coverity#1242865 Untrusted loop bound

Change-Id: I9dc9cd98d0a02a2867d4c40c7afb7bf873513143
author: Caolán McNamara <caolanm@redhat.com> 2014-11-05 16:33:55 +0000
committer: Caolán McNamara <caolanm@redhat.com> 2014-11-05 21:03:24 +0000
commit: 1409c0bd884ffc2c9fb656fe61ac62d759bc436d (patch)
tree: d6ad79ccf7290357281e6f3b8a1eda76d48d0778 /basic
parent: 5b0c95d81eb4c311d80aabaa1cfe16bc1b426111 (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/basic/source/classes/image.cxx b/basic/source/classes/image.cxx
index 7a15cce28548..1543caec5cac 100644
--- a/basic/source/classes/image.cxx
+++ b/basic/source/classes/image.cxx
@@ -156,7 +156,16 @@ bool SbiImage::Load( SvStream& r, sal_uInt32& nVersion )
             }
             case B_EXTSOURCE:
             {
-                for( sal_uInt16 j = 0 ; j < nCount ; j++ )
+                //assuming an empty string with just the lead 32bit/16bit len indicator
+                const size_t nMinStringSize = (eCharSet == RTL_TEXTENCODING_UNICODE) ? 4 : 2;
+                const size_t nMaxStrings = r.remainingSize() / nMinStringSize;
+                if (nCount > nMaxStrings)
+                {
+                    SAL_WARN("basic", "Parsing error: " << nMaxStrings <<
+                             " max possible entries, but " << nCount << " claimed, truncating");
+                    nCount = nMaxStrings;
+                }
+                for( sal_uInt16 j = 0; j < nCount; ++j)
                 {
                     aOUSource += r.ReadUniOrByteString(eCharSet);
                 }
author	Caolán McNamara <caolanm@redhat.com>	2014-11-05 16:33:55 +0000
committer	Caolán McNamara <caolanm@redhat.com>	2014-11-05 21:03:24 +0000
commit	1409c0bd884ffc2c9fb656fe61ac62d759bc436d (patch)
tree	d6ad79ccf7290357281e6f3b8a1eda76d48d0778 /basic
parent	5b0c95d81eb4c311d80aabaa1cfe16bc1b426111 (diff)