summaryrefslogtreecommitdiff
path: root/basic/source
diff options
context:
space:
mode:
authorCaolán McNamara <caolanm@redhat.com>2021-03-29 11:00:51 +0100
committerCaolán McNamara <caolanm@redhat.com>2021-03-29 15:02:46 +0200
commite96b6f8a8c588e9cc14bf583cf9c48e693c83751 (patch)
treedc4fb5849dab3213eeb46af6e90fe70d4f899726 /basic/source
parent9a0d2378baeeb654e81af1871b4933f3a90b27e6 (diff)
cid#1474044 Untrusted loop bound
Change-Id: Ibb20ffc2219c25add421cd4803e80b15b131c93b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113306 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'basic/source')
-rw-r--r--basic/source/sbx/sbxarray.cxx14
-rw-r--r--basic/source/sbx/sbxbase.cxx6
2 files changed, 16 insertions, 4 deletions
diff --git a/basic/source/sbx/sbxarray.cxx b/basic/source/sbx/sbxarray.cxx
index f531803f617a..fa2a2aa69f9a 100644
--- a/basic/source/sbx/sbxarray.cxx
+++ b/basic/source/sbx/sbxarray.cxx
@@ -531,8 +531,20 @@ SbxVariable* SbxDimArray::Get( SbxArray* pPar )
bool SbxDimArray::LoadData( SvStream& rStrm, sal_uInt16 nVer )
{
- short nDimension;
+ short nDimension(0);
rStrm.ReadInt16( nDimension );
+
+ if (nDimension > 0)
+ {
+ const size_t nMinRecordSize = 4;
+ const size_t nMaxPossibleRecords = rStrm.remainingSize() / nMinRecordSize;
+ if (o3tl::make_unsigned(nDimension) > nMaxPossibleRecords)
+ {
+ SAL_WARN("basic", "SbxDimArray::LoadData more entries claimed than stream could contain");
+ return false;
+ }
+ }
+
for( short i = 0; i < nDimension && rStrm.GetError() == ERRCODE_NONE; i++ )
{
sal_Int16 lb(0), ub(0);
diff --git a/basic/source/sbx/sbxbase.cxx b/basic/source/sbx/sbxbase.cxx
index 0e057540c8bc..b57c9bdb9008 100644
--- a/basic/source/sbx/sbxbase.cxx
+++ b/basic/source/sbx/sbxbase.cxx
@@ -180,8 +180,8 @@ SbxObject* SbxBase::CreateObject( const OUString& rClass )
SbxBase* SbxBase::Load( SvStream& rStrm )
{
- sal_uInt16 nSbxId, nFlagsTmp, nVer;
- sal_uInt32 nCreator, nSize;
+ sal_uInt16 nSbxId(0), nFlagsTmp(0), nVer(0);
+ sal_uInt32 nCreator(0), nSize(0);
rStrm.ReadUInt32( nCreator ).ReadUInt16( nSbxId ).ReadUInt16( nFlagsTmp ).ReadUInt16( nVer );
SbxFlagBits nFlags = static_cast<SbxFlagBits>(nFlagsTmp);
@@ -297,7 +297,7 @@ void SbxInfo::LoadData( SvStream& rStrm, sal_uInt16 nVer )
rStrm.ReadUInt32( nHelpId ).ReadUInt16( nParam );
while( nParam-- )
{
- sal_uInt16 nType, nFlagsTmp;
+ sal_uInt16 nType(0), nFlagsTmp(0);
sal_uInt32 nUserData = 0;
OUString aName = read_uInt16_lenPrefixed_uInt8s_ToOUString(rStrm,
RTL_TEXTENCODING_ASCII_US);