coverity#1242708 Untrusted loop bound

Change-Id: Ic5af417ad38cafa46051789574239996a8845ffb
author: Caolán McNamara <caolanm@redhat.com> 2014-11-18 21:22:10 +0000
committer: Caolán McNamara <caolanm@redhat.com> 2014-11-19 09:12:43 +0000
commit: 05362fd2dbb481b735e8b7e97288d842a6e3ec0b (patch)
tree: 3fb0cbe67decd6764caca2e9be78f355e4d48cac /sc
parent: 772a36932e4803beaffdad87200e0162e1020e94 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/sc/source/filter/excel/xilink.cxx b/sc/source/filter/excel/xilink.cxx
index 52e8a5ae9141..51da063dec35 100644
--- a/sc/source/filter/excel/xilink.cxx
+++ b/sc/source/filter/excel/xilink.cxx
@@ -272,6 +272,17 @@ XclImpExtName::MOper::MOper(svl::SharedStringPool& rPool, XclImpStream& rStrm) :
 {
     SCSIZE nLastCol = rStrm.ReaduInt8();
     SCSIZE nLastRow = rStrm.ReaduInt16();
+
+    //assuming worse case scenario of nOp + one byte unistring len
+    const size_t nMinRecordSize = 2;
+    const size_t nMaxRows = rStrm.GetRecLeft() / (nMinRecordSize * (nLastCol+1));
+    if (nLastRow >= nMaxRows)
+    {
+        SAL_WARN("sc", "Parsing error: " << nMaxRows <<
+                 " max possible rows, but " << nLastRow << " index claimed, truncating");
+        nLastRow = nMaxRows-1;
+    }
+
     mxCached->Resize(nLastCol+1, nLastRow+1);
     for (SCSIZE nRow = 0; nRow <= nLastRow; ++nRow)
     {
author	Caolán McNamara <caolanm@redhat.com>	2014-11-18 21:22:10 +0000
committer	Caolán McNamara <caolanm@redhat.com>	2014-11-19 09:12:43 +0000
commit	05362fd2dbb481b735e8b7e97288d842a6e3ec0b (patch)
tree	3fb0cbe67decd6764caca2e9be78f355e4d48cac /sc
parent	772a36932e4803beaffdad87200e0162e1020e94 (diff)