coverity#1242865 Untrusted loop bound

Change-Id: I9332fa9b805e702fb56067efc308aff09310f603
author: Caolán McNamara <caolanm@redhat.com> 2015-09-01 09:25:54 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2015-09-01 09:40:21 +0100
commit: 79f060d45122ac108de8482d44af17a82ee1c48d (patch)
tree: 3a49ebd38f80ab2749043acb296077bfa9675fad
parent: 5b8e4f3d676eb0a026ce1eb4c1df2ec6e0736cb1 (diff)
1 files changed, 10 insertions, 2 deletions
diff --git a/basic/source/classes/image.cxx b/basic/source/classes/image.cxx
index 3faabae95793..12eff1835c5b 100644
--- a/basic/source/classes/image.cxx
+++ b/basic/source/classes/image.cxx
@@ -258,8 +258,16 @@ bool SbiImage::Load( SvStream& r, sal_uInt32& nVersion )
                 {
                     OUString aTypeName = r.ReadUniOrByteString(eCharSet);
 
-                    sal_Int16 nTypeMembers;
-                    r.ReadInt16(nTypeMembers);
+                    sal_uInt16 nTypeMembers;
+                    r.ReadUInt16(nTypeMembers);
+
+                    const size_t nMaxTypeMembers = r.remainingSize() / 8;
+                    if (nTypeMembers > nMaxTypeMembers)
+                    {
+                        SAL_WARN("basic", "Parsing error: " << nMaxTypeMembers <<
+                                 " max possible entries, but " << nTypeMembers << " claimed, truncating");
+                        nTypeMembers = nMaxTypeMembers;
+                    }
 
                     SbxObject *pType = new SbxObject(aTypeName);
                     SbxArray *pTypeMembers = pType->GetProperties();
author	Caolán McNamara <caolanm@redhat.com>	2015-09-01 09:25:54 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2015-09-01 09:40:21 +0100
commit	79f060d45122ac108de8482d44af17a82ee1c48d (patch)
tree	3a49ebd38f80ab2749043acb296077bfa9675fad
parent	5b8e4f3d676eb0a026ce1eb4c1df2ec6e0736cb1 (diff)