diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2021-03-31 20:14:07 +0100 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2021-04-01 11:35:14 +0200 |
| commit | 7e22869694a7a1dd66d68e262727e64cc4dd6384 (patch) | |
| tree | eb72c6caff2470728eaa776200c53945ef036131 /basic | |
| parent | 903902f826129705f1fafc5583a13be645e145b5 (diff) | |
cid#1473732 Untrusted loop bound
and
cid#1474044 Untrusted loop bound
Change-Id: If30dc454d60adca11fd1a53ecf472555e328bd42
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113441
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'basic')
| -rw-r--r-- | basic/source/sbx/sbxarray.cxx | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/basic/source/sbx/sbxarray.cxx b/basic/source/sbx/sbxarray.cxx index 4f5a9fd3cfb0..06774acddc00 100644 --- a/basic/source/sbx/sbxarray.cxx +++ b/basic/source/sbx/sbxarray.cxx @@ -531,20 +531,22 @@ SbxVariable* SbxDimArray::Get( SbxArray* pPar ) bool SbxDimArray::LoadData( SvStream& rStrm, sal_uInt16 nVer ) { - short nDimension(0); - rStrm.ReadInt16( nDimension ); + short nTmp(0); + rStrm.ReadInt16(nTmp); - if (nDimension > 0) + if (nTmp > 0) { + auto nDimension = o3tl::make_unsigned(nTmp); + const size_t nMinRecordSize = 4; const size_t nMaxPossibleRecords = rStrm.remainingSize() / nMinRecordSize; - if (o3tl::make_unsigned(nDimension) > nMaxPossibleRecords) + if (nDimension > nMaxPossibleRecords) { SAL_WARN("basic", "SbxDimArray::LoadData more entries claimed than stream could contain"); return false; } - for (short i = 0; i < nDimension && rStrm.GetError() == ERRCODE_NONE; ++i) + for (decltype(nDimension) i = 0; i < nDimension && rStrm.GetError() == ERRCODE_NONE; ++i) { sal_Int16 lb(0), ub(0); rStrm.ReadInt16( lb ).ReadInt16( ub ); |