Issue 127045 - Enforce Polygon API contracts at run-time
Summary: Enforce Polygon API contracts at run-time
Status: CLOSED FIXED
Alias: None
Product: Impress
Classification: Application
Component: code (show other issues)
Version: 4.1.2
Hardware: All All
: P3 Major (vote)
Target Milestone: ---
Assignee: orcmid
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-17 16:59 UTC by orcmid
Modified: 2016-10-21 14:13 UTC (History)
1 user (show)

See Also:
Issue Type: PATCH
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments
Patch for guards against alteration of (default) read-only entries (991 bytes, patch)
2016-07-18 20:21 UTC, orcmid
no flags Details | Diff
Updated Patch for Guarding against changes to (default) read-only entries. (991 bytes, patch)
2016-07-20 04:52 UTC, orcmid
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this issue.
Description orcmid 2016-07-17 16:59:39 UTC
Details to follow
Comment 1 orcmid 2016-07-17 17:04:17 UTC
The PolyPoly and Polygon classes in the tools library APIs that are publicly available have usage contracts and constraints that are only enforced in debugging mode.  The APIs must be defended at run-time as well, enforcing a default behavior that allows operation to continue without failure.
Comment 2 orcmid 2016-07-18 20:21:36 UTC
Created attachment 85612 [details]
Patch for guards against alteration of (default) read-only entries

The appropriate treatment of PolyPolygon slots that have not been set is to treat them as having constant empty polygons that cannot be changed.  

This patch guards against runtime attempts to remove or replace such an entry.  The attempt is gracefully ignored without failing the application.

(Debug builds will detect such attempts if it becomes important to isolate a rendering problem or source of incorrect requests of the API.)
Comment 3 orcmid 2016-07-20 04:52:59 UTC
Created attachment 85614 [details]
Updated Patch for Guarding against changes to (default) read-only entries.

Credit to Patricia Shanahan: This patch will work correctly with a working copy check-out of the Apache OpenOffice SVN trunk.
Comment 4 Andrea Pescetti 2016-09-03 21:08:00 UTC
Can we close this one? Everything is now released in source and binary form as per https://www.openoffice.org/security/cves/CVE-2016-1513.html (marking RESOLVED for the time being; feel free to close).
Comment 5 orcmid 2016-09-03 21:40:36 UTC
(In reply to Andrea Pescetti from comment #4)
> Can we close this one? Everything is now released in source and binary form
> as per https://www.openoffice.org/security/cves/CVE-2016-1513.html (marking
> RESOLVED for the time being; feel free to close).

There are remaining cases that didn't have to be fixed for CVE-2016-1513.  I need to review again and develop the complete set.
Comment 6 Andrea Pescetti 2016-09-03 22:03:14 UTC
Understood, thanks. Just to clarify the scope of the still pending developments, we do agree that https://www.openoffice.org/security/cves/CVE-2016-1513.html is addressed by the already committed patch, right?
Comment 7 Marcus 2016-10-07 10:03:10 UTC
This fix will be addressed in AOO 4.1.3 with SVN Rev. 1754535.
Comment 8 Marcus 2016-10-07 10:03:31 UTC
Fixed
Comment 9 Marcus 2016-10-07 11:15:59 UTC
Deleted the 4.1.3 blocker flag.

Actually the issue was no blocker for the 4.1.3 release as it was fixed earlier with the 4.1.2 hotfix. The SVN branch was created out of the 4.1.2 branch and therefore this fix was automatically included in the new branch.