authorCaolán McNamara <caolanm@redhat.com>2014-11-05 17:22:36 +0000
committerCaolán McNamara <caolanm@redhat.com>2014-11-05 21:03:26 +0000
commitff1aae469f6521b67e51c9e77415ba847eed69e8 (patch)
tree605c4fe31d4f48cb08e5ff4151b14eed94bcef09
parenteee29076a141d200b8ce6b2792c698bbbfb80118 (diff)
coverity#1242614 Untrusted loop bound
Change-Id: I913e14d30d54b4b370c14017b0702005c23c4fc4
-rw-r--r--sc/source/core/data/documen8.cxx16
1 files changed, 14 insertions, 2 deletions
diff --git a/sc/source/core/data/documen8.cxx b/sc/source/core/data/documen8.cxx
index f6132be7b9e8..ee3bd90cf4aa 100644
--- a/sc/source/core/data/documen8.cxx
+++ b/sc/source/core/data/documen8.cxx
@@ -757,9 +757,21 @@ void ScDocument::LoadDdeLinks(SvStream& rStream)
ScMultipleReadHeader aHdr( rStream );
- sal_uInt16 nCount;
+ sal_uInt16 nCount(0);
rStream.ReadUInt16( nCount );
- for (sal_uInt16 i=0; i<nCount; i++)
+
+ const rtl_TextEncoding eCharSet = rStream.GetStreamCharSet();
+ const size_t nMinStringSize = eCharSet == RTL_TEXTENCODING_UNICODE ? sizeof(sal_uInt32) : sizeof(sal_uInt16);
+ const size_t nMinRecordSize = 1 + nMinStringSize*3;
+ const size_t nMaxRecords = rStream.remainingSize() / nMinRecordSize;
+ if (nCount > nMaxRecords)
+ {
+ SAL_WARN("sc", "Parsing error: " << nMaxRecords <<
+ " max possible entries, but " << nCount << " claimed, truncating");
+ nCount = nMaxRecords;
+ }
+
+ for (sal_uInt16 i=0; i<nCount; ++i)
{
ScDdeLink* pLink = new ScDdeLink( this, rStream, aHdr );
pMgr->InsertDDELink(pLink, pLink->GetAppl(), pLink->GetTopic(), pLink->GetItem());
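Review bot: The clamp on `nCount` bounds the loop only by the smallest possible record, so a file whose records are larger than that minimum can still exhaust the stream while the loop keeps constructing `ScDdeLink` objects from it; nothing in the visible loop body checks stream state between records. Unless the `ScDdeLink` constructor (not shown in this hunk) handles short reads itself, consider stopping on failure, for example `if (rStream.GetError()) break;` at the top of the loop body. The `1 + nMinStringSize*3` formula also deserves a comment, presumably along the lines of `// smallest record: one byte plus three empty length-prefixed strings`, so the assumed on-disk layout can be checked against the reader. `nCount = nMaxRecords;` narrows `size_t` to `sal_uInt16`; it cannot truncate inside this branch, but `nCount = static_cast<sal_uInt16>(nMaxRecords);` would make that explicit. The body of `LoadDdeLinks` starts before and continues past this hunk.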