From f0416a5215ae80822d1689f080b8eb1f675d007d Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Wed, 23 Mar 2022 16:49:03 +0000
Subject: liborcus: forcepoint#83/84/87/95
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

forcepoint#83 Invalid read of size 1

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131989
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 7cccd1f732db8d451e9036800c9947509105a60a)

forcepoint#84 Invalid read of size 1

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131991
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit d6a02a99eaa3690c0aa5c33fea3a4c710813a0de)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132315
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 59ce428e794eb4874e8be337e31a2a14aef4593a)

forcepoint#83 forcepoint#84 update to upstream fix

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132055
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 2323fa29617e4919226517d50abbb9ad33b320ca)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132412
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 3e57f46c67ae06c30ec2da2c37c602d34af24dab)

forcepoint#87 Assertion 'mp_char <= mp_end' failed

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132097
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 32019baffa19a8f79cacf93d5dd5a95c7d416657)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132413
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Tested-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit efed5861b51cd54182e2c173a0fc98dee2a7742f)

Change-Id: I434928cb2425a2e8eb9440dff67f52cda241b2d9

forcepoint#95 read past end of malformed document

Change-Id: I8b2c558c733af3d7662f668af47e962e252ee339
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132311
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 0b9892fee990b7f6d0457ab6191f87c3991580e6)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132414
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 50f0dc8d49d52a9c8bc2079c69bd5feb150cd71a)
(cherry picked from commit 4cf400964b292b5102a8c110c9b8f54a487fbaaf)
---
 external/liborcus/UnpackedTarball_liborcus.mk | 16 +++++++++++
 external/liborcus/forcepoint-83.patch.1       | 38 +++++++++++++++++++++++++++
 external/liborcus/forcepoint-84.patch.1       | 38 +++++++++++++++++++++++++++
 external/liborcus/forcepoint-87.patch.1       | 27 +++++++++++++++++++
 external/liborcus/forcepoint-95.patch.1       | 11 ++++++++
 5 files changed, 130 insertions(+)
 create mode 100644 external/liborcus/forcepoint-83.patch.1
 create mode 100644 external/liborcus/forcepoint-84.patch.1
 create mode 100644 external/liborcus/forcepoint-87.patch.1
 create mode 100644 external/liborcus/forcepoint-95.patch.1

diff --git a/external/liborcus/UnpackedTarball_liborcus.mk b/external/liborcus/UnpackedTarball_liborcus.mk
index 779ec8d4fba1..e0ffb6edc340 100644
--- a/external/liborcus/UnpackedTarball_liborcus.mk
+++ b/external/liborcus/UnpackedTarball_liborcus.mk
@@ -15,12 +15,28 @@ $(eval $(call gb_UnpackedTarball_set_patchlevel,liborcus,1))
 
 $(eval $(call gb_UnpackedTarball_update_autoconf_configs,liborcus))
 
+# forcepoint-83.patch.1 merged as
+# https://gitlab.com/orcus/orcus/-/commit/9f6400b8192e39fefd475a96222713e9e9c60038
+# forcepoint-84.patch.1 merged as
+# https://gitlab.com/orcus/orcus/-/commit/223defe95d6f20f1bc5fd22fecc80a79a9519028
+# forcepoint-87.patch.1 merged as
+# https://gitlab.com/orcus/orcus/-/commit/a718524ca424fb8a7e7931345a118342d1d4a507
+# forcepoint-95.patch.1 submitted as
+# https://gitlab.com/orcus/orcus/-/merge_requests/124
+
 $(eval $(call gb_UnpackedTarball_add_patches,liborcus,\
 	external/liborcus/0001-workaround-a-linking-problem-on-windows.patch \
 	external/liborcus/rpath.patch.0 \
 	external/liborcus/include.patch.0 \
 ))
 
+$(eval $(call gb_UnpackedTarball_add_patches,liborcus,\
+	external/liborcus/forcepoint-83.patch.1 \
+	external/liborcus/forcepoint-84.patch.1 \
+	external/liborcus/forcepoint-87.patch.1 \
+	external/liborcus/forcepoint-95.patch.1 \
+))
+
 ifeq ($(OS),WNT)
 $(eval $(call gb_UnpackedTarball_add_patches,liborcus,\
 	external/liborcus/windows-constants-hack.patch \
diff --git a/external/liborcus/forcepoint-83.patch.1 b/external/liborcus/forcepoint-83.patch.1
new file mode 100644
index 000000000000..905289ffd40f
--- /dev/null
+++ b/external/liborcus/forcepoint-83.patch.1
@@ -0,0 +1,38 @@
+From 4d58816e995a562f26f3cc5006ae9ddd46b1bbed Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Wed, 23 Mar 2022 16:44:00 +0000
+Subject: [PATCH] forcepoint#83 Invalid read of size 1
+
+==343916== Invalid read of size 1
+==343916==    at 0x11A7B2F0: orcus::parser_base::cur_char() const (parser_base.hpp:79)
+==343916==    by 0x11B7B112: orcus::sax_parser<orcus::sax_ns_parser<orcus::sax_token_parser<orcus::xml_stream_handler>::handler_wrapper>::handler_wrapper, orcus::sax_parser_default_config>::element_open(long) (sax_parser.hpp:258)
+==343916==    by 0x11B7A2C7: orcus::sax_parser<orcus::sax_ns_parser<orcus::sax_token_parser<orcus::xml_stream_handler>::handler_wrapper>::handler_wrapper, orcus::sax_parser_default_config>::element() (sax_parser.hpp:246)
+==343916==    by 0x11B7A197: orcus::sax_parser<orcus::sax_ns_parser<orcus::sax_token_parser<orcus::xml_stream_handler>::handler_wrapper>::handler_wrapper, orcus::sax_parser_default_config>::body() (sax_parser.hpp:214)
+==343916==    by 0x11B79FD9: orcus::sax_parser<orcus::sax_ns_parser<orcus::sax_token_parser<orcus::xml_stream_handler>::handler_wrapper>::handler_wrapper, orcus::sax_parser_default_config>::parse() (sax_parser.hpp:182)
+==343916==    by 0x11B79F8B: orcus::sax_ns_parser<orcus::sax_token_parser<orcus::xml_stream_handler>::handler_wrapper>::parse() (sax_ns_parser.hpp:277)
+==343916==    by 0x11B79768: orcus::sax_token_parser<orcus::xml_stream_handler>::parse() (sax_token_parser.hpp:215)
+==343916==    by 0x11B79406: orcus::xml_stream_parser::parse() (xml_stream_parser.cpp:68)
+==343916==    by 0x11BE3805: orcus::orcus_xlsx::detect(unsigned char const*, unsigned long) (orcus_xlsx.cpp:188)
+==343916==    by 0x11AB2482: orcus::detect(unsigned char const*, unsigned long) (format_detection.cpp:60)
+==343916==    by 0x30E60945: (anonymous namespace)::OrcusFormatDetect::detect(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>&) (filterdetect.cxx:83)
+==343916==    by 0x30E60ABE: non-virtual thunk to (anonymous namespace)::OrcusFormatDetect::detect(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>&) (filterdetect.cxx:0)
+---
+ include/orcus/sax_parser.hpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/orcus/sax_parser.hpp b/include/orcus/sax_parser.hpp
+index 15e8d917..2e707568 100644
+--- a/include/orcus/sax_parser.hpp
++++ b/include/orcus/sax_parser.hpp
+@@ -255,7 +255,7 @@ void sax_parser<_Handler,_Config>::element_open(std::ptrdiff_t begin_pos)
+     while (true)
+     {
+         blank();
+-        char c = cur_char();
++        char c = cur_char_checked();
+         if (c == '/')
+         {
+             // Self-closing element: <element/>
+-- 
+2.35.1
+
diff --git a/external/liborcus/forcepoint-84.patch.1 b/external/liborcus/forcepoint-84.patch.1
new file mode 100644
index 000000000000..462fc8bd972d
--- /dev/null
+++ b/external/liborcus/forcepoint-84.patch.1
@@ -0,0 +1,38 @@
+From ec469f774bb91302c4df21eff1314dfd508d37c8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Wed, 23 Mar 2022 20:04:31 +0000
+Subject: [PATCH] forcepoint#84 Invalid read of size 1
+
+==356879== Invalid read of size 1
+==356879==    at 0x11EC50B0: orcus::parser_base::cur_char() const (parser_base.hpp:79)
+==356879==    by 0x11EDD736: orcus::sax::parser_base::value(std::basic_string_view<char, std::char_traits<char> >&, bool) (sax_parser_base.cpp:303)
+==356879==    by 0x11B7C3D5: orcus::sax_parser<orcus::sax_ns_parser<orcus::sax_token_parser<orcus::xml_stream_handler>::handler_wrapper>::handler_wrapper, orcus::sax_parser_default_config>::attribute() (sax_parser.hpp:563)
+==356879==    by 0x11B7B35E: orcus::sax_parser<orcus::sax_ns_parser<orcus::sax_token_parser<orcus::xml_stream_handler>::handler_wrapper>::handler_wrapper, orcus::sax_parser_default_config>::element_open(long) (sax_parser.hpp:292)
+==356879==    by 0x11B7A2F7: orcus::sax_parser<orcus::sax_ns_parser<orcus::sax_token_parser<orcus::xml_stream_handler>::handler_wrapper>::handler_wrapper, orcus::sax_parser_default_config>::element() (sax_parser.hpp:246)
+==356879==    by 0x11B7A1C7: orcus::sax_parser<orcus::sax_ns_parser<orcus::sax_token_parser<orcus::xml_stream_handler>::handler_wrapper>::handler_wrapper, orcus::sax_parser_default_config>::body() (sax_parser.hpp:214)
+==356879==    by 0x11B7A009: orcus::sax_parser<orcus::sax_ns_parser<orcus::sax_token_parser<orcus::xml_stream_handler>::handler_wrapper>::handler_wrapper, orcus::sax_parser_default_config>::parse() (sax_parser.hpp:182)
+==356879==    by 0x11B79FBB: orcus::sax_ns_parser<orcus::sax_token_parser<orcus::xml_stream_handler>::handler_wrapper>::parse() (sax_ns_parser.hpp:277)
+==356879==    by 0x11B79798: orcus::sax_token_parser<orcus::xml_stream_handler>::parse() (sax_token_parser.hpp:215)
+==356879==    by 0x11B79436: orcus::xml_stream_parser::parse() (xml_stream_parser.cpp:68)
+==356879==    by 0x11BE3855: orcus::orcus_xlsx::detect(unsigned char const*, unsigned long) (orcus_xlsx.cpp:188)
+==356879==    by 0x11AB2492: orcus::detect(unsigned char const*, unsigned long) (format_detection.cpp:60)
+---
+ src/parser/sax_parser_base.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/parser/sax_parser_base.cpp b/src/parser/sax_parser_base.cpp
+index 46acb81d..1cee821e 100644
+--- a/src/parser/sax_parser_base.cpp
++++ b/src/parser/sax_parser_base.cpp
+@@ -298,7 +298,7 @@ void parser_base::value_with_encoded_char(cell_buffer& buf, std::string_view& st
+ 
+ bool parser_base::value(pstring& str, bool decode)
+ {
+-    char c = cur_char();
++    char c = cur_char_checked();
+     if (c != '"' && c != '\'')
+         throw malformed_xml_error("value must be quoted", offset());
+ 
+-- 
+2.35.1
+
diff --git a/external/liborcus/forcepoint-87.patch.1 b/external/liborcus/forcepoint-87.patch.1
new file mode 100644
index 000000000000..f02a4726d8e5
--- /dev/null
+++ b/external/liborcus/forcepoint-87.patch.1
@@ -0,0 +1,27 @@
+From e4f3741197a3af6d434850d388483b523138a214 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Thu, 24 Mar 2022 21:31:14 +0000
+Subject: [PATCH] forcepoint#87 Assertion `mp_char <= mp_end' failed
+
+soffice.bin: ../../include/orcus/parser_base.hpp:65: bool orcus::parser_base::has_char() const: Assertion `mp_char <= mp_end' failed.
+---
+ src/parser/sax_parser_base.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/parser/sax_parser_base.cpp b/src/parser/sax_parser_base.cpp
+index 46acb81d..cb7a9c04 100644
+--- a/src/parser/sax_parser_base.cpp
++++ b/src/parser/sax_parser_base.cpp
+@@ -293,7 +293,8 @@
+ 
+     // Skip the closing quote.
+     assert(!has_char() || cur_char() == '"');
+-    next();
++    if (has_char())
++       next();
+ }
+ 
+ bool parser_base::value(pstring& str, bool decode)
+-- 
+2.35.1
+
diff --git a/external/liborcus/forcepoint-95.patch.1 b/external/liborcus/forcepoint-95.patch.1
new file mode 100644
index 000000000000..074e29868031
--- /dev/null
+++ b/external/liborcus/forcepoint-95.patch.1
@@ -0,0 +1,11 @@
+--- a/include/orcus/sax_parser.hpp	2022-03-30 10:54:44.043568760 +0100
++++ b/include/orcus/sax_parser.hpp	2022-03-30 10:54:55.645037322 +0100
+@@ -547,7 +547,7 @@
+     os << "sax_parser::attribute: ns='" << attr.ns << "', name='" << attr.name << "'";
+ #endif
+ 
+-    char c = cur_char();
++    char c = cur_char_checked();
+     if (c != '=')
+     {
+         std::ostringstream os;
-- 
cgit