-rw-r--r--basic/source/sbx/sbxarray.cxx14
-rw-r--r--basic/source/sbx/sbxbase.cxx6
2 files changed, 16 insertions, 4 deletions
diff --git a/basic/source/sbx/sbxarray.cxx b/basic/source/sbx/sbxarray.cxx
index f531803f617a..fa2a2aa69f9a 100644
--- a/basic/source/sbx/sbxarray.cxx
+++ b/basic/source/sbx/sbxarray.cxx
@@ -531,8 +531,20 @@ SbxVariable* SbxDimArray::Get( SbxArray* pPar )
bool SbxDimArray::LoadData( SvStream& rStrm, sal_uInt16 nVer )
{
- short nDimension;
+ short nDimension(0);
rStrm.ReadInt16( nDimension );
+
+ if (nDimension > 0)
+ {
+ const size_t nMinRecordSize = 4;
+ const size_t nMaxPossibleRecords = rStrm.remainingSize() / nMinRecordSize;
+ if (o3tl::make_unsigned(nDimension) > nMaxPossibleRecords)
+ {
+ SAL_WARN("basic", "SbxDimArray::LoadData more entries claimed than stream could contain");
+ return false;
+ }
+ }
+
for( short i = 0; i < nDimension && rStrm.GetError() == ERRCODE_NONE; i++ )
{
sal_Int16 lb(0), ub(0);
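Review bot: The literal `4` in `nMinRecordSize` is not tied to what the loop reads per dimension, so the bound can silently go stale if the record layout ever changes. Judging by the `sal_Int16 lb(0), ub(0);` declaration at the end of the hunk, each record appears to be two 16-bit bounds; if so, write `const size_t nMinRecordSize = 2 * sizeof(sal_Int16); // lb + ub per dimension`. The reads themselves and the rest of LoadData are outside the hunk, so the layout should be confirmed there. It is also worth confirming that a stream error raised inside the loop makes the function return false rather than leaving a partially dimensioned array.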
diff --git a/basic/source/sbx/sbxbase.cxx b/basic/source/sbx/sbxbase.cxx
index 0e057540c8bc..b57c9bdb9008 100644
--- a/basic/source/sbx/sbxbase.cxx
+++ b/basic/source/sbx/sbxbase.cxx
@@ -180,8 +180,8 @@ SbxObject* SbxBase::CreateObject( const OUString& rClass )
SbxBase* SbxBase::Load( SvStream& rStrm )
{
- sal_uInt16 nSbxId, nFlagsTmp, nVer;
- sal_uInt32 nCreator, nSize;
+ sal_uInt16 nSbxId(0), nFlagsTmp(0), nVer(0);
+ sal_uInt32 nCreator(0), nSize(0);
rStrm.ReadUInt32( nCreator ).ReadUInt16( nSbxId ).ReadUInt16( nFlagsTmp ).ReadUInt16( nVer );
SbxFlagBits nFlags = static_cast<SbxFlagBits>(nFlagsTmp);
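Review bot: The header fields filled by the chained `ReadUInt32(...).ReadUInt16(...)` call are used without checking the stream state, so on a short read the next line casts a defaulted `nFlagsTmp` as if it had come from the file. The new initialisers make that value deterministic, but a truncated header is still treated as a valid one. Consider a guard directly after the read, in the same idiom the commit uses in SbxDimArray::LoadData: `if (rStrm.GetError() != ERRCODE_NONE) return nullptr;` (or however Load reports failure to its callers). The rest of Load is outside the hunk, so a later check may already cover this.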
@@ -297,7 +297,7 @@ void SbxInfo::LoadData( SvStream& rStrm, sal_uInt16 nVer )
rStrm.ReadUInt32( nHelpId ).ReadUInt16( nParam );
while( nParam-- )
{
- sal_uInt16 nType, nFlagsTmp;
+ sal_uInt16 nType(0), nFlagsTmp(0);
sal_uInt32 nUserData = 0;
OUString aName = read_uInt16_lenPrefixed_uInt8s_ToOUString(rStrm,
RTL_TEXTENCODING_ASCII_US);
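Review bot: `while( nParam-- )` trusts a count taken straight from the stream and never looks at the stream state, so a truncated record still runs the loop once for every claimed parameter, each pass working on the zero defaults of `nType` and `nFlagsTmp`. The same commit bounds `nDimension` against `remainingSize()` in SbxDimArray::LoadData, but that bound is not applied here. The minimal equivalent is `while( nParam-- && rStrm.GetError() == ERRCODE_NONE )`, or a remaining-size check before the loop. The loop body continues past the end of the hunk and the declaration of `nParam` is not visible, so the per-entry minimum size has to be taken from the full function.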