author | Caolán McNamara <caolanm@redhat.com> | 2019-07-24 10:34:01 +0100 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2019-07-24 17:04:04 +0200 |
commit | a657260c419a7138971aeb0151c81dcb23df3748 (patch) | |
tree | d0f538f5006bd8daf65555194b83b606707378c0 /filter | |
parent | e622abbab580434038c117b013757885d3f0fb58 (diff) |
cid#1448519 Untrusted loop bound
Change-Id: I92952fdef3e1066082d7ba8c3befebfcb7f9adc1
Reviewed-on: https://gerrit.libreoffice.org/76242
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'filter')
-rw-r--r-- | filter/source/msfilter/dffpropset.cxx | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/filter/source/msfilter/dffpropset.cxx b/filter/source/msfilter/dffpropset.cxx
index 73c0e45d64db..5b0b1194ae06 100644
--- a/filter/source/msfilter/dffpropset.cxx
+++ b/filter/source/msfilter/dffpropset.cxx
@@ -20,6 +20,7 @@
 #include <algorithm>
 #include <filter/msfilter/dffpropset.hxx>
 #include <filter/msfilter/dffrecordheader.hxx>
+#include <sal/log.hxx>
 #include <svx/msdffdef.hxx>
 #include <rtl/ustrbuf.hxx>
 #include <tools/stream.hxx>
@@ -1109,14 +1110,22 @@ void DffPropSet::ReadPropSet( SvStream& rIn, bool bSetUninitializedOnly )
 sal_uInt32 nComplexDataFilePos = rIn.Tell() + ( nPropCount * 6 );
- for( sal_uInt32 nPropNum = 0; nPropNum < nPropCount; nPropNum++ )
+ const size_t nMaxPossibleRecords = rIn.remainingSize() / (sizeof(sal_uInt16) + sizeof(sal_uInt32));
+ if (nPropCount > nMaxPossibleRecords)
 {
- sal_uInt16 nTmp;
- sal_uInt32 nRecType, nContent;
+ SAL_WARN("filter.ms", "Parsing error: " << nMaxPossibleRecords <<
+ " max possible entries, but " << nPropCount << " claimed, truncating");
+ nPropCount = nMaxPossibleRecords;
+ }
+
+ for (sal_uInt32 nPropNum = 0; nPropNum < nPropCount; ++nPropNum)
+ {
+ sal_uInt16 nTmp(0);
+ sal_uInt32 nContent(0);
 rIn.ReadUInt16( nTmp ) .ReadUInt32( nContent );
- nRecType = nTmp & 0x3fff;
+ sal_uInt32 nRecType = nTmp & 0x3fff;
 if ( nRecType > 0x3ff ) break; |
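Review bot: `nComplexDataFilePos` on the context line above the new check is still computed from the claimed `nPropCount`, so once the count is truncated that offset can point past the end of the stream. If the code after this hunk seeks to it (not visible here; ReadPropSet continues beyond the hunk), consider moving `sal_uInt32 nComplexDataFilePos = rIn.Tell() + ( nPropCount * 6 );` below the clamp, or checking the offset against the stream size before it is used. The literal `6` and `sizeof(sal_uInt16) + sizeof(sal_uInt32)` also state the same record size twice; a single named constant would keep the bound and the offset in step. The loop still does not test the stream state after `ReadUInt16`/`ReadUInt32`: the new zero-initialisers make a failed read deterministic, but an `if (!rIn.good()) break;` after the read would stop at the first short record.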