From e5e13192f3ce677daf6edaaebcb50bad9e24e05a Mon Sep 17 00:00:00 2001 From: Caolán McNamara Date: Fri, 14 Nov 2014 10:26:15 +0000 Subject: coverity#1242632 Untrusted loop bound Change-Id: Ib821adfbca149091d4fbe52d05837e232c3caf55 --- editeng/source/editeng/editobj.cxx | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'editeng') diff --git a/editeng/source/editeng/editobj.cxx b/editeng/source/editeng/editobj.cxx index 9c1da0e83a65..b100bd47299d 100644 --- a/editeng/source/editeng/editobj.cxx +++ b/editeng/source/editeng/editobj.cxx @@ -1266,9 +1266,18 @@ void EditTextObjectImpl::CreateData( SvStream& rIStream ) rtl_TextEncoding eSrcEncoding = GetSOLoadTextEncoding( (rtl_TextEncoding)nCharSet ); // The number of paragraphs ... - sal_uInt16 nParagraphs; + sal_uInt16 nParagraphs(0); rIStream.ReadUInt16( nParagraphs ); + const size_t nMinParaRecordSize = 6 + eSrcEncoding == RTL_TEXTENCODING_UNICODE ? 4 : 2; + const size_t nMaxParaRecords = rIStream.remainingSize() / nMinParaRecordSize; + if (nParagraphs > nMaxParaRecords) + { + SAL_WARN("editeng", "Parsing error: " << nMaxParaRecords << + " max possible entries, but " << nParagraphs<< " claimed, truncating"); + nParagraphs = nMaxParaRecords; + } + // The individual paragraphs ... for ( sal_uLong nPara = 0; nPara < nParagraphs; nPara++ ) { @@ -1280,7 +1289,7 @@ void EditTextObjectImpl::CreateData( SvStream& rIStream ) // StyleName and Family... pC->GetStyle() = rIStream.ReadUniOrByteString(eSrcEncoding); - sal_uInt16 nStyleFamily; + sal_uInt16 nStyleFamily(0); rIStream.ReadUInt16( nStyleFamily ); pC->GetFamily() = (SfxStyleFamily)nStyleFamily; -- cgit