From b63b8d61c1e6cf8dcb4db89a8dca92eb80452346 Mon Sep 17 00:00:00 2001
From: Caolán McNamara
Date: May 17 2012 10:15:55 +0000
Subject: CVE-2012-2334
---
diff --git a/CVE-2012-2334.patch b/CVE-2012-2334.patch
new file mode 100644
index 0000000..c72e398
--- /dev/null
+++ b/CVE-2012-2334.patch
@@ -0,0 +1,130 @@
+diff -ru libreoffice-3.3.4.1/filter/inc/filter/msfilter/msdffimp.hxx libreoffice-3.3.4.1/filter/inc/filter/msfilter/msdffimp.hxx
+--- libreoffice-3.3.4.1/filter/inc/filter/msfilter/msdffimp.hxx 2012-05-17 11:01:06.323446905 +0100
++++ libreoffice-3.3.4.1/filter/inc/filter/msfilter/msdffimp.hxx 2012-05-17 11:08:23.257229041 +0100
+@@ -77,9 +77,20 @@
+ FASTBOOL IsContainer() const { return nRecVer == DFF_PSFLAG_CONTAINER; }
+ ULONG GetRecBegFilePos() const { return nFilePos; }
+ ULONG GetRecEndFilePos() const { return nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen; }
+- void SeekToEndOfRecord(SvStream& rIn) const { rIn.Seek(nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen ); }
+- void SeekToContent( SvStream& rIn) const { rIn.Seek(nFilePos + DFF_COMMON_RECORD_HEADER_SIZE ); }
+- void SeekToBegOfRecord(SvStream& rIn) const { rIn.Seek( nFilePos ); }
++ bool SeekToEndOfRecord(SvStream& rIn) const
++ {
++ sal_Size nPos = nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen;
++ return nPos == rIn.Seek(nPos);
++ }
++ bool SeekToContent(SvStream& rIn) const
++ {
++ sal_Size nPos = nFilePos + DFF_COMMON_RECORD_HEADER_SIZE;
++ return nPos == rIn.Seek(nPos);
++ }
++ bool SeekToBegOfRecord(SvStream& rIn) const
++ {
++ return nFilePos == rIn.Seek(nFilePos);
++ }
+ 
+ MSFILTER_DLLPUBLIC friend SvStream& operator>>(SvStream& rIn, DffRecordHeader& rRec);
+ 
+diff -ru libreoffice-3.3.4.1/filter/source/msfilter/msdffimp.cxx libreoffice-3.3.4.1/filter/source/msfilter/msdffimp.cxx
+--- libreoffice-3.3.4.1/filter/source/msfilter/msdffimp.cxx 2012-05-17 11:01:06.231445683 +0100
++++ libreoffice-3.3.4.1/filter/source/msfilter/msdffimp.cxx 2012-05-17 11:10:34.159950744 +0100
+@@ -156,6 +156,11 @@
+ static sal_uInt32 nMSOleObjCntr = 0;
+ #define MSO_OLE_Obj "MSO_OLE_Obj"
+ 
++/*************************************************************************/
++bool lclGood(const SvStream &rStream)
++{
++ return rStream.GetError() == 0 && !rStream.IsEof();
++}
+ 
+ /*************************************************************************/
+ BOOL Impl_OlePres::Read( SvStream & rStm )
+@@ -3653,7 +3658,7 @@
+ rSt >> aEscherF002Hd;
+ ULONG nEscherF002End = aEscherF002Hd.GetRecEndFilePos();
+ DffRecordHeader aEscherObjListHd;
+- while ( rSt.Tell() < nEscherF002End )
++ while (lclGood(rSt) && rSt.Tell() < nEscherF002End)
+ {
+ rSt >> aEscherObjListHd;
+ if ( aEscherObjListHd.nRecVer != 0xf )
+@@ -3687,9 +3692,16 @@
+ FASTBOOL bRet = FALSE;
+ ULONG nFPosMerk = rSt.Tell(); // FilePos merken fuer ggf. spaetere Restauration
+ DffRecordHeader aHd;
++ // make sure that we move somewhere with every iteration
++ sal_Size nStPos;
+ do
+ {
++ nStPos = rSt.Tell();
+ rSt >> aHd;
++ if (!lclGood(rSt))
++ break;
++ if (aHd.nRecLen > nMaxLegalDffRecordLength)
++ break;
+ if ( aHd.nRecType == nRecId )
+ {
+ if ( nSkipCount )
+@@ -3704,9 +3716,13 @@
+ }
+ }
+ if ( !bRet )
+- aHd.SeekToEndOfRecord( rSt );
++ {
++ bool bSeekSuccess = aHd.SeekToEndOfRecord( rSt );
++ if (!bSeekSuccess)
++ break;
++ }
+ }
+- while ( rSt.GetError() == 0 && rSt.Tell() < nMaxFilePos && !bRet );
++ while ( lclGood(rSt) && rSt.Tell() < nMaxFilePos && rSt.Tell() != nStPos && !bRet );
+ if ( !bRet )
+ rSt.Seek( nFPosMerk ); // FilePos restaurieren
+ return bRet;
+@@ -6319,10 +6335,17 @@
+ 
+ if ( mnIdClusters-- > 2 )
+ {
+- if ( aDggAtomHd.nRecLen == ( mnIdClusters * sizeof( FIDCL ) + 16 ) )
++ const sal_Size nFIDCLsize = sizeof(sal_uInt32) * 2;
++ if ( aDggAtomHd.nRecLen == ( mnIdClusters * nFIDCLsize + 16 ) )
+ {
++ sal_Size nStCtrlCurr = rStCtrl.Tell();
++ sal_Size nStCtrlEnd = rStCtrl.Seek(STREAM_SEEK_TO_END);
++ sal_Size nMaxEntriesPossible = ( nStCtrlEnd - nStCtrlCurr ) / nFIDCLsize;
++ rStCtrl.Seek(nStCtrlCurr);
++ mnIdClusters = std::min(nMaxEntriesPossible, static_cast(mnIdClusters));
+ mpFidcls = new FIDCL[ mnIdClusters ];
+- for ( UINT32 i = 0; i < mnIdClusters; i++ )
++ memset(mpFidcls, 0, mnIdClusters * sizeof(FIDCL));
++ for (sal_uInt32 i = 0; i < mnIdClusters; ++i)
+ {
+ rStCtrl >> mpFidcls[ i ].dgid
+ >> mpFidcls[ i ].cspidCur;
+@@ -7181,7 +7203,11 @@
+ rSt >> nTmp >> rFbt >> rLength;
+ rVer = sal::static_int_cast< BYTE >(nTmp & 15);
+ rInst = nTmp >> 4;
+- return rSt.GetError() == 0;
++ if (!lclGood(rSt))
++ return false;
++ if (rLength > nMaxLegalDffRecordLength)
++ return false;
++ return true;
+ }
+ 
+ 
+diff -ru libreoffice-3.3.4.1/svx/inc/svx/msdffdef.hxx libreoffice-3.3.4.1/svx/inc/svx/msdffdef.hxx
+--- libreoffice-3.3.4.1/svx/inc/svx/msdffdef.hxx 2012-05-17 11:01:09.195485098 +0100
++++ libreoffice-3.3.4.1/svx/inc/svx/msdffdef.hxx 2012-05-17 11:10:15.627707282 +0100
+@@ -39,6 +39,9 @@
+ 
+ #define DFF_COMMON_RECORD_HEADER_SIZE 8
+ 
++const sal_uInt32 nMaxLegalDffRecordLength = \
++ SAL_MAX_UINT32 - DFF_COMMON_RECORD_HEADER_SIZE;
++ 
+ #define DFF_PSFLAG_CONTAINER 0x0F // If the version field of a record
+ // header takes on this value, the
+ // record header marks the start of
diff --git a/libreoffice.spec b/libreoffice.spec
index 18044ca..d49f8ad 100644
--- a/libreoffice.spec
+++ b/libreoffice.spec
@@ -173,6 +173,7 @@ Patch81: 0001-sw-fdo-39159-fdo-40482-temp-selection-print-doc.patch
 Patch82: 0001-fix-for-fdo-39773-crash-with-hidden-column-in-Data-F.patch
 Patch83: 0001-sw-fixed-a-crasher-fdo-32575.patch
 Patch84: CVE-2012-1149.patch
+Patch85: CVE-2012-2334.patch
 
 %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 %define instdir %{_libdir}
@@ -897,6 +898,7 @@ mv -f redhat.soc extras/source/palettes/standard.soc
 %patch82 -p1 -b .fdo39773-crash-with-hidden-column-in-Data-F.patch
 %patch83 -p1 -b .sw-fixed-a-crasher-fdo-32575.patch
 %patch84 -p1 -b .CVE-2012-1149.patch
+%patch85 -p1 -b .CVE-2012-2334.patch
 touch scripting/source/pyprov/delzip
 touch scripting/util/provider/beanshell/delzip
 
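Review bot: The new `SeekToEndOfRecord` in the msdffimp.hxx hunk computes `nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen` in a `sal_Size`, and the `nMaxLegalDffRecordLength` bound from the msdffdef.hxx hunk only reserves room for the 8-byte header, so where `sal_Size` is 32 bits a large `nRecLen` added to a non-zero `nFilePos` can still wrap to a position before the record; that wrapped position lies inside the already-read part of the stream, so `rIn.Seek()` presumably succeeds and `nPos == rIn.Seek(nPos)` reports success even though the caller has moved backwards. The `SeekToRec` loop in the -3687/-3704 hunks is covered by its new `rSt.Tell() != nStPos` guard, but any other caller of `SeekToEndOfRecord` that relies only on the return value is not, and the unchanged `GetRecEndFilePos`, used as the loop bound in the -3653 hunk, has the same arithmetic. I would reject the wrap in the wrapper itself: `sal_Size nPos = nFilePos + DFF_COMMON_RECORD_HEADER_SIZE + nRecLen;` / `if (nPos < nFilePos) return false; // sum wrapped: record end would precede its start` / `return nPos == rIn.Seek(nPos);`. Separately, `lclGood` in the -156 hunk is a non-static free function in a .cxx and therefore has external linkage; `static bool lclGood(const SvStream &rStream)` keeps it file-local as its `lcl` prefix suggests.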
@@ -2259,7 +2261,7 @@ update-desktop-database %{_datadir}/applications &> /dev/null || :
 
 %changelog
 * Thu May 17 2012 Caolán McNamara 1:3.3.4.1-5
-- Resolves: rhbz#822216 CVE-2012-1149
+- Resolves: rhbz#822216 CVE-2012-1149, CVE-2012-2334
 
 * Tue Apr 24 2012 Caolán McNamara 1:3.3.4.1-4
 - bump n-v-r