diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2014-11-05 16:59:13 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2014-11-05 21:03:26 +0000 |
| commit | eee29076a141d200b8ce6b2792c698bbbfb80118 (patch) | |
| tree | 11d4a4396e9788a4e8002bb6429140edb4d5ad76 | |
| parent | 712d781538880d96a511d0b1323283a4112c93cc (diff) | |
coverity#1242632 Untrusted loop bound
Change-Id: I4ec2e1a21a6a27c31c3308a5f72dbdcb33a62f39
| -rw-r--r-- | editeng/source/editeng/editobj.cxx | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/editeng/source/editeng/editobj.cxx b/editeng/source/editeng/editobj.cxx index 33ecb675a2df..9c1da0e83a65 100644 --- a/editeng/source/editeng/editobj.cxx +++ b/editeng/source/editeng/editobj.cxx @@ -1288,17 +1288,25 @@ void EditTextObjectImpl::CreateData( SvStream& rIStream ) pC->GetParaAttribs().Load( rIStream ); // The number of attributes ... - sal_uInt16 nTmp16; + sal_uInt16 nTmp16(0); rIStream.ReadUInt16( nTmp16 ); size_t nAttribs = nTmp16; + const size_t nMinRecordSize(10); + const size_t nMaxRecords = rIStream.remainingSize() / nMinRecordSize; + if (nAttribs > nMaxRecords) + { + SAL_WARN("editeng", "Parsing error: " << nMaxRecords << + " max possible entries, but " << nAttribs << " claimed, truncating"); + nAttribs = nMaxRecords; + } + // And the individual attributes // Items as Surregate => always 8 bytes per Attributes // Which = 2; Surregat = 2; Start = 2; End = 2; - size_t nAttr; - for (nAttr = 0; nAttr < nAttribs; ++nAttr) + for (size_t nAttr = 0; nAttr < nAttribs; ++nAttr) { - sal_uInt16 _nWhich, nStart, nEnd; + sal_uInt16 _nWhich(0), nStart(0), nEnd(0); const SfxPoolItem* pItem; rIStream.ReadUInt16( _nWhich ); @@ -1345,7 +1353,7 @@ void EditTextObjectImpl::CreateData( SvStream& rIStream ) } } - for (nAttr = pC->aAttribs.size(); nAttr; ) + for (size_t nAttr = pC->aAttribs.size(); nAttr; ) { const XEditAttribute& rAttr = pC->aAttribs[--nAttr]; if ( rAttr.GetItem()->Which() == EE_CHAR_FONTINFO ) |