diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2014-11-14 11:41:20 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2014-11-14 12:02:51 +0000 |
| commit | 8fe8c2e3d4d1ab44cfa53160e309255c109251d3 (patch) | |
| tree | a3b9ced2cc2439c7ca1013e82d7852b30873cd27 /svl | |
| parent | 8e6c22d74933c7157e083e97d56106b36a166559 (diff) | |
coverity#1242630 Untrusted loop bound
Change-Id: I985f47d6e5f5aa86099b86ad4666b194f4b25b83
Diffstat (limited to 'svl')
| -rw-r--r-- | svl/source/items/macitem.cxx | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/svl/source/items/macitem.cxx b/svl/source/items/macitem.cxx index 98e9a980da81..24c4cc72294d 100644 --- a/svl/source/items/macitem.cxx +++ b/svl/source/items/macitem.cxx @@ -100,10 +100,24 @@ SvStream& SvxMacroTableDtor::Read( SvStream& rStrm, sal_uInt16 nVersion ) { if( SVX_MACROTBL_VERSION40 <= nVersion ) rStrm.ReadUInt16( nVersion ); - short nMacro; - rStrm.ReadInt16( nMacro ); - for( short i = 0; i < nMacro; ++i ) + short nMacro(0); + rStrm.ReadInt16(nMacro); + + const size_t nMinStringSize = rStrm.GetStreamCharSet() == RTL_TEXTENCODING_UNICODE ? 4 : 2; + size_t nMinRecordSize = 2 + 2*nMinStringSize; + if( SVX_MACROTBL_VERSION40 <= nVersion ) + nMinRecordSize+=2; + + const size_t nMaxRecords = rStrm.remainingSize() / nMinRecordSize; + if (nMacro > 0 && static_cast<size_t>(nMacro) > nMaxRecords) + { + SAL_WARN("editeng", "Parsing error: " << nMaxRecords << + " max possible entries, but " << nMacro<< " claimed, truncating"); + nMacro = nMaxRecords; + } + + for (short i = 0; i < nMacro; ++i) { sal_uInt16 nCurKey, eType = STARBASIC; OUString aLibName, aMacName; |