From 8fe8c2e3d4d1ab44cfa53160e309255c109251d3 Mon Sep 17 00:00:00 2001 From: Caolán McNamara Date: Fri, 14 Nov 2014 11:41:20 +0000 Subject: coverity#1242630 Untrusted loop bound Change-Id: I985f47d6e5f5aa86099b86ad4666b194f4b25b83 --- svl/source/items/macitem.cxx | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) (limited to 'svl') diff --git a/svl/source/items/macitem.cxx b/svl/source/items/macitem.cxx index 98e9a980da81..24c4cc72294d 100644 --- a/svl/source/items/macitem.cxx +++ b/svl/source/items/macitem.cxx @@ -100,10 +100,24 @@ SvStream& SvxMacroTableDtor::Read( SvStream& rStrm, sal_uInt16 nVersion ) { if( SVX_MACROTBL_VERSION40 <= nVersion ) rStrm.ReadUInt16( nVersion ); - short nMacro; - rStrm.ReadInt16( nMacro ); - for( short i = 0; i < nMacro; ++i ) + short nMacro(0); + rStrm.ReadInt16(nMacro); + + const size_t nMinStringSize = rStrm.GetStreamCharSet() == RTL_TEXTENCODING_UNICODE ? 4 : 2; + size_t nMinRecordSize = 2 + 2*nMinStringSize; + if( SVX_MACROTBL_VERSION40 <= nVersion ) + nMinRecordSize+=2; + + const size_t nMaxRecords = rStrm.remainingSize() / nMinRecordSize; + if (nMacro > 0 && static_cast(nMacro) > nMaxRecords) + { + SAL_WARN("editeng", "Parsing error: " << nMaxRecords << + " max possible entries, but " << nMacro<< " claimed, truncating"); + nMacro = nMaxRecords; + } + + for (short i = 0; i < nMacro; ++i) { sal_uInt16 nCurKey, eType = STARBASIC; OUString aLibName, aMacName; -- cgit