author | Caolán McNamara <caolanm@redhat.com> | 2021-03-29 11:00:51 +0100 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2021-03-29 15:02:46 +0200 |
commit | e96b6f8a8c588e9cc14bf583cf9c48e693c83751 (patch) | |
tree | dc4fb5849dab3213eeb46af6e90fe70d4f899726 /basic/source | |
parent | 9a0d2378baeeb654e81af1871b4933f3a90b27e6 (diff) |
cid#1474044 Untrusted loop bound
Change-Id: Ibb20ffc2219c25add421cd4803e80b15b131c93b
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113306
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'basic/source')
-rw-r--r-- | basic/source/sbx/sbxarray.cxx | 14 | ||||
-rw-r--r-- | basic/source/sbx/sbxbase.cxx | 6 |
2 files changed, 16 insertions, 4 deletions
diff --git a/basic/source/sbx/sbxarray.cxx b/basic/source/sbx/sbxarray.cxx
index f531803f617a..fa2a2aa69f9a 100644
--- a/basic/source/sbx/sbxarray.cxx
+++ b/basic/source/sbx/sbxarray.cxx
@@ -531,8 +531,20 @@ SbxVariable* SbxDimArray::Get( SbxArray* pPar )
 bool SbxDimArray::LoadData( SvStream& rStrm, sal_uInt16 nVer )
 {
- short nDimension;
+ short nDimension(0);
 rStrm.ReadInt16( nDimension );
+
+ if (nDimension > 0)
+ {
+ const size_t nMinRecordSize = 4;
+ const size_t nMaxPossibleRecords = rStrm.remainingSize() / nMinRecordSize;
+ if (o3tl::make_unsigned(nDimension) > nMaxPossibleRecords)
+ {
+ SAL_WARN("basic", "SbxDimArray::LoadData more entries claimed than stream could contain");
+ return false;
+ }
+ }
+
 for( short i = 0; i < nDimension && rStrm.GetError() == ERRCODE_NONE; i++ )
 {
 sal_Int16 lb(0), ub(0);
diff --git a/basic/source/sbx/sbxbase.cxx b/basic/source/sbx/sbxbase.cxx
index 0e057540c8bc..b57c9bdb9008 100644
--- a/basic/source/sbx/sbxbase.cxx
+++ b/basic/source/sbx/sbxbase.cxx
@@ -180,8 +180,8 @@ SbxObject* SbxBase::CreateObject( const OUString& rClass )
 SbxBase* SbxBase::Load( SvStream& rStrm )
 {
- sal_uInt16 nSbxId, nFlagsTmp, nVer;
- sal_uInt32 nCreator, nSize;
+ sal_uInt16 nSbxId(0), nFlagsTmp(0), nVer(0);
+ sal_uInt32 nCreator(0), nSize(0);
 rStrm.ReadUInt32( nCreator ).ReadUInt16( nSbxId ).ReadUInt16( nFlagsTmp ).ReadUInt16( nVer );
 SbxFlagBits nFlags = static_cast<SbxFlagBits>(nFlagsTmp);
@@ -297,7 +297,7 @@ void SbxInfo::LoadData( SvStream& rStrm, sal_uInt16 nVer )
 rStrm.ReadUInt32( nHelpId ).ReadUInt16( nParam );
 while( nParam-- )
 {
- sal_uInt16 nType, nFlagsTmp;
+ sal_uInt16 nType(0), nFlagsTmp(0);
 sal_uInt32 nUserData = 0;
 OUString aName = read_uInt16_lenPrefixed_uInt8s_ToOUString(rStrm, RTL_TEXTENCODING_ASCII_US); |
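Review bot: The bound `nMinRecordSize = 4` in the new guard of `SbxDimArray::LoadData` is a bare literal; it presumably stands for the two `sal_Int16` values (`lb`, `ub`) read per dimension, but nothing ties it to those reads. Writing it as `const size_t nMinRecordSize = 2 * sizeof(sal_Int16); // lb + ub per dimension` keeps the check correct if the record layout ever changes. The guard only caps the count at what the stream could hold, so `nDimension` can still be as large as the file allows. Whether `lb` and `ub` are range-checked before they are used is decided in the loop body, which continues outside the hunk.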
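Review bot: No stream-state check is visible after the chained `ReadUInt32( nCreator ).ReadUInt16( nSbxId )...` call in `SbxBase::Load`, so with the new zero initialisers a truncated stream proceeds with an all-zero header and `nFlags` cast from 0 instead of being rejected. Zero-initialising makes the short read deterministic, but it does not make the values meaningful. If the rest of `Load` does not already do this (the body continues outside the hunk), add `if (rStrm.GetError() != ERRCODE_NONE) return nullptr;` directly after the read.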
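Review bot: `while( nParam-- )` in `SbxInfo::LoadData` is still driven by a count read straight from the stream, and unlike the `SbxDimArray::LoadData` hunk in this commit it gets neither a `remainingSize()` bound nor a stream-error test in its condition. On a truncated file the loop would keep iterating against a failed stream for the whole claimed count, which appears to be 16-bit given `ReadUInt16( nParam )`. A minimal change is `while( rStrm.GetError() == ERRCODE_NONE && nParam-- )`, or the same remaining-size guard using the smallest possible per-parameter record. The loop body continues outside the hunk, so an existing break on error cannot be ruled out from here.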