diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2015-02-02 10:17:54 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2015-02-02 10:57:20 +0000 |
| commit | b6420535b0bbbaf6db97c2cc1cedd15150d24258 (patch) | |
| tree | ab69fb7528d27d8101a1837a050e73b77e06fea8 /sw | |
| parent | 28236bed527b7ceb68d3c8260ea89ee9cddbf3dc (diff) | |
coverity#1242653 Untrusted loop bound
Change-Id: Ic5f9837531bc95526bb29b4e248e413754f630be
Diffstat (limited to 'sw')
| -rw-r--r-- | sw/source/filter/ww8/ww8scan.cxx | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx index 9cbf0d67bfbb..d07d9ee745a8 100644 --- a/sw/source/filter/ww8/ww8scan.cxx +++ b/sw/source/filter/ww8/ww8scan.cxx @@ -3865,11 +3865,8 @@ void WW8ReadSTTBF(bool bVer8, SvStream& rStrm, sal_uInt32 nStart, sal_Int32 nLen rStrm.ReadUInt16( nExtraLen ); - size_t nMinRecordSize = nExtraLen; - if (bUnicode) - nMinRecordSize += sizeof(sal_uInt16); - else - nMinRecordSize += sizeof(sal_uInt8); + const size_t nMinStringLen = bUnicode ? sizeof(sal_uInt16) : sizeof(sal_uInt8); + const size_t nMinRecordSize = nExtraLen + nMinStringLen; const size_t nMaxPossibleStrings = rStrm.remainingSize() / nMinRecordSize; if (nStrings > nMaxPossibleStrings) { @@ -3877,6 +3874,16 @@ void WW8ReadSTTBF(bool bVer8, SvStream& rStrm, sal_uInt32 nStart, sal_Int32 nLen nStrings = nMaxPossibleStrings; } + if (nExtraLen && nStrings) + { + const size_t nMaxExtraLen = (rStrm.remainingSize() - (nStrings * nMinStringLen)) / nStrings; + if (nExtraLen > nMaxExtraLen) + { + SAL_WARN("sw.ww8", "STTBF claims " << nMaxExtraLen << " extra len, but only " << nMaxExtraLen << "are possible"); + nExtraLen = nMaxExtraLen; + } + } + for (sal_uInt16 i=0; i < nStrings; ++i) { if (bUnicode) |