diff options
author | Norbert Thiebaud <nthiebaud@gmail.com> | 2014-07-04 20:30:59 +0200 |
---|---|---|
committer | Norbert Thiebaud <nthiebaud@gmail.com> | 2014-07-04 20:30:59 +0200 |
commit | e18e2b174c6bcf8ed5c5a6d3c88e84f31f2f375a (patch) | |
tree | 16abb4589f46d66bfdad70b7c0a1d913df0b0b95 /registry | |
parent | 1c053e7eb3dd08d1971450844dfdf61e7ddfae6a (diff) |
coverity#1213422 Tainted Scalar
Change-Id: I87e845f346fda225127e3439e768b31a8eb93be3
Diffstat (limited to 'registry')
-rw-r--r-- | registry/source/keyimpl.cxx | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/registry/source/keyimpl.cxx b/registry/source/keyimpl.cxx index 38fa3bbd81d2..52c26425541b 100644 --- a/registry/source/keyimpl.cxx +++ b/registry/source/keyimpl.cxx @@ -707,6 +707,15 @@ RegError ORegKey::getLongListValue(const OUString& valueName, sal_Int32** pValue rtl_freeMemory(pBuffer); + /* check for 'reasonable' value */ + /* surely 10 millions entry in a registry list should be enough */ + if(valueSize > 40000000) + { + pValueList = NULL; + *pLen = 0; + rtl_freeMemory(pBuffer); + return REG_INVALID_VALUE; + } pBuffer = (sal_uInt8*)rtl_allocateMemory(valueSize); if ( rValue.readAt(VALUE_HEADEROFFSET, pBuffer, valueSize, readBytes) ) @@ -727,12 +736,20 @@ RegError ORegKey::getLongListValue(const OUString& valueName, sal_Int32** pValue sal_uInt32 len = 0; readUINT32(pBuffer, len); + /* make sure the declared size of the arry is consistant with the amount of data we have read */ + if(len > (valueSize - 4) / 4) + { + pValueList = NULL; + *pLen = 0; + rtl_freeMemory(pBuffer); + return REG_INVALID_VALUE; + } *pLen = len; sal_Int32* pVList = (sal_Int32*)rtl_allocateZeroMemory(len * sizeof(sal_Int32)); sal_uInt32 offset = 4; // initial 4 Bytes fuer die Laenge des Arrays; - for (sal_uInt32 i=0; i < len; i++) + for (sal_uInt32 i = 0; i < len; i++) { readINT32(pBuffer+offset, pVList[i]); offset += 4; |