cid#1473839 Untrusted loop bound

Change-Id: Iedb13791e19f635117040698e1fc45a5c1c3968d
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113235
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/editeng/source/items/numitem.cxx b/editeng/source/items/numitem.cxx
index 5873cfb05781..0c48262f323f 100644
--- a/editeng/source/items/numitem.cxx
+++ b/editeng/source/items/numitem.cxx
@@ -645,6 +645,12 @@ SvxNumRule::SvxNumRule( SvStream &rStream )
     rStream.ReadUInt16( nTmp16 ); // NUM_ITEM_VERSION
     rStream.ReadUInt16( nLevelCount );
 
+    if (nLevelCount > SVX_MAX_NUM)
+    {
+        SAL_WARN("editeng", "nLevelCount: " << nLevelCount << " greater than max of: " << SVX_MAX_NUM);
+        nLevelCount = SVX_MAX_NUM;
+    }
+
     // first nFeatureFlags of old Versions
     rStream.ReadUInt16( nTmp16 ); nFeatureFlags = static_cast<SvxNumRuleFlags>(nTmp16);
     rStream.ReadUInt16( nTmp16 ); bContinuousNumbering = nTmp16;