From 5356d06f5c3cae96c15c4da49ab31c760509d6d7 Mon Sep 17 00:00:00 2001
From: ᚉᚐᚑᚂᚐᚅ McNamara <caolanm@redhat.com>
Date: Tue, 28 Oct 2014 15:59:42 +0000
Subject: coverity#1242796 Untrusted loop bound

and throw ogham at the bugzilla bot for kicks

Change-Id: I50cdf676e59e4e966f999218837dabfdd2008b6e
---
 sc/source/filter/excel/xltoolbar.cxx | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'sc/source/filter/excel')

diff --git a/sc/source/filter/excel/xltoolbar.cxx b/sc/source/filter/excel/xltoolbar.cxx
index 0121b21d810e..f85f455eca04 100644
--- a/sc/source/filter/excel/xltoolbar.cxx
+++ b/sc/source/filter/excel/xltoolbar.cxx
@@ -356,8 +356,16 @@ ScCTBWrapper::Read( SvStream &rS)
 {
     OSL_TRACE("ScCTBWrapper::Read() stream pos 0x%x", rS.Tell() );
     nOffSet = rS.Tell();
-    if ( !ctbSet.Read( rS ) )
+    if (!ctbSet.Read(rS))
         return false;
+
+    //ScCTB is 1 TB which is min 15bytes, nViews TBVisualData which is min 20bytes
+    //and one 32bit number (4 bytes)
+    const size_t nMinRecordSize = 39;
+    const size_t nMaxPossibleRecords = rS.remainingSize()/nMinRecordSize;
+    if (ctbSet.ctb > nMaxPossibleRecords)
+        return false;
+
     for ( sal_uInt16 index = 0; index < ctbSet.ctb; ++index )
     {
         ScCTB aCTB( ctbSet.ctbViews );
-- 
cgit