Issue 127045

Summary: Enforce Polygon API contracts at run-time
Product: Impress
Reporter: orcmid <orcmid>
Component: code
Assignee: orcmid <orcmid>
Status: CLOSED FIXED
QA Contact:
Severity: Major
Priority: P3
CC: pescetti
Version: 4.1.2
Target Milestone: ---
Hardware: All
OS: All
Issue Type: PATCH
Latest Confirmation in: ---
Developer Difficulty: ---
Attachments (Description, Flags):
Patch for guards against alteration of (default) read-only entries (Flags: none)
Updated Patch for Guarding against changes to (default) read-only entries. (Flags: none)

Description orcmid 2016-07-17 16:59:39 UTC
Details to follow
Comment 1 orcmid 2016-07-17 17:04:17 UTC
The PolyPoly and Polygon classes in the tools library APIs that are publicly available have usage contracts and constraints that are only enforced in debugging mode.  The APIs must be defended at run-time as well, enforcing a default behavior that allows operation to continue without failure.
Comment 2 orcmid 2016-07-18 20:21:36 UTC
Created attachment 85612
Patch for guards against alteration of (default) read-only entries

The appropriate treatment of PolyPolygon slots that have not been set is to treat them as having constant empty polygons that cannot be changed.  

This patch guards against runtime attempts to remove or replace such an entry.  The attempt is gracefully ignored without failing the application.

(Debug builds will detect such attempts if it becomes important to isolate a rendering problem or source of incorrect requests of the API.)
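
The guard described in comment 2, sketched as an added example; it is not the attached patch or Apache OpenOffice code. `ShapeList`, `Shape` and the `rejected()` counter are hypothetical names, and treating any index past the last appended entry as an unset slot is an assumption.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical stand-ins, not the tools library's Polygon/PolyPolygon.
using Shape = std::vector<int>;

class ShapeList {
public:
    // Slots that were never set read as one shared, constant empty shape.
    const Shape& get(std::size_t i) const {
        return i < items_.size() ? items_[i] : emptyShape();
    }
    void append(const Shape& s) { items_.push_back(s); }

    // Contract: i must name a set slot. Checked in every build type;
    // a violating request is dropped and the list is left untouched.
    bool replace(std::size_t i, const Shape& s) {
        if (!isSet(i, "replace")) return false;
        items_[i] = s;
        return true;
    }
    bool remove(std::size_t i) {
        if (!isSet(i, "remove")) return false;
        items_.erase(items_.begin() + static_cast<std::ptrdiff_t>(i));
        return true;
    }
    std::size_t count() const { return items_.size(); }
    unsigned rejected() const { return rejected_; }

private:
    static const Shape& emptyShape() {
        static const Shape kEmpty;
        return kEmpty;
    }
    bool isSet(std::size_t i, const char* op) {
        if (i < items_.size()) return true;
        ++rejected_;
#ifndef NDEBUG
        // Debug builds report the bad request so its caller can be found.
        std::fprintf(stderr, "ShapeList::%s: slot %zu is not set\n", op, i);
#else
        (void)op;
#endif
        return false;
    }
    std::vector<Shape> items_;
    unsigned rejected_ = 0;
};
```

A debug-only assertion in place of `isSet` would leave release builds writing or erasing outside the set entries, which is the gap comment 1 describes.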
Comment 3 orcmid 2016-07-20 04:52:59 UTC
Created attachment 85614
Updated Patch for Guarding against changes to (default) read-only entries.

Credit to Patricia Shanahan: This patch will work correctly with a working copy check-out of the Apache OpenOffice SVN trunk.
Comment 4 Andrea Pescetti 2016-09-03 21:08:00 UTC
Can we close this one? Everything is now released in source and binary form as per https://www.openoffice.org/security/cves/CVE-2016-1513.html (marking RESOLVED for the time being; feel free to close).
Comment 5 orcmid 2016-09-03 21:40:36 UTC
(In reply to Andrea Pescetti from comment #4)
> Can we close this one? Everything is now released in source and binary form
> as per https://www.openoffice.org/security/cves/CVE-2016-1513.html (marking
> RESOLVED for the time being; feel free to close).

There are remaining cases that didn't have to be fixed for CVE-2016-1513.  I need to review again and develop the complete set.
Comment 6 Andrea Pescetti 2016-09-03 22:03:14 UTC
Understood, thanks. Just to clarify the scope of the still pending developments, we do agree that https://www.openoffice.org/security/cves/CVE-2016-1513.html is addressed by the already committed patch, right?
Comment 7 Marcus 2016-10-07 10:03:10 UTC
This fix will be addressed in AOO 4.1.3 with SVN Rev. 1754535.
Comment 8 Marcus 2016-10-07 10:03:31 UTC
Fixed
Comment 9 Marcus 2016-10-07 11:15:59 UTC
Deleted the 4.1.3 blocker flag.

Actually the issue was no blocker for the 4.1.3 release as it was fixed earlier with the 4.1.2 hotfix. The SVN branch was created out of the 4.1.2 branch and therefore this fix was automatically included in the new branch.