summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--basic/source/classes/image.cxx12
1 files changed, 10 insertions, 2 deletions
diff --git a/basic/source/classes/image.cxx b/basic/source/classes/image.cxx
index 3faabae95793..12eff1835c5b 100644
--- a/basic/source/classes/image.cxx
+++ b/basic/source/classes/image.cxx
@@ -258,8 +258,16 @@ bool SbiImage::Load( SvStream& r, sal_uInt32& nVersion )
{
OUString aTypeName = r.ReadUniOrByteString(eCharSet);
- sal_Int16 nTypeMembers;
- r.ReadInt16(nTypeMembers);
+ sal_uInt16 nTypeMembers;
+ r.ReadUInt16(nTypeMembers);
+
+ const size_t nMaxTypeMembers = r.remainingSize() / 8;
+ if (nTypeMembers > nMaxTypeMembers)
+ {
+ SAL_WARN("basic", "Parsing error: " << nMaxTypeMembers <<
+ " max possible entries, but " << nTypeMembers << " claimed, truncating");
+ nTypeMembers = nMaxTypeMembers;
+ }
SbxObject *pType = new SbxObject(aTypeName);
SbxArray *pTypeMembers = pType->GetProperties();
generated by cgit (git 2.34.1) at 2025-02-05 16:00:42 +0000