coverity#1242632 Use of untrusted scalar value

Change-Id: I91b8505fdbd4ebc77a76279b8c6476daf422319f
author: Caolán McNamara <caolanm@redhat.com> 2015-02-02 10:09:26 +0000
committer: Caolán McNamara <caolanm@redhat.com> 2015-02-02 10:57:19 +0000
commit: 28236bed527b7ceb68d3c8260ea89ee9cddbf3dc (patch)
tree: e91e418af589f96c41f33527ed0193b620076b57 /editeng
parent: dcad3ac445980740b6a39761cdd1f1bd0b3e6e34 (diff)
1 files changed, 24 insertions, 6 deletions
diff --git a/editeng/source/editeng/editobj.cxx b/editeng/source/editeng/editobj.cxx
index bf316c71b2fe..ea20882d99d0 100644
--- a/editeng/source/editeng/editobj.cxx
+++ b/editeng/source/editeng/editobj.cxx
@@ -1483,7 +1483,7 @@ void EditTextObjectImpl::CreateData( SvStream& rIStream )
 
     if ( nVersion >= 601 )
     {
-        bool bTmp;
+        bool bTmp(false);
         rIStream.ReadCharAsBool( bTmp );
         bVertical = bTmp;
     }
@@ -1492,28 +1492,46 @@ void EditTextObjectImpl::CreateData( SvStream& rIStream )
     {
         rIStream.ReadUInt16( nScriptType );
 
-        bool bUnicodeStrings;
+        bool bUnicodeStrings(false);
         rIStream.ReadCharAsBool( bUnicodeStrings );
         if ( bUnicodeStrings )
         {
-            for ( sal_uInt16 nPara = 0; nPara < nParagraphs; nPara++ )
+            for (sal_uInt16 nPara = 0; nPara < nParagraphs; ++nPara)
             {
                 ContentInfo& rC = aContents[nPara];
-                sal_uInt16 nL;
+                sal_uInt16 nL(0);
 
                 // Text
-                rIStream.ReadUInt16( nL );
-                if ( nL )
+                rIStream.ReadUInt16(nL);
+                if (nL)
                 {
+                    size_t nMaxElementsPossible = rIStream.remainingSize() / sizeof(sal_Unicode);
+                    if (nL > nMaxElementsPossible)
+                    {
+                        SAL_WARN("editeng", "Parsing error: " << nMaxElementsPossible <<
+                                 " max possible entries, but " << nL << " claimed, truncating");
+                        nL = nMaxElementsPossible;
+                    }
+
                     rtl_uString *pStr = rtl_uString_alloc(nL);
                     rIStream.Read(pStr->buffer, nL*sizeof(sal_Unicode));
                     rC.SetText((OUString(pStr, SAL_NO_ACQUIRE)));
+
+                    nL = 0;
                 }
 
                 // StyleSheetName
                 rIStream.ReadUInt16( nL );
                 if ( nL )
                 {
+                    size_t nMaxElementsPossible = rIStream.remainingSize() / sizeof(sal_Unicode);
+                    if (nL > nMaxElementsPossible)
+                    {
+                        SAL_WARN("editeng", "Parsing error: " << nMaxElementsPossible <<
+                                 " max possible entries, but " << nL << " claimed, truncating");
+                        nL = nMaxElementsPossible;
+                    }
+
                     rtl_uString *pStr = rtl_uString_alloc(nL);
                     rIStream.Read(pStr->buffer, nL*sizeof(sal_Unicode) );
                     rC.GetStyle() = OUString(pStr, SAL_NO_ACQUIRE);
author	Caolán McNamara <caolanm@redhat.com>	2015-02-02 10:09:26 +0000
committer	Caolán McNamara <caolanm@redhat.com>	2015-02-02 10:57:19 +0000
commit	28236bed527b7ceb68d3c8260ea89ee9cddbf3dc (patch)
tree	e91e418af589f96c41f33527ed0193b620076b57 /editeng
parent	dcad3ac445980740b6a39761cdd1f1bd0b3e6e34 (diff)