 2019 +0200 forcepoint#62 null deref Change-Id: I255aeb96c3763aa106128d3463e4fd55395ef8b8 Reviewed-on: https://gerrit.libreoffice.org/58409 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 9e434f2f5ad61092ee685369bce93d90a28db149) diff --git a/writerfilter/source/dmapper/DomainMapper_Impl.cxx b/writerfilter/source/dmapper/DomainMapper_Impl.cxx index b9ff4c2946e8..59c4659639c9 100644 --- a/writerfilter/source/dmapper/DomainMapper_Impl.cxx +++ b/writerfilter/source/dmapper/DomainMapper_Impl.cxx @@ -4616,7 +4616,7 @@ void DomainMapper_Impl::PopFieldContext() else { FormControlHelper::Pointer_t pFormControlHelper(pContext->getFormControlHelper()); - if (pFormControlHelper.get() != nullptr && pFormControlHelper->hasFFDataHandler() ) + if (pFormControlHelper.get() != nullptr && pFormControlHelper->hasFFDataHandler() && xCrsr.is()) { uno::Reference< text::XFormField > xFormField( pContext->GetFormField() ); xToInsert.set(xFormField, uno::UNO_QUERY); @@ -4632,7 +4632,7 @@ void DomainMapper_Impl::PopFieldContext() pFormControlHelper->insertControl(xTxtRange); } } - else if(!pContext->GetHyperlinkURL().isEmpty()) + else if (!pContext->GetHyperlinkURL().isEmpty() && xCrsr.is()) { xCrsr->gotoEnd( true ); commit d5f30b138a2d33eecddeef0bcb2803d09c1df84a Author: Caolán McNamara <[email protected]> AuthorDate: Wed Aug 1 10:19:52 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:08:58 2019 +0200 forcepoint#58 null deref Change-Id: I826890ec85a16bc05fc1e4cd068079b0f8734d07 Reviewed-on: https://gerrit.libreoffice.org/58394 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 8cee73aae9bca3a94aa7a0aa3bfa82b593d4c3c7) diff --git a/writerfilter/source/rtftok/rtfsdrimport.cxx b/writerfilter/source/rtftok/rtfsdrimport.cxx index 9668b473fea0..02916c9d526c 100644 --- a/writerfilter/source/rtftok/rtfsdrimport.cxx +++ b/writerfilter/source/rtftok/rtfsdrimport.cxx @@ -1073,6 +1073,8 @@ void RTFSdrImport::append(const OUString& aKey, const OUString& aValue) void RTFSdrImport::appendGroupProperty(const OUString& aKey, const OUString& aValue) { + if (m_aParents.empty()) + return; uno::Reference<drawing::XShape> xShape(m_aParents.top(), uno::UNO_QUERY); if (xShape.is()) applyProperty(xShape, aKey, aValue); commit e63e300ac42faa7df52cf2bc7b62226be6b8e1ee Author: Caolán McNamara <[email protected]> AuthorDate: Wed Aug 1 09:04:58 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:08:51 2019 +0200 forcepoint#56 null deref Change-Id: Iaa9c4d6901a340145412fa46eaf5c292c3fb62e8 Reviewed-on: https://gerrit.libreoffice.org/58387 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 0845c1a74aef650b4aebaeea9587b3bfb5b38ffb) diff --git a/writerfilter/source/dmapper/DomainMapper_Impl.cxx b/writerfilter/source/dmapper/DomainMapper_Impl.cxx index 02b954e0922c..b9ff4c2946e8 100644 --- a/writerfilter/source/dmapper/DomainMapper_Impl.cxx +++ b/writerfilter/source/dmapper/DomainMapper_Impl.cxx @@ -2730,15 +2730,17 @@ void DomainMapper_Impl::PushFieldContext() TagLogger::getInstance().element("pushFieldContext"); #endif - uno::Reference< text::XTextAppend > xTextAppend; + uno::Reference<text::XTextCursor> xCrsr; if (!m_aTextAppendStack.empty()) - xTextAppend = m_aTextAppendStack.top().xTextAppend; - uno::Reference< text::XTextRange > xStart; - if (xTextAppend.is()) { - uno::Reference< text::XTextCursor > xCrsr = xTextAppend->createTextCursorByRange( xTextAppend->getEnd() ); - xStart = xCrsr->getStart(); + uno::Reference<text::XTextAppend> xTextAppend = m_aTextAppendStack.top().xTextAppend; + if (xTextAppend.is()) + xCrsr = xTextAppend->createTextCursorByRange(xTextAppend->getEnd()); } + + uno::Reference< text::XTextRange > xStart; + if (xCrsr.is()) + xStart = xCrsr->getStart(); m_aFieldStack.push( std::make_shared<FieldContext>( xStart ) ); } /*------------------------------------------------------------------------- commit e673fc6319ed4962d096d170b8ca875c9170228f Author: Caolán McNamara <[email protected]> AuthorDate: Tue Jun 12 12:14:36 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 12:00:54 2019 +0200 forcepoint#45 object may not be a EMFPPen Change-Id: Ifb5c17e13faf6e9d246e1668ef7916957a5296b6 Reviewed-on: https://gerrit.libreoffice.org/55679 Tested-by: Jenkins Reviewed-by: Eike Rathke <[email protected]> (cherry picked from commit d5db9b8a8f99bed76c9a3e195a28049d677610a9) diff --git a/cppcanvas/source/mtfrenderer/emfplus.cxx b/cppcanvas/source/mtfrenderer/emfplus.cxx index 2ffe02e8b815..3c4819527dfc 100644 --- a/cppcanvas/source/mtfrenderer/emfplus.cxx +++ b/cppcanvas/source/mtfrenderer/emfplus.cxx @@ -1608,7 +1608,7 @@ namespace cppcanvas void ImplRenderer::EMFPPlusDrawPolygon (const ::basegfx::B2DPolyPolygon& polygon, const ActionFactoryParameters& rParms, OutDevState& rState, const CanvasSharedPtr& rCanvas, sal_uInt32 penIndex) { - EMFPPen* pen = static_cast<EMFPPen*>( aObjects [penIndex & 0xff] ); + EMFPPen* pen = dynamic_cast<EMFPPen*>( aObjects [penIndex & 0xff] ); SAL_WARN_IF( !pen, "cppcanvas.emf", "emf+ missing pen" ); commit 9d9d991f7dc578856acd90891e0a142985b33273 Author: Caolán McNamara <[email protected]> AuthorDate: Mon May 14 16:50:30 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 11:59:05 2019 +0200 ofz#7322 lcl_MarkEqualByStart sort logic differs from that of operator== when it encounters a SwPosition with a SwIndex nContent whose m_pIndexReg is null and compares to one whose m_pIndexReg is not null, where both have an m_nIndex of 0. operator== considers them different, while lcl_MarkEqualByStart doesn't care and sorts them as equal Change-Id: I29920b98c9e6f395487de1b9cafa6b1282b2b1b6 Reviewed-on: https://gerrit.libreoffice.org/54342 Tested-by: Jenkins <[email protected]> Reviewed-by: Miklos Vajna <[email protected]> (cherry picked from commit b3aece104b886618552828c168a1b51b3290f38f) diff --git a/sw/qa/core/data/ww8/indeterminate/ofz7322-1.doc b/sw/qa/core/data/ww8/indeterminate/ofz7322-1.doc new file mode 100644 index 000000000000..5f4858849acf Binary files /dev/null and b/sw/qa/core/data/ww8/indeterminate/ofz7322-1.doc differ diff --git a/sw/source/core/doc/docbm.cxx b/sw/source/core/doc/docbm.cxx index 99eec9fe1e37..50aafd09c6a7 100644 --- a/sw/source/core/doc/docbm.cxx +++ b/sw/source/core/doc/docbm.cxx @@ -224,6 +224,13 @@ namespace return false; } + bool lcl_MarkEqualByStart(const IDocumentMarkAccess::pMark_t& rpFirst, + const IDocumentMarkAccess::pMark_t& rpSecond) + { + return !lcl_MarkOrderingByStart(rpFirst, rpSecond) && + !lcl_MarkOrderingByStart(rpSecond, rpFirst); + } + IDocumentMarkAccess::iterator_t lcl_FindMark( IDocumentMarkAccess::container_t& rMarks, const IDocumentMarkAccess::pMark_t& rpMarkToFind) @@ -234,7 +241,7 @@ namespace // since there are usually not too many marks on the same start // position, we are not doing a bisect search for the upper bound // but instead start to iterate from pMarkLow directly - while(ppCurrentMark != rMarks.end() && **ppCurrentMark == *rpMarkToFind) + while (ppCurrentMark != rMarks.end() && lcl_MarkEqualByStart(*ppCurrentMark, rpMarkToFind)) { if(ppCurrentMark->get() == rpMarkToFind.get()) { commit 081a7bfe8cd01bb229b567fec22aafd6e2fcba22 Author: Caolán McNamara <[email protected]> AuthorDate: Fri May 11 09:27:49 2018 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 11:58:58 2019 +0200 Related: ofz#8226 + valgrind: uninitialized value Change-Id: I63dea876dffe2d9e17b506dbd8515da2d97fbf08 Reviewed-on: https://gerrit.libreoffice.org/54114 Reviewed-by: Michael Stahl <[email protected]> Tested-by: Jenkins <[email protected]> (cherry picked from commit 0ec74577a97ca51d50e0f3782c289c95c6430641) diff --git a/starmath/source/mathtype.cxx b/starmath/source/mathtype.cxx index 1e107158b9df..74d7b44fd807 100644 --- a/starmath/source/mathtype.cxx +++ b/starmath/source/mathtype.cxx @@ -2842,7 +2842,7 @@ void MathType::HandleSetSize() bool MathType::HandleChar(sal_Int32 &rTextStart, int &rSetSize, int nLevel, sal_uInt8 nTag, sal_uInt8 nSelector, sal_uInt8 nVariation, bool bSilent) { - sal_Unicode nChar; + sal_Unicode nChar(0); bool bRet = true; if (xfAUTO(nTag)) @@ -2855,7 +2855,7 @@ bool MathType::HandleChar(sal_Int32 &rTextStart, int &rSetSize, int nLevel, pS->ReadUChar( nTypeFace ); if (nVersion < 3) { - sal_uInt8 nChar8; + sal_uInt8 nChar8(0); pS->ReadUChar( nChar8 ); nChar = nChar8; } commit 6579c170fae4e64f3dcc2faad38a61e39f387b95 Author: Caolán McNamara <[email protected]> AuthorDate: Mon Mar 12 14:13:23 2018 +0000 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 11:56:58 2019 +0200 forcepoint #27 check region bands loaded from stream for consistency Reviewed-on: https://gerrit.libreoffice.org/51145 Tested-by: Jenkins <[email protected]> Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 2a63eb8ba642b58814f8a78ba65a2c537aa97cdf) Change-Id: I92376b5fb4208c78fa25a94d4dd394256793161c diff --git a/vcl/inc/regionband.hxx b/vcl/inc/regionband.hxx index 91a13ebffcbf..11a19314a2f5 100644 --- a/vcl/inc/regionband.hxx +++ b/vcl/inc/regionband.hxx @@ -36,6 +36,7 @@ private: ImplRegionBand* mpLastCheckedBand; void implReset(); + SAL_WARN_UNUSED_RESULT bool CheckConsistency() const; public: RegionBand(); @@ -46,7 +47,7 @@ public: bool operator==( const RegionBand& rRegionBand ) const; - void load(SvStream& rIStrm); + SAL_WARN_UNUSED_RESULT bool load(SvStream& rIStrm); void save(SvStream& rIStrm) const; bool isSingleRectangle() const; diff --git a/vcl/source/gdi/region.cxx b/vcl/source/gdi/region.cxx index e9f5c424f643..aad2bfd3ec24 100644 --- a/vcl/source/gdi/region.cxx +++ b/vcl/source/gdi/region.cxx @@ -1593,7 +1593,7 @@ SvStream& ReadRegion(SvStream& rIStrm, vcl::Region& rRegion) default: { RegionBand* pNewRegionBand = new RegionBand(); - pNewRegionBand->load(rIStrm); + bool bSuccess = pNewRegionBand->load(rIStrm); rRegion.mpRegionBand.reset(pNewRegionBand); if(aCompat.GetVersion() >= 2) @@ -1610,6 +1610,12 @@ SvStream& ReadRegion(SvStream& rIStrm, vcl::Region& rRegion) } } + if (!bSuccess) + { + SAL_WARN("vcl.gdi", "bad region band"); + rRegion.SetNull(); + } + break; } } diff --git a/vcl/source/gdi/regionband.cxx b/vcl/source/gdi/regionband.cxx index 911c1dddf17d..692a77c623c9 100644 --- a/vcl/source/gdi/regionband.cxx +++ b/vcl/source/gdi/regionband.cxx @@ -190,7 +190,7 @@ bool RegionBand::operator==( const RegionBand& rRegionBand ) const enum StreamEntryType { STREAMENTRY_BANDHEADER, STREAMENTRY_SEPARATION, STREAMENTRY_END }; -void RegionBand::load(SvStream& rIStrm) +bool RegionBand::load(SvStream& rIStrm) { // clear this instance data implReset(); @@ -203,14 +203,14 @@ void RegionBand::load(SvStream& rIStrm) rIStrm.ReadUInt16(nTmp16); if (STREAMENTRY_END == (StreamEntryType)nTmp16) - return; + return false; size_t nRecordsPossible = rIStrm.remainingSize() / (2*sizeof(sal_Int32)); if (!nRecordsPossible) { OSL_ENSURE(false, "premature end of region stream" ); implReset(); - return; + return false; } do @@ -259,13 +259,19 @@ void RegionBand::load(SvStream& rIStrm) { OSL_ENSURE(false, "premature end of region stream" ); implReset(); - return; + return false; } // get next header rIStrm.ReadUInt16( nTmp16 ); } while (STREAMENTRY_END != (StreamEntryType)nTmp16 && rIStrm.good()); + if (!CheckConsistency()) + { + implReset(); + return false; + } + return true; } void RegionBand::save(SvStream& rOStrm) const @@ -1155,6 +1161,19 @@ bool RegionBand::Exclude(const RegionBand& rSource) return true; } +bool RegionBand::CheckConsistency() const +{ + // look in the band list (don't test first band again!) + const ImplRegionBand* pBand = mpFirstBand->mpNextBand; + while (pBand) + { + if (!pBand->mpFirstSep) + return false; + pBand = pBand->mpNextBand; + } + return true; +} + Rectangle RegionBand::GetBoundRect() const { commit 6979f785763708c4149f09a8410a988ec07974ba Author: Caolán McNamara <[email protected]> AuthorDate: Thu Mar 8 21:25:28 2018 +0000 Commit: Andras Timar <[email protected]> CommitDate: Thu Aug 22 11:56:03 2019 +0200 forcepoint #21 pop on empty stack Thanks to Antti Levomäki and Christian Jalio from Forcepoint. Reviewed-on: https://gerrit.libreoffice.org/51115 Reviewed-by: Michael Stahl <[email protected]> Tested-by: Jenkins <[email protected]> (cherry picked from commit 3686a3fc1b2eaee53b1ab32f33455b2b37aa8c6e) Change-Id: I25b1c6361fb0a3ae6b01f2be870c9e1b49bf5b84 diff --git a/sw/qa/core/data/rtf/fail/forcepoint-4.rtf b/sw/qa/core/data/rtf/fail/forcepoint-4.rtf new file mode 100755 index 000000000000..ccd04d451b10 --- /dev/null +++ b/sw/qa/core/data/rtf/fail/forcepoint-4.rtf @@ -0,0 +1,1779 @@ +{\rtf1\ansi \deff4\deflang1033{\fonttbl{\f0\froman\fcharset0\fprq2 Tms Rmn;}{\f1\froman\fcharset2\fprq2 Symbol;}{\f2\fswiss\fcharset0\fprq2 Helv{\*\falt Arial};}{\f3\fmodern\fcharset0\fprq1 Courier;} +{\f4\froman\fcharset0\fprq2 Times New Roman;}{\f5\fswiss\fcharset0\fprq2 Arial;}{\f6\froman\fcharset0\fprq2 MS Serif;}{\f7\fswiss\fcharset0\fprq2 MS Sans Serif;}{\f8\froman\fcharset0\fprq2 Times;}{\f9\fswiss\fcharset0\fprq2 Helvetica;} +{\f10\fswiss\fcharset0\fprq2 System;}{\f11\fmodern\fcharset0\fprq1 Courier New;}{\f12\froman\fcharset0\fprq2 New York;}{\f13\fswiss\fcharset0\fprq2 Geneva;}{\f14\fnil\fcharset2\fprq2 Marlett;}{\f15\fnil\fcharset2\fprq2 Wingdings;} +{\f16\fswiss\fcharset0\fprq2 Arial Narrow;}{\f17\fswiss\fcharset0\fprq2 Arial Black;}{\f18\froman\fcharset0\fprq2 Book Antiqua;}{\f19\froman\fcharset0\fprq2 Bookman Old Style;}{\f20\froman\fcharset0\fprq2 Century Schoolbook;} +{\f21\fnil\fcharset2\fprq2 Monotype Sorts;}{\f22\fswiss\fcharset0\fprq2 Haettenschweiler;}{\f23\froman\fcharset0\fprq2 Garamond;}{\f24\fmodern\fcharset2\fprq1 MS LineDraw;}{\f25\fswiss\fcharset0\fprq2 Helvetica-Narrow;} +{\f26\froman\fcharset255\fprq2 Roman;}{\f27\fscript\fcharset255\fprq2 Script;}{\f28\fmodern\fcharset255\fprq2 Modern;}{\f29\fswiss\fcharset0\fprq1 MS Dialog;}{\f30\froman\fcharset0\fprq2 Bookman{\*\falt Bookman Old Style};} +{\f31\fnil\fcharset0\fprq0 Times New Roman Monotype{\*\falt Times New Roman};}{\f32\fnil\fcharset0\fprq0 Stone Sans{\*\falt Times New Roman};}{\f33\froman\fcharset0\fprq2 Palatino;}{\f34\fnil\fcharset0\fprq0 Arial Monotype;}}{\colortbl;\red0\green0\blue0; +\red0\green0\blue255;\red0\green255\blue255;\red0\green255\blue0;\red255\green0\blue255;\red255\green0\blue0;\red255\green255\blue0;\red255\green255\blue255;\red0\green0\blue128;\red0\green128\blue128;\red0\green128\blue0;\red128\green0\blue128; +\red128\green0\blue0;\red128\green128\blue0;\red128\green128\blue128;\red192\green192\blue192;}{\stylesheet{\widctlpar \f4\fs20 \snext0 Normal;}{\s1\sb240\sa60\keepn\widctlpar{\*\pn \pnlvl1\pndec\pnprev1\pnstart1\pnsp144 {\pntxta .}}\b\f5\fs28\kerning28 +\sbasedon0\snext0 heading 1,H1;}{\s2\sb380\sa160\sl-320\slmult0\keepn\nowidctlpar\tqr\tx432\tx864{\*\pn \pnlvl2\pndec\pnprev1\pnstart1\pnsp144 }\b\f9\fs28\cf1 \sbasedon15\snext0 heading 2,H2;}{\s3\sb280\sa140\sl-280\slmult0 +\keepn\nowidctlpar\tqr\tx432\tx864{\*\pn \pnlvl3\pndec\pnprev1\pnstart1\pnsp144 {\pntxtb .}}\b\f9\cf1\kerning28 \sbasedon2\snext16 heading 3,H3;}{\s4\sb120\sa80\keep\keepn\widctlpar{\*\pn \pnlvl4\pndec\pnprev1\pnstart1\pnsp144 {\pntxtb .}} +\b\i\f9\fs20\kerning28 \sbasedon0\snext16 heading 4,H4;}{\s5\sb240\sa60\widctlpar{\*\pn \pnlvl5\pndec\pnprev1\pnstart1\pnsp144 {\pntxtb .}}\f5\fs22 \sbasedon0\snext0 heading 5,H5;}{\s6\sb240\sa60\widctlpar{\*\pn \pnlvl6\pndec\pnprev1\pnstart1\pnsp144 +{\pntxtb .}}\i\f5\fs22 \sbasedon0\snext0 heading 6,H6;}{\s7\sb240\sa60\widctlpar{\*\pn \pnlvl7\pndec\pnprev1\pnstart1\pnsp144 {\pntxtb .}}\f5\fs20 \sbasedon0\snext0 heading 7;}{\s8\sb240\sa60\widctlpar{\*\pn \pnlvl8\pndec\pnprev1\pnstart1\pnsp144 +{\pntxtb .}}\i\f5\fs20 \sbasedon0\snext0 heading 8;}{\s9\sb240\sa60\widctlpar{\*\pn \pnlvl9\pndec\pnprev1\pnstart1\pnsp144 {\pntxtb .}}\i\f5\fs18 \sbasedon0\snext0 heading 9;}{\*\cs10 \additive Default Paragraph Font;}{\s15\li864\sb100\sl-260\slmult0 +\nowidctlpar \f8\fs20\cf1 \snext15 T1.Text1;}{\s16\sa120\widctlpar \f4\fs20 \sbasedon0\snext16 Body Text;}{\s17\fi-288\li1655\sb100\sa100\sl-260\slmult0\keepn\nowidctlpar\tx1655 \f8\fs20\cf1 \snext17 A.A+List;}{ +\s18\fi-288\li1655\sb100\sa100\sl-260\slmult0\nowidctlpar\tx1655\tx1958 \f8\fs20\cf1 \snext18 A.AList;}{\s19\li1655\sb100\sa100\sl-260\slmult0\keepn\nowidctlpar\tx1655 \f31\fs20\cf1 \snext19 A.AList_nonum;}{\s20\qc\nowidctlpar \f8\fs4\cf1 \snext20 +anchorhldr;}{\s21\fi-792\li2015\sb100\sa100\sl-260\slmult0\nowidctlpar\tx2015 \f8\fs20\cf1 \snext21 b1.Bul_list;}{\s22\fi-289\li1224\sb100\sa100\sl-260\slmult0\nowidctlpar\tx1224\tldot\tx3685 \f8\fs20\cf1 \snext22 b1.Bullet1;}{ +\s23\fi-289\li1584\sb100\sa100\sl-260\slmult0\nowidctlpar\tx1584\tldot\tx3685 \f8\fs20\cf1 \snext23 b2.Bullet2;}{\s24\li864\sb100\sa140\sl-380\slmult0\keepn\nowidctlpar\tqr\tx432\tx864 \b\f9\fs36\cf1 \snext24 chptr_title;}{\s25\li1224\sb100\sl-200\slmult0 +\nowidctlpar\tx1440\tx1800\tx2160\tx2520\tx2880\tx3240\tx3600\tx3960\tx4320\tx4680\tx5040\tx5400\tx5760\tx6120\tx6480\tx6840\tx7200\tx7560\tx7920\tx8280\tx8640 \f3\fs16\cf1 \snext25 Code;}{\s26\fi-1008\li1007\sb100\sl-200\slmult0\nowidctlpar\tx1007 +\f3\fs18\cf1 \snext26 EN.EdNote;}{\s27\fi-1008\li1871\sb120\sa100\sl-200\slmult0\nowidctlpar\brdrb\brdrs\brdrw15 \tx1871 \f9\fs18\cf1 \snext27 Fg.Figure;}{\s28\fi-288\li1007\sa60\sl-180\slmult0\nowidctlpar\brdrt\brdrs\brdrw15 \tx1007 \f8\fs16\cf1 +\snext28 FN.Footnote;}{\s29\widctlpar\tqc\tx4320\tqr\tx8640 \f4\fs20 \sbasedon0\snext29 footer;}{\s30\fi-288\li1152\ri1152\sa60\sl200\slmult0\nowidctlpar\tx1152 \f8\fs16\cf1 \snext30 Footnote;}{\s31\li1295\sb100\sa100\sl-260\slmult0\nowidctlpar +\f8\fs20\cf1 \snext31 glosry_nxt;}{\s32\fi-432\li1295\sb100\sa100\sl-260\slmult0\nowidctlpar \f8\fs20\cf1 \snext32 glossary;}{\s33\sb120\sa120\sl-220\slmult0\keepn\nowidctlpar\tqr\tx432\tx864 \b\f9\fs20\cf1 \snext33 H1.Heading1;}{ +\s34\fi-865\li864\sb380\sa160\sl-320\slmult0\keepn\nowidctlpar\tqr\tx432\tx864 \b\f9\fs28\cf1 \snext34 H2.Heading2;}{\s35\fi-865\li864\sb280\sa140\sl-280\slmult0\keepn\nowidctlpar\tqr\tx432\tx864 \b\f9\cf1 \snext35 H3.Heading3;}{ +\s36\fi-865\li864\sb320\sa160\sl-320\slmult0\keepn\nowidctlpar\tqr\tx432\tx864 \b\f9\fs28\cf1 \snext36 H3.Heading3_top;}{\s37\fi-865\li864\sb240\sa160\sl-200\slmult0\keepn\nowidctlpar\tqr\tx432\tx864\tqr\tx8567 \b\f9\fs20\cf1 \snext37 H4.Heading4;}{ +\s38\li864\sb160\sa100\sl-180\slmult0\keepn\nowidctlpar\tqr\tx432\tx864 \b\f9\fs18\cf1 \snext38 H5.Heading5;}{\s39\li1440\sb100\sa100\sl-260\slmult0\nowidctlpar\tx1224\tldot\tx3685 \f8\fs20\cf1 \snext39 indent1;}{\s40\li864\sb100\sl-260\slmult0 +\nowidctlpar\brdrt\brdrs\brdrw15 \f8\fs20\cf1 \snext40 IR.Impl_Rec;}{\s41\fi-289\li1224\sb100\sa100\sl-260\slmult0\nowidctlpar\tx1224 \f8\fs20\cf1 \snext41 N.NList;}{\s42\li1224\sb100\sa100\sl-260\slmult0\nowidctlpar\tx1440 \f31\fs20\cf1 \snext42 +N.NList_nonum;}{\s43\fi-289\li1224\sb100\sa100\sl-260\slmult0\nowidctlpar\tx1224 \f8\fs20\cf1 \snext43 N/.NList=1;}{\s44\li576\sb120\sa200\sl-479\slmult0\keepn\nowidctlpar\tx576 \f31\fs43\cf1 \snext44 PrT.PrfcTitle;}{ +\s45\fi-288\li1152\ri1152\sa80\sl-200\slmult0\nowidctlpar\tx1152\tx1871 \f8\fs16\cf1 \snext45 TableFootnote;}{\s46\fi-1008\li1871\sb200\sa200\sl-200\slmult0\nowidctlpar\tx1871 \f9\fs18\cf1 \snext46 Tb.Table;}{\s47\qc\sb120\sl-180\slmult0 +\keepn\nowidctlpar \b\f9\fs16\cf1 \snext47 TbH.TblHdctr;}{\s48\sb140\sl-200\slmult0\keepn\nowidctlpar \b\f9\fs18\cf1 \snext48 TbH.TblHdLft;}{\s49\qr\sb140\sl-200\slmult0\keepn\nowidctlpar \b\f9\fs18\cf1 \snext49 TbH.TblHdRt;}{ +\s50\qc\sb180\sa120\sl-220\slmult0\nowidctlpar \f8\fs16\cf1 \snext50 TbT.TblTxtCtr;}{\s51\sb180\sa120\sl-220\slmult0\nowidctlpar\tx144 \f8\fs16\cf1 \snext51 TbT.TblTxtLft;}{\s52\qr\sb180\sa120\sl-220\slmult0\nowidctlpar \f8\fs16\cf1 \snext52 ... etc. - the rest is truncated _______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
