2 files changed, 49 insertions, 0 deletions

diff --git a/sw/source/filter/html/htmltab.cxx b/sw/source/filter/html/htmltab.cxx
index 178121062d1a..b80020e80e8a 100644
--- a/sw/source/filter/html/htmltab.cxx
+++ b/sw/source/filter/html/htmltab.cxx
@@ -30,6 +30,7 @@
 #include <editeng/lrspitem.hxx>
 #include <editeng/formatbreakitem.hxx>
 #include <editeng/spltitem.hxx>
+#include <unotools/configmgr.hxx>
 #include <svtools/htmltokn.h>
 #include <svtools/htmlkywd.hxx>
 #include <svl/urihelper.hxx>
@@ -2857,9 +2858,19 @@ CellSaveStruct::CellSaveStruct( SwHTMLParser& rParser, HTMLTable const *pCurTabl
                 break;
             case HtmlOptionId::COLSPAN:
                 m_nColSpan = static_cast<sal_uInt16>(rOption.GetNumber());
+                if (m_nColSpan > 256)
+                {
+                    SAL_INFO("sw.html", "ignoring huge COLSPAN " << m_nColSpan);
+                    m_nColSpan = 1;
+                }
                 break;
             case HtmlOptionId::ROWSPAN:
                 m_nRowSpan = static_cast<sal_uInt16>(rOption.GetNumber());
+                if (m_nRowSpan > 8192 || (m_nRowSpan > 256 && utl::ConfigManager::IsFuzzing()))
+                {
+                    SAL_INFO("sw.html", "ignoring huge ROWSPAN " << m_nRowSpan);
+                    m_nRowSpan = 1;
+                }
                 break;
             case HtmlOptionId::ALIGN:
                 m_eAdjust = rOption.GetEnum( aHTMLPAlignTable, m_eAdjust );
@@ -4265,6 +4276,11 @@ void SwHTMLParser::BuildTableColGroup( HTMLTable *pCurTable,
                     break;
                 case HtmlOptionId::SPAN:
                     pSaveStruct->nColGrpSpan = static_cast<sal_uInt16>(rOption.GetNumber());
+                    if (pSaveStruct->nColGrpSpan > 256)
+                    {
+                        SAL_INFO("sw.html", "ignoring huge SPAN " << pSaveStruct->nColGrpSpan);
+                        pSaveStruct->nColGrpSpan = 1;
+                    }
                     break;
                 case HtmlOptionId::WIDTH:
                     pSaveStruct->nColGrpWidth = static_cast<sal_uInt16>(rOption.GetNumber());
@@ -4347,6 +4363,11 @@ void SwHTMLParser::BuildTableColGroup( HTMLTable *pCurTable,
                         break;
                     case HtmlOptionId::SPAN:
                         nColSpan = static_cast<sal_uInt16>(rOption.GetNumber());
+                        if (nColSpan > 256)
+                        {
+                            SAL_INFO("sw.html", "ignoring huge SPAN " << nColSpan);
+                            nColSpan = 1;
+                        }
                         break;
                     case HtmlOptionId::WIDTH:
                         nColWidth = static_cast<sal_uInt16>(rOption.GetNumber());
diff --git a/sw/source/filter/xml/xmltbli.cxx b/sw/source/filter/xml/xmltbli.cxx
index 1ec745d907ce..bb4e532b8e37 100644
--- a/sw/source/filter/xml/xmltbli.cxx
+++ b/sw/source/filter/xml/xmltbli.cxx
@@ -27,6 +27,7 @@
 #include <svl/itemset.hxx>
 #include <svl/zformat.hxx>
 #include <sax/tools/converter.hxx>
+#include <unotools/configmgr.hxx>
 #include <xmloff/xmlnmspe.hxx>
 #include <xmloff/xmltkmap.hxx>
 #include <xmloff/nmspmap.hxx>
@@ -471,12 +472,27 @@ SwXMLTableCellContext_Impl::SwXMLTableCellContext_Impl(
             break;
         case XML_TOK_TABLE_NUM_COLS_SPANNED:
             nColSpan = static_cast<sal_uInt32>(std::max<sal_Int32>(1, rValue.toInt32()));
+            if (nColSpan > 256)
+            {
+                SAL_INFO("sw.xml", "ignoring huge table:number-columns-spanned " << nColSpan);
+                nColSpan = 1;
+            }
             break;
         case XML_TOK_TABLE_NUM_ROWS_SPANNED:
             nRowSpan = static_cast<sal_uInt32>(std::max<sal_Int32>(1, rValue.toInt32()));
+            if (nRowSpan > 8192 || (nRowSpan > 256 && utl::ConfigManager::IsFuzzing()))
+            {
+                SAL_INFO("sw.xml", "ignoring huge table:number-rows-spanned " << nRowSpan);
+                nRowSpan = 1;
+            }
             break;
         case XML_TOK_TABLE_NUM_COLS_REPEATED:
             nColRepeat = static_cast<sal_uInt32>(std::max<sal_Int32>(1, rValue.toInt32()));
+            if (nColRepeat > 256)
+            {
+                SAL_INFO("sw.xml", "ignoring huge table:number-columns-repeated " << nColRepeat);
+                nColRepeat = 1;
+            }
             break;
         case XML_TOK_TABLE_FORMULA:
             {
@@ -751,7 +767,14 @@ SwXMLTableColContext_Impl::SwXMLTableColContext_Impl(
             if( IsXMLToken( aLocalName, XML_STYLE_NAME ) )
                 aStyleName = rValue;
             else if( IsXMLToken( aLocalName, XML_NUMBER_COLUMNS_REPEATED ) )
+            {
                 nColRep = static_cast<sal_uInt32>(std::max<sal_Int32>(1, rValue.toInt32()));
+                if (nColRep > 256)
+                {
+                    SAL_INFO("sw.xml", "ignoring huge table:number-columns-repeated " << nColRep);
+                    nColRep = 1;
+                }
+            }
             else if( IsXMLToken( aLocalName, XML_DEFAULT_CELL_STYLE_NAME ) )
                 aDfltCellStyleName = rValue;
         }
@@ -892,6 +915,11 @@ SwXMLTableRowContext_Impl::SwXMLTableRowContext_Impl( SwXMLImport& rImport,
             else if( IsXMLToken( aLocalName, XML_NUMBER_ROWS_REPEATED ) )
             {
                 nRowRepeat = static_cast<sal_uInt32>(std::max<sal_Int32>(1, rValue.toInt32()));
+                if (nRowRepeat > 8192 || (nRowRepeat > 256 && utl::ConfigManager::IsFuzzing()))
+                {
+                    SAL_INFO("sw.xml", "ignoring huge table:number-rows-repeated " << nRowRepeat);
+                    nRowRepeat = 1;
+                }
             }
             else if( IsXMLToken( aLocalName, XML_DEFAULT_CELL_STYLE_NAME ) )
             {