cid#1474269 Untrusted allocation size

Change-Id: I655c86be306a0300e9ec8404040eeb58d0579cb4 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/117916 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2021-06-25 20:34:00 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2021-06-26 15:17:08 +0200
commit: 532946bc3cc9f21605dfe271db292bf4ab9d6f1d (patch)
tree: be384a8829986aad7ffab222c33cf1dc003db745 /sc
parent: f537dcc2485f6e0d577797a5850f417f180cca3a (diff)
3 files changed, 29 insertions, 12 deletions
diff --git a/sc/source/filter/excel/xiescher.cxx b/sc/source/filter/excel/xiescher.cxx
index c928ac37cf29..9b8d33f31d7d 100644
--- a/sc/source/filter/excel/xiescher.cxx
+++ b/sc/source/filter/excel/xiescher.cxx
@@ -2017,9 +2017,9 @@ void XclImpControlHelper::DoProcessControl( ScfPropertySet& ) const
 void XclImpControlHelper::ReadRangeList( ScRangeList& rScRanges, XclImpStream& rStrm )
 {
     XclTokenArray aXclTokArr;
-    aXclTokArr.ReadSize( rStrm );
+    sal_uInt16 nSize = XclTokenArray::ReadSize(rStrm);
     rStrm.Ignore( 4 );
-    aXclTokArr.ReadArray( rStrm );
+    aXclTokArr.ReadArray(nSize, rStrm);
     mrRoot.GetFormulaCompiler().CreateRangeList( rScRanges, EXC_FMLATYPE_CONTROL, aXclTokArr, rStrm );
 }
 
diff --git a/sc/source/filter/excel/xlformula.cxx b/sc/source/filter/excel/xlformula.cxx
index 8f176ab72921..1f974f47b38b 100644
--- a/sc/source/filter/excel/xlformula.cxx
+++ b/sc/source/filter/excel/xlformula.cxx
@@ -738,22 +738,39 @@ sal_uInt16 XclTokenArray::GetSize() const
     return limit_cast< sal_uInt16 >( maTokVec.size() );
 }
 
-void XclTokenArray::ReadSize( XclImpStream& rStrm )
+sal_uInt16 XclTokenArray::ReadSize(XclImpStream& rStrm)
 {
-    sal_uInt16 nSize = rStrm.ReaduInt16();
-    maTokVec.resize( nSize );
+    return rStrm.ReaduInt16();
 }
 
-void XclTokenArray::ReadArray( XclImpStream& rStrm )
+void XclTokenArray::ReadArray(sal_uInt16 nSize, XclImpStream& rStrm)
 {
-    if( !maTokVec.empty() )
-        rStrm.Read(maTokVec.data(), GetSize());
+    maTokVec.resize(0);
+
+    const std::size_t nMaxBuffer = 4096;
+    std::size_t nBytesLeft = nSize;
+    std::size_t nTotalRead = 0;
+
+    while (true)
+    {
+        if (!nBytesLeft)
+            break;
+        std::size_t nReadRequest = o3tl::sanitizing_min(nBytesLeft, nMaxBuffer);
+        maTokVec.resize(maTokVec.size() + nReadRequest);
+        auto nRead = rStrm.Read(maTokVec.data() + nTotalRead, nReadRequest);
+        nTotalRead += nRead;
+        if (nRead != nReadRequest)
+        {
+            maTokVec.resize(nTotalRead);
+            break;
+        }
+        nBytesLeft -= nRead;
+    }
 }
 
 void XclTokenArray::Read( XclImpStream& rStrm )
 {
-    ReadSize( rStrm );
-    ReadArray( rStrm );
+    ReadArray(ReadSize(rStrm), rStrm);
 }
 
 void XclTokenArray::WriteSize( XclExpStream& rStrm ) const
diff --git a/sc/source/filter/inc/xlformula.hxx b/sc/source/filter/inc/xlformula.hxx
index fae4ec282a83..43f220bd64c7 100644
--- a/sc/source/filter/inc/xlformula.hxx
+++ b/sc/source/filter/inc/xlformula.hxx
@@ -391,9 +391,9 @@ public:
     bool         IsVolatile() const { return mbVolatile; }
 
     /** Reads the size field of the token array. */
-    void                ReadSize( XclImpStream& rStrm );
+    static sal_uInt16   ReadSize(XclImpStream& rStrm);
     /** Reads the tokens of the token array (without size field). */
-    void                ReadArray( XclImpStream& rStrm );
+    void                ReadArray(sal_uInt16 nSize, XclImpStream& rStrm);
     /** Reads size field and the tokens. */
     void                Read( XclImpStream& rStrm );
author	Caolán McNamara <caolanm@redhat.com>	2021-06-25 20:34:00 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2021-06-26 15:17:08 +0200
commit	532946bc3cc9f21605dfe271db292bf4ab9d6f1d (patch)
tree	be384a8829986aad7ffab222c33cf1dc003db745 /sc
parent	f537dcc2485f6e0d577797a5850f417f180cca3a (diff)