diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2014-11-14 10:26:15 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2014-11-14 12:02:48 +0000 |
| commit | e5e13192f3ce677daf6edaaebcb50bad9e24e05a (patch) | |
| tree | d78712df9d7c420320c7f306753c87a390c4a6b2 /editeng | |
| parent | 41029bcdd094b516bb4f4926fca18ce60092a013 (diff) | |
coverity#1242632 Untrusted loop bound
Change-Id: Ib821adfbca149091d4fbe52d05837e232c3caf55
Diffstat (limited to 'editeng')
| -rw-r--r-- | editeng/source/editeng/editobj.cxx | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/editeng/source/editeng/editobj.cxx b/editeng/source/editeng/editobj.cxx index 9c1da0e83a65..b100bd47299d 100644 --- a/editeng/source/editeng/editobj.cxx +++ b/editeng/source/editeng/editobj.cxx @@ -1266,9 +1266,18 @@ void EditTextObjectImpl::CreateData( SvStream& rIStream ) rtl_TextEncoding eSrcEncoding = GetSOLoadTextEncoding( (rtl_TextEncoding)nCharSet ); // The number of paragraphs ... - sal_uInt16 nParagraphs; + sal_uInt16 nParagraphs(0); rIStream.ReadUInt16( nParagraphs ); + const size_t nMinParaRecordSize = 6 + eSrcEncoding == RTL_TEXTENCODING_UNICODE ? 4 : 2; + const size_t nMaxParaRecords = rIStream.remainingSize() / nMinParaRecordSize; + if (nParagraphs > nMaxParaRecords) + { + SAL_WARN("editeng", "Parsing error: " << nMaxParaRecords << + " max possible entries, but " << nParagraphs<< " claimed, truncating"); + nParagraphs = nMaxParaRecords; + } + // The individual paragraphs ... for ( sal_uLong nPara = 0; nPara < nParagraphs; nPara++ ) { @@ -1280,7 +1289,7 @@ void EditTextObjectImpl::CreateData( SvStream& rIStream ) // StyleName and Family... pC->GetStyle() = rIStream.ReadUniOrByteString(eSrcEncoding); - sal_uInt16 nStyleFamily; + sal_uInt16 nStyleFamily(0); rIStream.ReadUInt16( nStyleFamily ); pC->GetFamily() = (SfxStyleFamily)nStyleFamily; |