authorᚉᚐᚑᚂᚐᚅ McNamara <caolanm@redhat.com>2014-10-28 15:59:42 +0000
committerᚉᚐᚑᚂᚐᚅ McNamara <caolanm@redhat.com>2014-10-28 16:04:48 +0000
commit5356d06f5c3cae96c15c4da49ab31c760509d6d7 (patch)
tree42b00127889198e549bab7cd5af2ec13bf929673 /sc/source/filter/excel
parent6cee94ba6b224399e5a4a2511df39d3118454c83 (diff)
coverity#1242796 Untrusted loop bound
and throw ogham at the bugzilla bot for kicks Change-Id: I50cdf676e59e4e966f999218837dabfdd2008b6e
Diffstat (limited to 'sc/source/filter/excel')
-rw-r--r--sc/source/filter/excel/xltoolbar.cxx10
1 files changed, 9 insertions, 1 deletions
diff --git a/sc/source/filter/excel/xltoolbar.cxx b/sc/source/filter/excel/xltoolbar.cxx
index 0121b21d810e..f85f455eca04 100644
--- a/sc/source/filter/excel/xltoolbar.cxx
+++ b/sc/source/filter/excel/xltoolbar.cxx
@@ -356,8 +356,16 @@ ScCTBWrapper::Read( SvStream &rS)
{
OSL_TRACE("ScCTBWrapper::Read() stream pos 0x%x", rS.Tell() );
nOffSet = rS.Tell();
- if ( !ctbSet.Read( rS ) )
+ if (!ctbSet.Read(rS))
return false;
+
+ //ScCTB is 1 TB which is min 15bytes, nViews TBVisualData which is min 20bytes
+ //and one 32bit number (4 bytes)
+ const size_t nMinRecordSize = 39;
+ const size_t nMaxPossibleRecords = rS.remainingSize()/nMinRecordSize;
+ if (ctbSet.ctb > nMaxPossibleRecords)
+ return false;
+
for ( sal_uInt16 index = 0; index < ctbSet.ctb; ++index )
{
ScCTB aCTB( ctbSet.ctbViews );
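Review bot: The constant 39 on the `nMinRecordSize` line assumes exactly one TBVisualData per record, but the per-record view count is read from the file as `ctbSet.ctbViews`, which is passed to the ScCTB constructor on the last line of this hunk. Going by the sizes in the added comment, a stream with ctbViews of 0 needs only 19 bytes per record and could be rejected here although it is well-formed, while a larger ctbViews leaves the bound looser than it needs to be. Deriving the size from the header covers both cases: `const size_t nMinRecordSize = 15 + 4 + static_cast<size_t>(ctbSet.ctbViews) * 20;`. The loop body continues outside the hunk, so whether each per-record Read also fails cleanly on a short stream cannot be confirmed from here.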