From ac68cab1f1e6991bc95fe482f4d9be1538b827c4 Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Tue, 14 Oct 2014 15:21:27 +0100
Subject: coverity#1242739 Untrusted loop bound

and

coverity#1242739 Untrusted loop bound

Change-Id: I2cab9b3c531befc42c1522dd0d4beb59df7ae315
---
 lotuswordpro/source/filter/lwpdrawobj.cxx | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

(limited to 'lotuswordpro/source/filter')

diff --git a/lotuswordpro/source/filter/lwpdrawobj.cxx b/lotuswordpro/source/filter/lwpdrawobj.cxx
index 4ae627918441..2ca16adec056 100644
--- a/lotuswordpro/source/filter/lwpdrawobj.cxx
+++ b/lotuswordpro/source/filter/lwpdrawobj.cxx
@@ -1209,10 +1209,14 @@ void LwpDrawTextArt::Read()
     sal_uInt16 nPointNumber;
     sal_Int16 nX, nY;
     m_pStream->ReadUInt16( nPointNumber );
+
+    size_t nPoints = nPointNumber*3+1;
+    if (nPoints > m_pStream->remainingSize() / 4)
+        throw BadRead();
+
     m_aTextArtRec.aPath[0].n = nPointNumber;
-    m_aTextArtRec.aPath[0].pPts = new SdwPoint [nPointNumber*3+1];
-    sal_uInt16 nPt = 0;
-    for ( nPt = 0; nPt <= nPointNumber*3; nPt++)
+    m_aTextArtRec.aPath[0].pPts = new SdwPoint[nPoints];
+    for (size_t nPt = 0; nPt < nPoints; ++nPt)
     {
         m_pStream->ReadInt16( nX );
         m_pStream->ReadInt16( nY );
@@ -1221,9 +1225,14 @@ void LwpDrawTextArt::Read()
     }
 
     m_pStream->ReadUInt16( nPointNumber );
+
+    nPoints = nPointNumber*3+1;
+    if (nPoints > m_pStream->remainingSize() / 4)
+        throw BadRead();
+
     m_aTextArtRec.aPath[1].n = nPointNumber;
-    m_aTextArtRec.aPath[1].pPts = new SdwPoint [nPointNumber*3+1];
-    for (nPt = 0; nPt <= nPointNumber*3; nPt++)
+    m_aTextArtRec.aPath[1].pPts = new SdwPoint[nPoints];
+    for (size_t nPt = 0; nPt < nPoints; ++nPt)
     {
         m_pStream->ReadInt16( nX );
         m_pStream->ReadInt16( nY );
@@ -1251,6 +1260,10 @@ void LwpDrawTextArt::Read()
                                                     - (m_aTextArtRec.aPath[0].n*3 + 1)*4
                                                     - (m_aTextArtRec.aPath[1].n*3 + 1)*4;
 
+
+    if (m_aTextArtRec.nTextLen > m_pStream->remainingSize())
+        throw BadRead();
+
     m_aTextArtRec.pTextString = new sal_uInt8 [m_aTextArtRec.nTextLen];
     m_pStream->Read(m_aTextArtRec.pTextString, m_aTextArtRec.nTextLen);
     m_aTextArtRec.pTextString[m_aTextArtRec.nTextLen-1] = 0;
-- 
cgit