From: Caolán McNamara Date: Fri, 8 Nov 2024 16:51:47 +0000 (+0000) Subject: [PATCH] be conservative on allowed temp font names X-Git-Tag: archive/raspbian/1%7.0.4-4+rpi1+deb11u12^2~6 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=7db37d65d161f0c30fa24da6762e65ce1ac447f7;p=libreoffice.git [PATCH] be conservative on allowed temp font names Change-Id: Iefdc1a8c9b4c7e8c08c84f747f8287ac3c419839 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/176236 Reviewed-by: Michael Stahl Tested-by: Jenkins (cherry picked from commit f761d098e9a0960554aa4fc02f84a711b50a1cff) origin: https://github.com/LibreOffice/core/commit/02e3aea1b2cfa3c686aab10721f9a89ecc382732 bug: https://www.libreoffice.org/about-us/security/advisories/cve-2024-12425 bug-gerrit: https://gerrit.libreoffice.org/c/core/+/176236 Gbp-Pq: Name CVE-2024-12425.patch
---
diff --git a/vcl/source/gdi/embeddedfontshelper.cxx b/vcl/source/gdi/embeddedfontshelper.cxx
index e59f940718b..bfb1dd5181d 100644
--- a/vcl/source/gdi/embeddedfontshelper.cxx
+++ b/vcl/source/gdi/embeddedfontshelper.cxx
@@ -17,6 +17,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -188,10 +189,6 @@ void EmbeddedFontsHelper::activateFonts()
 OUString EmbeddedFontsHelper::fileUrlForTemporaryFont( const OUString& fontName, const char* extra )
 {
- OUString path = "${$BRAND_BASE_DIR/" LIBO_ETC_FOLDER "/" SAL_CONFIGFILE( "bootstrap") "::UserInstallation}";
- rtl::Bootstrap::expandMacros( path );
- path += "/user/temp/embeddedfonts/fromdocs/";
- osl::Directory::createPath( path );
 OUString filename = fontName;
 static int uniqueCounter = 0;
 if( strcmp( extra, "?" ) == 0 )
@@ -199,6 +196,17 @@ OUString EmbeddedFontsHelper::fileUrlForTemporaryFont( const OUString& fontName,
 else
 filename += OStringToOUString( extra, RTL_TEXTENCODING_ASCII_US );
 filename += ".ttf"; // TODO is it always ttf?
+
+ if (!::comphelper::OStorageHelper::IsValidZipEntryFileName(filename, false))
+ {
+ SAL_WARN( "vcl.fonts", "Cannot use filename: " << filename << " for temporary font");
+ filename = "font" + OUString::number(uniqueCounter++) + ".ttf";
+ }
+
+ OUString path = "${$BRAND_BASE_DIR/" LIBO_ETC_FOLDER "/" SAL_CONFIGFILE( "bootstrap") "::UserInstallation}";
+ rtl::Bootstrap::expandMacros( path );
+ path += "/user/temp/embeddedfonts/fromdocs/";
+ osl::Directory::createPath( path );
 return path + filename;
 }
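Review bot: The added guard validates the document-supplied name with `IsValidZipEntryFileName(filename, false)`, a helper written for zip entry names and defined outside this hunk, so what it guarantees for a segment appended to a file URL cannot be confirmed from here. Since `path + filename` is a URL and not a system path, it is worth confirming that the helper also rejects `%`, because escapes are decoded when the URL is resolved. If it does not, a short allow-list of characters would be the more conservative check. A comment above the `if`, for example `// fontName comes from the document: it must remain a single path segment below fromdocs/`, would record why the fallback exists. The fallback `"font" + OUString::number(uniqueCounter++) + ".ttf"` can coincide with a valid document font of the same name, and the function body begins outside this hunk.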