Version in base suite: 2.0.4.dfsg.2-7etch6
Version in overlay suite: (not present)
Base version: openoffice.org_2.0.4.dfsg.2-7etch6
Target version: openoffice.org_2.0.4.dfsg.2-7etch7
Base file: /org/ftp.debian.org/ftp/pool/main/o/openoffice.org/openoffice.org_2.0.4.dfsg.2-7etch6.dsc
Target file: /org/ftp.debian.org/queue/o-p-u-new/openoffice.org_2.0.4.dfsg.2-7etch7.dsc
ooo-build/patches/src680/sw.safe_tdelete_tinsert.diff | 94 +++++++++++++
openoffice.org-2.0.4.dfsg.2/debian/changelog | 8 +
openoffice.org-2.0.4.dfsg.2/ooo-build/patches/src680/apply | 1
3 files changed, 103 insertions(+)
diff -u openoffice.org-2.0.4.dfsg.2/debian/changelog openoffice.org-2.0.4.dfsg.2/debian/changelog
--- openoffice.org-2.0.4.dfsg.2/debian/changelog
+++ openoffice.org-2.0.4.dfsg.2/debian/changelog
@@ -1,3 +1,11 @@
+openoffice.org (2.0.4.dfsg.2-7etch7) oldstable-security; urgency=high
+
+ * patches/src680/sw.safe_tdelete_tinsert.diff: fix CVE-2009-0200
+ (OpenOffice.org Word Document sprmTDelete Integer Underflow) and
+ CVE-2009-0201 (OpenOffice.org Word Document sprmTInsert Buffer Overflow)
+
+ -- Rene Engelhard Wed, 20 May 2009 16:57:56 +0200
+
 openoffice.org (2.0.4.dfsg.2-7etch6) stable-security; urgency=high
 
 * patches/src680/workspace.sjfixes07.diff: fix CVE-2008-2237
diff -u openoffice.org-2.0.4.dfsg.2/ooo-build/patches/src680/apply openoffice.org-2.0.4.dfsg.2/ooo-build/patches/src680/apply
--- openoffice.org-2.0.4.dfsg.2/ooo-build/patches/src680/apply
+++ openoffice.org-2.0.4.dfsg.2/ooo-build/patches/src680/apply
@@ -1961,2 +1961,3 @@
 workspace.sjfixes09.diff
+sw.safe_tdelete_tinsert.diff
only in patch2:
unchanged:
--- openoffice.org-2.0.4.dfsg.2.orig/ooo-build/patches/src680/sw.safe_tdelete_tinsert.diff
+++ openoffice.org-2.0.4.dfsg.2/ooo-build/patches/src680/sw.safe_tdelete_tinsert.diff
@@ -0,0 +1,94 @@
+diff -ru sw.orig/source/filter/ww8/ww8par2.cxx sw/source/filter/ww8/ww8par2.cxx
+--- sw.orig/source/filter/ww8/ww8par2.cxx 2009-05-15 09:29:14.000000000 +0100
++++ sw/source/filter/ww8/ww8par2.cxx 2009-05-20 10:19:13.000000000 +0100
+@@ -1399,14 +1399,34 @@
+ if( nWwCols && pParamsTInsert ) // set one or more cell length(s)
+ {
+ BYTE nitcInsert = pParamsTInsert[0]; // position at which to insert
++ if (nitcInsert >= MAX_COL) // cannot insert into cell outside max possible index
++ return;
+ BYTE nctc = pParamsTInsert[1]; // number of cells
+ USHORT ndxaCol = SVBT16ToShort( pParamsTInsert+2 );
+
+ short nNewWwCols;
+ if (nitcInsert > nWwCols)
++ {
+ nNewWwCols = nitcInsert+nctc;
++ //if new count would be outside max possible count, clip it, and calc a new replacement
++ //legal nctc
++ if (nNewWwCols > MAX_COL)
++ {
++ nNewWwCols = MAX_COL;
++ nctc = nNewWwCols-nitcInsert;
++ }
++ }
+ else
++ {
+ nNewWwCols = nWwCols+nctc;
++ //if new count would be outside max possible count, clip it, and calc a new replacement
++ //legal nctc
++ if (nNewWwCols > MAX_COL)
++ {
++ nNewWwCols = MAX_COL;
++ nctc = nNewWwCols-nWwCols;
++ }
++ }
+
+ WW8_TCell *pTC2s = new WW8_TCell[nNewWwCols];
+ setcelldefaults(pTC2s, nNewWwCols);
+@@ -1542,25 +1562,42 @@
+ if( nWwCols && pParamsTDelete ) // set one or more cell length(s)
+ {
+ BYTE nitcFirst= pParamsTDelete[0]; // first col to be deleted
++ if (nitcFirst >= nWwCols) // first index to delete from doesn't exist
++ return;
+ BYTE nitcLim = pParamsTDelete[1]; // (last col to be deleted)+1
++ if (nitcLim <= nitcFirst) // second index to delete to is not greater than first index
++ return;
+
+- BYTE nShlCnt = nWwCols - nitcLim; // count of cells to be shifted
++ /*
++ * sprmTDelete causes any rgdxaCenter and rgtc entries whose index is
++ * greater than or equal to itcLim to be moved
++ */
++ int nShlCnt = nWwCols - nitcLim; // count of cells to be shifted
++
++ if (nShlCnt >= 0) //There exist entries whose index is
greater than or equal to itcLim
++ {
++ WW8_TCell* pAktTC = pTCs + nitcFirst;
++ int i = 0;
++ while( i < nShlCnt )
++ {
++ // adjust the left x-position
++ nCenter[nitcFirst + i] = nCenter[nitcLim + i];
+
++ // adjust the cell's borders
++ *pAktTC = pTCs[ nitcLim + i];
+
+- WW8_TCell* pAktTC = pTCs + nitcFirst;
+- int i = 0;
+- for( ; i < nShlCnt; i++, ++pAktTC )
+- {
+- // adjust the left x-position
++ ++i;
++ ++pAktTC;
++ }
++ // adjust the left x-position of the dummy at the very end
+ nCenter[nitcFirst + i] = nCenter[nitcLim + i];
+-
+- // adjust the cell's borders
+- *pAktTC = pTCs[ nitcLim + i];
+ }
+- // adjust the left x-position of the dummy at the very end
+- nCenter[nitcFirst + i] = nCenter[nitcLim + i];
+
+- nWwCols -= (nitcLim - nitcFirst);
++ short nCellsDeleted = nitcLim - nitcFirst;
++ //clip delete request to available number of cells
++ if (nCellsDeleted > nWwCols)
++ nCellsDeleted = nWwCols;
++ nWwCols -= nCellsDeleted;
+ }
+ }
+
+
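Review bot: In the sprmTDelete hunk, a request with `nitcLim > nWwCols` skips the shift (`nShlCnt < 0`) and then subtracts `nitcLim - nitcFirst` clipped only to `nWwCols`, so columns below `nitcFirst` that were never named in the request are dropped as well (5 columns, first=3, lim=10 leaves 0 rather than 3), and the trailing `nCenter` edge is not copied to the new end. Clamping the limit right after the `nitcLim <= nitcFirst` check, `if (nitcLim > nWwCols) nitcLim = nWwCols;`, keeps every index inside the existing column range, makes `nShlCnt` zero so the final edge copy still runs, and makes the later `nCellsDeleted` clip redundant. In the sprmTInsert hunk the `else` branch stores `nNewWwCols-nWwCols` into the BYTE `nctc`, which is only safe if `nWwCols` can never exceed `MAX_COL` on entry; that invariant is not visible here and would be worth a comment or assertion. Both enclosing functions begin and end outside the hunks, so the effect of the new early `return`s on the rest of the sprm processing cannot be judged from this page.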