authorCaolán McNamara <caolanm@redhat.com>2021-03-31 20:14:07 +0100
committerCaolán McNamara <caolanm@redhat.com>2021-04-01 11:35:14 +0200
commit7e22869694a7a1dd66d68e262727e64cc4dd6384 (patch)
treeeb72c6caff2470728eaa776200c53945ef036131
parent903902f826129705f1fafc5583a13be645e145b5 (diff)
cid#1473732 Untrusted loop bound
and cid#1474044 Untrusted loop bound Change-Id: If30dc454d60adca11fd1a53ecf472555e328bd42 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/113441 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
-rw-r--r--basic/source/sbx/sbxarray.cxx12
-rw-r--r--sc/source/filter/excel/xltoolbar.cxx11
2 files changed, 13 insertions, 10 deletions
diff --git a/basic/source/sbx/sbxarray.cxx b/basic/source/sbx/sbxarray.cxx
index 4f5a9fd3cfb0..06774acddc00 100644
--- a/basic/source/sbx/sbxarray.cxx
+++ b/basic/source/sbx/sbxarray.cxx
@@ -531,20 +531,22 @@ SbxVariable* SbxDimArray::Get( SbxArray* pPar )
bool SbxDimArray::LoadData( SvStream& rStrm, sal_uInt16 nVer )
{
- short nDimension(0);
- rStrm.ReadInt16( nDimension );
+ short nTmp(0);
+ rStrm.ReadInt16(nTmp);
- if (nDimension > 0)
+ if (nTmp > 0)
{
+ auto nDimension = o3tl::make_unsigned(nTmp);
+
const size_t nMinRecordSize = 4;
const size_t nMaxPossibleRecords = rStrm.remainingSize() / nMinRecordSize;
- if (o3tl::make_unsigned(nDimension) > nMaxPossibleRecords)
+ if (nDimension > nMaxPossibleRecords)
{
SAL_WARN("basic", "SbxDimArray::LoadData more entries claimed than stream could contain");
return false;
}
- for (short i = 0; i < nDimension && rStrm.GetError() == ERRCODE_NONE; ++i)
+ for (decltype(nDimension) i = 0; i < nDimension && rStrm.GetError() == ERRCODE_NONE; ++i)
{
sal_Int16 lb(0), ub(0);
rStrm.ReadInt16( lb ).ReadInt16( ub );
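Review bot: The constant `nMinRecordSize = 4` in SbxDimArray::LoadData has no comment saying where the 4 comes from, unlike the matching check in xltoolbar.cxx. The loop below reads two sal_Int16 values (lb, ub) per dimension, so I would add `// each dimension is a lower and an upper bound, 2 x sal_Int16 = 4 bytes` so that the bound and the reads stay in step when the format handling changes. The new `auto nDimension` / `decltype(nDimension) i` pair also hides that the counter is now the unsigned counterpart of `short`; spelling the type out would make the sign conversion easier to audit. The loop body continues past the end of this hunk, so how lb and ub are checked before being used as array bounds is not visible here and is worth confirming.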
diff --git a/sc/source/filter/excel/xltoolbar.cxx b/sc/source/filter/excel/xltoolbar.cxx
index acf6d8339f20..c4178ccafea1 100644
--- a/sc/source/filter/excel/xltoolbar.cxx
+++ b/sc/source/filter/excel/xltoolbar.cxx
@@ -100,19 +100,20 @@ bool ScCTB::Read( SvStream &rS )
}
rS.ReadUInt32( ectbid );
- sal_Int16 nIndexes = tb.getcCL();
-
- if (nIndexes > 0)
+ sal_Int16 nCL = tb.getcCL();
+ if (nCL > 0)
{
+ auto nIndexes = o3tl::make_unsigned(nCL);
+
const size_t nMinRecordSize = 11; // ScTBC's TBCHeader reads min 11 bytes
const size_t nMaxPossibleRecords = rS.remainingSize() / nMinRecordSize;
- if (o3tl::make_unsigned(nIndexes) > nMaxPossibleRecords)
+ if (nIndexes > nMaxPossibleRecords)
{
SAL_WARN("sc.filter", "ScCTB::Read more entries claimed than stream could contain");
return false;
}
- for ( sal_Int16 index = 0; index < nIndexes; ++index )
+ for (decltype(nIndexes) index = 0; index < nIndexes; ++index)
{
ScTBC aTBC;
aTBC.Read( rS );
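Review bot: The result of `aTBC.Read( rS );` on the last line of this hunk is discarded, so the new record-count check bounds how many iterations can run but not whether each record was actually read. A file whose records are longer than the 11-byte minimum can pass the `nMaxPossibleRecords` test and still run out of data part-way through, and the loop would then continue over the remaining count with partly read ScTBC objects. If ScTBC::Read reports failure the way ScCTB::Read does (its declaration is not visible here), the loop should stop on it: `if (!aTBC.Read(rS)) return false;`. The loop body and the rest of ScCTB::Read continue outside this hunk.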