diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2019-11-17 19:30:32 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2019-11-19 22:16:50 +0100 |
| commit | 03fe7f500f2ccfa5e6a41ad1c9b6b1d7d4403887 (patch) | |
| tree | e5f24e31a7863fb8fb6017a3e05b9843a3ad49c2 /sc | |
| parent | c5e5afbb4e0a7ac41ba4d70d4c9aeb5daa35205c (diff) | |
cid#1448453 Untrusted value as argument
Change-Id: I41a2f30df22b54e51acb593f340cb1ecf1c497b6
Reviewed-on: https://gerrit.libreoffice.org/83037
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'sc')
| -rw-r--r-- | sc/source/filter/excel/xistring.cxx | 11 | ||||
| -rw-r--r-- | sc/source/filter/inc/xistream.hxx | 4 |
2 files changed, 15 insertions, 0 deletions
diff --git a/sc/source/filter/excel/xistring.cxx b/sc/source/filter/excel/xistring.cxx index 096507ba8351..80b2e5140c21 100644 --- a/sc/source/filter/excel/xistring.cxx +++ b/sc/source/filter/excel/xistring.cxx @@ -113,6 +113,17 @@ void XclImpString::ReadFormats( XclImpStream& rStrm, XclFormatRunVec& rFormats ) void XclImpString::ReadFormats( XclImpStream& rStrm, XclFormatRunVec& rFormats, sal_uInt16 nRunCount ) { rFormats.clear(); + + size_t nElementSize = rStrm.GetRoot().GetBiff() == EXC_BIFF8 ? 4 : 2; + size_t nAvailableBytes = rStrm.GetRecLeft(); + size_t nMaxElements = nAvailableBytes / nElementSize; + if (nRunCount > nMaxElements) + { + SAL_WARN("sc.filter", "XclImpString::ReadFormats - more formats claimed than stream could contain"); + rStrm.SetSvStreamError(SVSTREAM_FILEFORMAT_ERROR); + return; + } + rFormats.reserve( nRunCount ); /* #i33341# real life -- same character index may occur several times -> use AppendFormat() to validate formats */ diff --git a/sc/source/filter/inc/xistream.hxx b/sc/source/filter/inc/xistream.hxx index 15cde8c9a911..855ff2c3219c 100644 --- a/sc/source/filter/inc/xistream.hxx +++ b/sc/source/filter/inc/xistream.hxx @@ -466,6 +466,10 @@ public: /** Restores stream position contained in rPos. */ void RestorePosition( const XclImpStreamPos& rPos ); + /** Set an SVSTREAM_..._ERROR. */ + void SetSvStreamError( const ErrCode& rErrCode ) + { mrStrm.SetError( rErrCode ); } + private: /** Seeks to next raw record header and reads record ID and size. @descr This is a "raw" function, means that stream members are |