From 0f83c393d34e879a6fadcc21faad5e9d3835637b Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Mon, 17 Nov 2014 12:05:06 +0000
Subject: coverity#1242810 Untrusted loop bound

Change-Id: I457f0f92dc32630e52efbb2bd068208a8570c5d0
---
 svl/source/items/itemset.cxx | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'svl')

diff --git a/svl/source/items/itemset.cxx b/svl/source/items/itemset.cxx
index eb5ffaa4522e..9dc809f6c7f8 100644
--- a/svl/source/items/itemset.cxx
+++ b/svl/source/items/itemset.cxx
@@ -1487,6 +1487,16 @@ SvStream &SfxItemSet::Load
     // Load Item count and as many Items
     sal_uInt16 nCount = 0;
     rStream.ReadUInt16( nCount );
+
+    const size_t nMinRecordSize = sizeof(sal_uInt16) * 2;
+    const size_t nMaxRecords = rStream.remainingSize() / nMinRecordSize;
+    if (nCount > nMaxRecords)
+    {
+        SAL_WARN("svl", "Parsing error: " << nMaxRecords <<
+                 " max possible entries, but " << nCount << " claimed, truncating");
+        nCount = nMaxRecords;
+    }
+
     for ( sal_uInt16 i = 0; i < nCount; ++i )
     {
         // Load Surrogate/Item and resolve Surrogate
-- 
cgit